Beanstalk DeFi project robbed of $182 million in flash loan attack

Decentralized finance (DeFi) project Beanstalk has lost $182 million in a flash loan attack.

It might seem more like a corporate heist than a typical cyberattack, but the incident became possible once the unknown threat actor secured the voting rights needed to transfer reserve funds out of the project’s liquidity pools.

On April 19, Beanstalk, a credit-based stablecoin protocol project based on Ethereum, said the platform was subject to a flash loan attack two days previously.

The cyberattack exploited the project’s protocol governance mechanism. According to a post-mortem conducted by Omniscia, the exploit occurred due to the recent implementation of the Curve LP Silos, “ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.”

Flash loan functions in DeFi projects allow users to borrow large amounts of virtual funds for a short period of time. In Beanstalk Farm’s case, voting powers were based on the amount of tokens held.

Omniscia says that after securing a flash loan (and, with it, the extensive voting rights normally used to accept or decline changes in the protocol’s code), the attacker abused an emergency governance mechanism to ‘vote’ for a malicious proposal that let them send funds to a wallet they controlled.

The flash loan was then repaid….
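A minimal model of the weakness described above, added here as an illustration and not taken from Beanstalk's or Omniscia's code: vote weight read from the live token balance lets borrowed tokens count, while weight read from a snapshot taken before the loan does not. The two-thirds threshold, the account names and the amounts are assumptions constructed for the example, and the snapshot check is a common governance design rather than something the article describes.

```python
# Toy model (constructed for illustration): token-weighted governance where
# vote weight comes either from the live balance or from an earlier snapshot.
from dataclasses import dataclass, field


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    history: list = field(default_factory=list)  # end-of-block balances

    def credit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def debit(self, who, amount):
        self.balances[who] -= amount

    def end_block(self):
        # Record balances so governance can look up past holdings.
        self.history.append(dict(self.balances))


def emergency_passes(token, voter, snapshot_block=None):
    """True if `voter` alone reaches a 2/3 supermajority (assumed threshold).

    snapshot_block=None -> weight from the live balance (weak design)
    snapshot_block=n    -> weight from balances recorded at end of block n
    """
    if snapshot_block is None:
        balances = token.balances
    else:
        balances = token.history[snapshot_block]
    total = sum(balances.values())
    # Integer comparison avoids floating-point rounding at the threshold.
    return total > 0 and 3 * balances.get(voter, 0) >= 2 * total


def simulate(use_snapshot):
    """Return (proposal_passed, borrower_balance_after_repayment)."""
    token = Token()
    token.credit("holders", 1_000)    # long-term holders
    token.end_block()                 # block 0: proposal already submitted
    # Block 1, a single transaction: borrow, vote, repay.
    token.credit("borrower", 9_000)   # loaned tokens become voting weight
    passed = emergency_passes(token, "borrower", 0 if use_snapshot else None)
    token.debit("borrower", 9_000)    # loan repaid in the same transaction
    token.end_block()
    return passed, token.balances["borrower"]


if __name__ == "__main__":
    print("live balance:", simulate(False))
    print("snapshot    :", simulate(True))
```

With live balances the borrower holds 90% of the weight for the duration of one transaction; with the block-0 snapshot the same tokens carry no weight because they were not held when the proposal was submitted.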
