Algo Stablecoin Protocol Beanstalk Cut Down by Governance Hijack

A giant ‘flash-loan’ of over $1 billion in stablecoins befell the Beanstalk DeFi experiment

article-image

Source: Shutterstock and Beanstalk

share

key takeaways

  • An attacker drained 24,830 ether and 36 million BEAN tokens worth about $180 million
  • The attacker exploited a loophole in the protocol’s governance process to push through a malicious “improvement proposal”

Beanstalk Farms, billed as “a decentralized credit based stablecoin protocol,” was exploited on Sunday for paper losses of about $180 million — the year’s latest DeFi hack.

That pegs it as the fifth-largest protocol exploit on the tracking site Rekt Leaderboard and the second largest this year after the massive Ronin Bridge hack in March. Security firm PeckShield first reported the news.

Like the Ronin exploit, most of the stolen funds consist of ether, which the attacker quickly began funneling into privacy protocol Tornado Cash in an effort to obscure the tokens’ origin.

The group confirmed the exploit on Twitter Sunday and is now considering a path forward.

Beanstalk had recently celebrated a milestone, reaching $100 million in BEAN tokens minted. One BEAN was meant to be equal to one US dollar, but unlike stablecoins backed by fiat or crypto collateral, Beanstalk used a novel system of financial incentives to maintain its peg using credit rather than overcollateralization, according to its whitepaper.

The protocol had undergone one audit from blockchain security expert Omniscia, but the firm indicated in a post-mortem analysis that the production code which suffered the exploit differed from what the firm had audited.

The developers disputed that account during a live town hall meeting Sunday.

“We’re not in the business of pointing fingers [but] we did take a look at the report they published and didn’t feel that it was a genuine account of what occurred,” the lead developer said.

Omniscia pointed to a “flash-loan susceptible governance flaw” as the culprit, allowing the attacker to propose and then force through a malicious governance proposal that effectively withdrew all the protocol’s assets to the attacker’s wallet.

The trick was to use a massive flash-loan — borrowing vast sums that must be repaid within the same transaction — and circumvent the usual life cycle of a governance proposal. In a bit of DeFi magic using $1.04 billion in borrowed stablecoins, the attacker briefly acquired a supermajority of the protocol’s voting power, which was directed to immediately execute malicious code.

“The Beanstalk Protocol supported protocol upgrades via its Beanstalk-Improvement-Proposal (BIP) governance mechanism and as such, it was possible for an upgrade to perform arbitrary code execution thus allowing the attacker to retrieve their locked funds as part of their malicious update,” Omniscia wrote.

A 24-hour waiting period was in effect, but the offending BIP was disguised as a bid to donate funds to support Ukraine and passed the delay period before a supermajority vote would be effective.

“We thought it was very strange, but we obviously were not aware of what was going on, what attack was in progress,” the developers explained during the town hall.

“We’re going to do everything we can to find out who did this and bring them to justice.”

Following the exploit, the protocol‘s BEAN tokens immediately dropped in value by 90% and effectively all its other assets, including those deployed by the attacker, were liquidated, resulting in a net profit of about $75 million in ether and other tokens.

According to Beanstalk’s developers, “the existing [BEAN] should not be bought or traded as >33% of Beans are still in the exploiter’s custody. Given that the Bean token is not upgradable and has no blacklist capabilities, there is no way to remove these Beans from the exploiter’s custody. Thus, a new Bean ERC-20 token will need to be issued during a restart.”

According to PeckShield, the hacker sent $250,000 of USDC to an address in support of Ukraine.

Loading Tweet..

Seeds of hope

Despite the catastrophe, the protocol’s developers have pledged to continue work on the project.

Loading Tweet..

During the town hall and on the group’s Discord, the pseudonymous team took the extraordinary step of revealing their identities and explained their intention to cooperate with law enforcement in the hope of identifying the attacker and recovering funds.

This is not the first time flash-loans have been deployed in a DeFi exploit. Last year, Cream Finance was robbed of $130 million. That led its governance token CREAM to plummet by 70% — from which it has never recovered.

Unlike other high-value hacks, such as the Solana Wormhole bridge exploit, Beanstalk has no venture capital backing that could potentially provide a bailout to recapitalize the system.

The Beanstalk team did not immediately return a request for comment Monday.

In a follow-up blog post on Tuesday, the Beanstalk Farms team identified four “primary goals” for the project: “securing the enduring success of Beanstalk’s economic model; attracting sufficient capital to restart Beanstalk; preserving as much of each Farmers’ Stalk, Seed and Pod positions as possible, and; aligning new capital with previous Stalk and Pod holders.”

This story was updated on April 19 and 5:00 am ET.


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

recent research

LTIPPanalysis.png

Research

This report is a retroactive analysis of Arbitrum's Long Term Incentives Pilot Program (LTIPP). We collect relevant data at a protocol level and review bi-weekly updates to analyze recipients, their strategies, and the impact of the incentives on high level growth metrics. In particular, we want to highlight outperformers and underperformers, and glean any best practices or lessons learned for protocols distributing ARB incentives in the future. The overarching goal is to synthesize lessons learned that the DAO can reference as it begins thinking about future incentives programs–namely, the working group for incentives that is being actively discussed–especially as Timeboost introduces new conditions for trading and economic activity.

article-image

BuilderNet is a new block building network designed to return more MEV and gas fees to users

article-image

Ledn’s John Glover gives some price targets to watch for bitcoin

article-image

Sponsored

AI project Zerebro intersects the spheres of artificial intelligence, finance, art, music, and culture

article-image

Allmight is focused on furthering the United States’ leadership in crypto

article-image

The conditions Charles Schwab is waiting for before jumping headfirst into crypto could take shape soon

article-image

The FCA’s director of payments and digital assets shared some takeaways from chats with crypto companies and law firms