A flash loan exploit occurred on April 17, 2022 on Beanstalk Farms. Approximately $182 million was lost, with the attacker gaining $76 million as profit. The incident is due to the governance mechanism, in which the attacker used a flash loan to amplify the governance token amount and ultimately control the result to pass the proposal by draining the funds.
The attack began with the exploiter depositing BEAN tokens into Beanstalk, allowing them to create a malicious proposal named “InitBip18”. This proposal allowed the exploiter to transfer assets after a 24-hour window in order to invoke the contract “emergencyCommit()”. The exploiter then used flash loan to deposit 350M Dai (~$350M USD). The assets are converted to 795,425,740 BEAN3Crv-f and 58,924,887 BEANLUSD-f and then swapped using Curve.fi. The exploiter deposited all gained assets from the flash loan into a Beanstalk Diamond contract and voted for the malicious BIP18 proposal. The emergencyCommit() is immediately invoked, triggering the malicious BIP18 proposal.
As a result of the attack, the exploiter gained the following assets: 36M BEAN, 0.54 UNIV2 (BEAN-WETH), 875M BEAN3Crv and 61M BEANLUSD-f. The exploiter paid back the flashloan and gained the remaining assets as profit, valued at $112,161,617.718. They converted the tokens to ETH and transferred them to Tornado Cash, a crypto obfuscation service. The flashloan attackers have transferred ~9700 ETH to Tornado Cash at this time.
Propose BIP18: https://etherscan.io/tx/0x68cdec0ac76454c3b0f7af0b8a3895db00adf6daaf3b50a99716858c4fa54c6f
Launch attack to execute BIP18: https://etherscan.io/tx/0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7
Victim Contract: https://etherscan.io/address/0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5#code
Attacker address: https://etherscan.io/address/0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4
Malicious Proposal: https://etherscan.io/address/0xe5ecf73603d98a0128f05ed30506ac7a663dbb69
Attacker Initial fund activities: https://arbiscan.io/address/0x71a715ff99a27cc19a6982ae5ab0f5b070edfd35 https://debank.com/profile/0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4/history
The attacker deposited some BEAN token to Beanstalk for creating a malicious contract/proposal “InitBip18”. The proposal was used for transferring asset to the attacker and took 24 hour to proceed in order to invoke “emergencyCommit()”.
The attacker flashloaned 350M Dai, 500M USDC, 150M USDT, 32M Bean and 11.6M LUSD
The flashloaned assets are converted to 795,425,740 BEAN3Crv-f and 58,924,887 BEANLUSD-f:
1B (~ 350M Dai, 500M USDC, 150M USDT) were added to Curve.fi pool as liquidity, and received 979,691,328 DAI/USDC/USDT 3Crv token.
15M 3Crv in the above step is swapped for 15,251,318 LUSD and the remaining Crv are converted for 795,425,740 BEAN3Crv-f
32,100,950 BEAB and 26,894,383 LUSD were added as liquidity and receive 58,924,887 BEANLUSD-f in return
The Attacker deposited all the gained assets from the flashloan in Diamond contract and voted for the malicious BIP18 proposal.
The emergencyCommit() was immediately invoked to execute the malicious BIP18 proposal.
After the step 3 and 4, the attacker was able to drain the 36,084,584 BEAN, 0.54 UNIV2(BEAN-WETH), 874,663,982 BEAN3Crv and 60,562,844 BEANLUSD-f.
The attacker used the drained assets (in Step5) to repay the flashloan and gain the rest as profit:
874,663,982 BEAN3Crv are removed from liquidity for 1,007,734,729 3Crv
60,562,844 BEANLUSD-f are removed from liquidity for 28,149,504 LUSD
Repay 11,678,100 LUSD and 32,197,543 BEAN to corresponding pools
16,471,404 LUSD were swapped for 16,184,690 3Crv
Burn all the 3Crv for 522,487,380 USDC, 365,758,059 DAI and 156,732,232 USDT
Repay 350,315,000 DAI, 500,450,000 USDC and 150,135,000 to corresponding pools
0.54 UNIV2(BEAN-WETH) were removed from liquidity for 10,883 WETH and 32,511,085 BEAN
250,000 USDC were transferred to Ukraine Crypto Donation
15,443,059 DAI were swapped for 11,822 WETH and 37,228,637USDC were swapped for 2,124 WETH
Finally, 24,830 WETH were transferred to the attacker.
The root cause of the flaw is that the BEAN3Crv-f and BEANLUSD-f (used for voting) in the Silo system could be created via flashloan. However, lacking anti-flashloan mechanism in the Beanstalk protocol, the attackers can borrow numerous tokens that are supported by the protocol and vote for malicious proposals.
In detail, to execute the proposal by “emergencyCommit()”, the attacker needs to bypass the following checks:
Validation 1: Ensure the bip is started and has not been executed
Validation 2: Ensure 24 hours has been passed since the BIP was proposed.
Validation 3: Ensure the bip is still active and not expired
Validation 4: Ensure the voting percentage towards a given BIP is no smaller than the threshold, which is ⅔.
As the BIP18 proposal was created one day ago, validation one will be bypassed. By flashloan, the BIP18 proposal gained more than 78% of the vote, which is more than 67%.
4/17/2022 12:24:16 PM +UTC 24830.v ($ 76,199,168.8584)
36,398,226.9242 Bean -> 36,398,226.9242 ($1/Bean) -> price drop after attack($0.22/Bean)
24,830.1169 ETH -> 75763390.7935 ($3051.27/ETH)
For a total: 112,161,617.718
4/17/2022 3:24:25 PM +UTC 24849.1 ETH were transferred out to Tornado cash($76,424,649.505 ) -> 9 ETH may belong to the attacker
36,398,226.924163 BEAN -> $7,237,256.33 are still inside the attacker contract 0x79224bC0bf70EC34F0ef56ed8251619499a59dEf
Beanstalk Farms tweeted a public announcement on the day of the attack confirming that an exploit took place. Two days after the exploit, Beanstalk Farms published an official announcement explaining their immediate actions after the incident. Their team alerted and temporarily shut off protocol governance and paused Beanstalk. They claim that approximately $77M was stolen from the liquidity pool and that they have burned the remaining tokens in the exploiter contract. The team remains committed to the ongoing project.