Beanstalk Farms is the latest cryptocurrency platform to lose hundreds of millions of dollars to attackers.
PeckShield, a blockchain analytics company, initially reported the incident to Beanstalk through Twitter on Sunday. Hours later, PeckShield revealed the Ethereum-based decentralized stablecoin protocol lost $182 million in cryptocurrency assets. A further breakdown showed attackers stole more than 24 thousand Ethereum and 36 million Bean. After coin-mixing and exploit fees, PeckShield noted the hacker netted $80 million overall.
Beanstalk confirmed the attack on Twitter later that day, and said an investigation is ongoing.
"Beanstalk suffered an exploit today," Beanstalk Farms reported on Twitter.
While Beanstalk did not provide further attack details, PeckShield attributed its success to the use of a "flashloan" exploit. A portion of the stolen assets was used to pay the flashloan fee, according to PeckShield's tweet.
In an email to SearchSecurity, PeckShield described flashloans as a "special form of loans, which involve the lending cryptocurrencies (from a pool) to a borrower without collaterals and require the immediate payment within the transaction."
1/ The @BeanstalkFarms was exploited in a flurry of txs (https://t.co/PMsdP5dnJG and https://t.co/wyHe3ARZgU), leading to the gain of $80+M for the hacker (The protocol loss may be larger), including 24,830 ETH and 36M BEAN. — PeckShield Inc. (@peckshield) April 17, 2022
After tracking the funds, PeckShield discovered the hacker laundered a portion using coin-mixing platform Tornado Cash. Threat actors increasingly obfuscate funds through mixers and tumblers, though the U.S. continues to implement sanctions to limit such activity. Tornado Cash recently announced it began using a Chainalysis tool to block sanctioned wallets.
While "most of the result gains" were deposited to Tornado Cash, PeckShield noted that the hacker made a $250,000 cryptocurrency donation to Ukraine. In February, Ukraine announced it was accepting cryptocurrency donations, and a report by Flashpoint showed an increase in cryptocurrency addresses related to Ukraine donations following the invasion by Russia.
In the most recent Twitter update, Beanstalk sought help from the decentralized finance (DeFi) community and noted a willingness to work with the attacker.
"We're engaging all efforts to try and move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter's ability to withdraw funds via CEXes. If the exploiter is open to discussion, we are as well," Beanstalk wrote on Twitter.
UPDATE 4/18: Beanstalk on Monday posted a statement to Twitter that included a direct offer to the attacker. In exchange for the return of 90% of the stolen funds, the company promised to "treat the remaining 10% as a Whitehat bounty properly payable to you."
Beanstalk is not the first decentralized platform to issue a public plea. After suffering an attack last year, BadgerDAO not only provided a direct line of communication to the attacker but also offered compensation.
Though Beanstalk suffered a substantial loss, it was nowhere near the amount drained in cryptocurrency from an attack against Axie Infinity last month, when a threat actor breached the Ronin bridge and stole more than $600 million. In February, Wormhole saw a $320 million deficit from an attack that was also attributed to an "exploit." Prior to that, Crypto.com lost $15 million after an attack.
The sharp increase in use of cryptocurrency is making it a growing target for threat actors. Javed Samuel, vice president of NCC Group's cryptography services, told SearchSecurity that while many implementations in the cryptocurrency market are generally secure, he's observed a number of recent hacks and breaches.
"As the industry has matured, you have more money flowing into it. It becomes a target for attackers, where they can exfiltrate cryptocurrency tokens," Samuel said. "They take advantage of certain vulnerabilities they've observed and a lot of code may be public. So, you can take advantage of those vulnerabilities and lead to an easier way of exfiltrating value out of the system."