Beanstalk Stablecoin Smart Contract Flaw Exploited

Individual(s) exploited a flaw in the Beanstalk smart contract to move $80 million worth of Beanstalk to a wallet of their choosing.

  • The individuals leveraged the Aave lending system to initiate a flash loan that provided them a 67% voting stake in the Beanstalk DAO
  • With a majority voting stake, the individuals approved a change to the code that sent funds to their wallet
  • Funds from the attack are now being laundered with the Tornado Cash mixing service

On April 17, 2022, someone initiated a flash loan through the Aave lending protocol to establish a 67% voting stake and ability to implement changes in the Beanstalk code. Blockchain analysts appeared to first detect malicious activity around 8:41 AM on April 17.

The individual then implemented a change in the code that sent $80 million worth of Beanstalk to this address:

https://etherscan.io/address/0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4

It is important to note that unlike other crypto-related breaches, this incident did not involve any classic "hacking" techniques like social engineering or stolen passwords. Those responsible took advantage of conditions in the code. According to the Beanstalk website, a third-party assessor completed a code audit of Beanstalk in March 2022. However, it does not appear this flaw was detected during the audit.
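To show why a flash loan can translate into a voting stake, here is a simplified model added for this article; it is not Beanstalk's contract code. It compares voting power read from the balance at vote time with voting power read from a checkpoint taken before the vote. The `Governance` class, holder names, amounts, and two-thirds threshold are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # assumed approval threshold for this model


@dataclass
class Governance:
    """Toy token-weighted DAO (hypothetical); balances are checkpointed per block."""
    block: int = 0
    balances: dict = field(default_factory=dict)
    history: dict = field(default_factory=dict)  # block -> balances when it closed

    def mine(self):
        """Close the current block: record balances, then advance."""
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount):
        self.balances[who] -= amount

    def share_live(self, who):
        """Weak: voting power is the balance held at the moment of the vote."""
        return self.balances.get(who, 0) / sum(self.balances.values())

    def share_snapshot(self, who, snapshot_block):
        """Hardened: voting power comes from a checkpoint taken before the vote."""
        snap = self.history[snapshot_block]
        return snap.get(who, 0) / sum(snap.values())


def simulate(flash_amount=2_030):
    """Return (live_share, snapshot_share) for a stake funded by a flash loan."""
    dao = Governance()
    dao.deposit("holder_a", 600)   # constructed sample holders
    dao.deposit("holder_b", 400)
    dao.mine()                     # block 0 closes: 1000 staked, borrower holds 0
    proposal_snapshot = dao.block - 1

    # Everything below happens inside a single transaction in block 1.
    dao.deposit("borrower", flash_amount)    # stake funded by the flash loan
    live = dao.share_live("borrower")        # ~0.67 of the vote
    snap = dao.share_snapshot("borrower", proposal_snapshot)  # 0.0 of the vote
    dao.withdraw("borrower", flash_amount)   # loan repaid before the tx ends
    return live, snap
```

In this model the borrowed stake clears the threshold only when power is measured live; against the earlier checkpoint the same address has no vote at all.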

The Twitter user @CryptoShine identified the actual malicious code modification here:

Someone claiming to be a software engineer with Beanstalk tweeted an update:

As of April 21, the Beanstalk Farms development team is now offering the individual(s) responsible 10% of the funds moved as a "white hat" reward fee in exchange for returning the other 90%.


Sources

Beanstalk Farms offers plea deal to perpetrators of $76M exploit
Beanstalk Farms has offered its exploiters a white-hat bounty for the return of $76 million in stolen funds.

https://etherscan.io/address/0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4

Everything You Ever Wanted to Know About the DeFi ‘Flash Loan’ Attack
Here’s a plain-English breakdown of the bZx attacks and their broader implications for the budding DeFi markets.

https://www.kraken.com/en-us/learn/what-is-aave-lend

https://etherscan.io/tx/0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7

https://crypto.news/beanstalk-farms-whitehat-bounty-76m-crypto/