Beanstalk, an Ethereum-based stablecoin protocol, was exploited on Sunday; more than $80 million worth of cryptocurrency, including Ether and BEAN, was drained.
The attacker hit where it hurt the most
In a series of tweets, blockchain security and data analytics company PeckShield explained that the attacker used flash loans to carry out the attack.
First, the attacker took a flash loan on the lending platform Aave and used the borrowed funds to obtain a large amount of Stalk, Beanstalk's native governance token. The voting power carried by that Stalk let the attacker pass and execute a malicious governance proposal within a single transaction (a flash loan has to be repaid in the same transaction it is taken in), draining the protocol's funds into a private Ethereum wallet.
Beanstalk did not measure the share of Stalk voting in favour of a proposal in a flash-loan-resistant way: voting power was taken from balances held at the moment the proposal was committed rather than from a snapshot taken before the proposal existed. Because a flash loan lets anyone hold an arbitrarily large balance for the duration of one transaction, borrowed Stalk counted in full, and that is the weakness the attacker exploited.
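To make the weakness concrete, here is an added example of the two governance patterns side by side. It is illustrative code written for this page, not Beanstalk's contracts or PeckShield's analysis: the contract and function names, the 2/3 supermajority threshold, the voting period and the execution delay are assumptions chosen to show the pattern, and the checkpointed `getPastVotes` / `getPastTotalSupply` getters are assumed to exist on the governance token (they follow the ERC20Votes convention). The first contract satisfies its supermajority check with balances that exist only inside the current transaction; the second weighs votes at a block before the proposal was created, requires the vote to span several blocks, and delays execution, none of which a balance borrowed and repaid in one transaction can satisfy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Beanstalk's code. Contract names, the 2/3 threshold,
// the voting period and the execution delay are assumptions for the example.

// Minimal governance-token interface. The checkpointed getters follow the
// ERC20Votes convention and are assumed to exist on the hardened token.
interface IGovToken {
    function balanceOf(address account) external view returns (uint256);
    function totalSupply() external view returns (uint256);
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

// VULNERABLE: voting weight and the supermajority denominator are read from
// live balances, and the proposal executes as soon as the threshold is met.
// Flash-loan 2/3 of the supply, propose, vote, commit, repay: one transaction.
contract FlashLoanableGovernance {
    IGovToken public immutable token;
    struct Proposal { address target; bytes data; uint256 votesFor; bool executed; }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public voted;

    constructor(IGovToken t) { token = t; }

    function propose(address target, bytes calldata data) external returns (uint256 id) {
        proposals.push(Proposal(target, data, 0, false));
        return proposals.length - 1;
    }

    function vote(uint256 id) external {
        require(!voted[id][msg.sender], "already voted");
        voted[id][msg.sender] = true;
        proposals[id].votesFor += token.balanceOf(msg.sender); // live balance: flash-loanable
    }

    function commit(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "executed");
        require(p.votesFor * 3 >= token.totalSupply() * 2, "no supermajority"); // live supply
        p.executed = true;
        (bool ok, ) = p.target.call(p.data); // target and calldata chosen by the proposer
        require(ok, "execution failed");
    }
}

// HARDENED: votes are weighed at a checkpoint taken before the proposal existed,
// voting must span several blocks, and execution waits out a delay. A flash loan
// is repaid within its own transaction, so it can satisfy none of these.
contract SnapshotGovernance {
    IGovToken public immutable token;
    uint256 public constant VOTING_PERIOD = 7200; // blocks (assumption: roughly one day)
    uint256 public constant EXEC_DELAY = 2 days;  // timelock after the vote passes
    struct Proposal {
        address target; bytes data;
        uint256 snapshotBlock; uint256 voteEnd; uint256 eta;
        uint256 votesFor; bool executed;
    }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public voted;

    constructor(IGovToken t) { token = t; }

    function propose(address target, bytes calldata data) external returns (uint256 id) {
        // Snapshot the block before this one: nothing done in the proposing
        // transaction can change balances at that block.
        proposals.push(Proposal(target, data, block.number - 1, block.number + VOTING_PERIOD, 0, 0, false));
        return proposals.length - 1;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number <= p.voteEnd, "voting closed");
        require(!voted[id][msg.sender], "already voted");
        voted[id][msg.sender] = true;
        p.votesFor += token.getPastVotes(msg.sender, p.snapshotBlock); // checkpointed weight
    }

    // After the voting period: check the supermajority against the checkpointed
    // supply and queue execution behind the timelock.
    function queue(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number > p.voteEnd, "voting open");
        require(p.eta == 0, "already queued");
        require(p.votesFor * 3 >= token.getPastTotalSupply(p.snapshotBlock) * 2, "no supermajority");
        p.eta = block.timestamp + EXEC_DELAY;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.eta != 0 && block.timestamp >= p.eta, "timelocked");
        require(!p.executed, "executed");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "execution failed");
    }
}
```

Two practical notes. With an ERC20Votes-style token, holders must delegate (to themselves if nobody else) before their balance is counted by `getPastVotes`, so a migration to checkpointed voting needs a delegation step for existing holders. And the snapshot, voting period and timelock do not stop an attacker who actually buys or borrows a supermajority for several days; they only raise the cost from a flash-loan fee to capital held at risk across blocks, and the delay exists so the rest of the community has time to see a hostile proposal and respond.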
The Block's Igor Igamberdiev clarified that the protocol lost more than $181 million in total, while the attacker netted only about $76 million.
Blockchain security firm Omniscia, which had audited Beanstalk's smart contracts, detailed the attack in a post-mortem report.
Consequently, the native BEAN stablecoin lost its $1 peg and fell to almost $0 on Sunday. Despite a slight recovery, it was trading at $0.18 at press time.
The exploiter also transferred about $250k of the stolen funds to Ukraine's crypto donation wallet address.
Beanstalk endorsers take a step back
A few people in the community, such as Anishk Mitra (a Vice President at Goldman Sachs), had been fervently endorsing BEAN over the preceding days, going so far as to label their promotion "financial advice" and posting threads that highlighted only the bright and rosy side.
Mitra deleted his Twitter account right after the hack, but quickly reactivated it and said he was "not hiding." Replying to another user, he said the exploit had hit his wallet "hard" too and that he was dealing with an exploit like this for the "first time."
In an apology thread, Mitra admitted that he should not have labelled the project a "lucrative opportunity." In his words,
“… now I not only feel like a moron, but also guilty for doing so”
Signs were there all along though
People in the space such as Mudit Gupta, Polygon's CISO, had been pointing out the loopholes in such projects for months, but few paid attention.
In short, the warnings were there all along; they were widely ignored, and that is what let the attacker succeed.