Beanstalk loses B6.1bn in flash loan hit

Beanstalk loses B6.1bn in flash loan hit

The Beanstalk cryptocurrency lost 6.1 billion baht of reserves in a corporate flash loan attack when a raider obtained overwhelming voting rights to transfer money out of the organisation's reserves.

The Beanstalk decentralised autonomous organisation (DAO) functions similarly to a bank that pays interest while operating through smart contracts on the Ethereum blockchain.

Its cryptocurrency, beans, are designed to have a value equal to one dollar.

As a DAO, there were no authority figures in the project, but rather people could buy a governance token that allows them to make proposals and decisions for the organisation.

However, this setup allowed an unidentified attacker to take out a flash loan, or a borrowed sum of money and cryptocurrency that is paid back as part of the same transaction, to buy a great amount of governance tokens that allowed them to singlehandedly pass any proposal since they have over two-thirds of the votes.

With their voting power, the attacker made a proposal to donate 8.4 million baht to Ukraine for the war efforts, but also created a way for them to directly take funds from the DAO's reserve.

The entire operation was done in seconds, according to David Gerard, author of Attack of the 50 Foot Blockchain. He raised concern over the lack of regulations for cryptocurrency.

"In regulated markets, we have laws and regulations on how you can take over a company and drain it," he said.

The bean currency, which is usually valued at a dollar, dropped to 10 cents as of 1pm yesterday.

The project's founder, under the alias Publius, said "it's unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing" on the online messaging platform Discord.

The founder said the attack was permitted according to the rules and code that was implemented in the DAO.

"This project has not had any venture backing, so it is highly unlikely there is any sort of bailout coming," said the founder.

This is one of many decentralised finance attacks to occur this year. The play-to-earn game Axie Infinity was hacked for 21 billion baht last month, the Wormhole crypto platform was attacked for around 11 billion baht in February, and the Qubit Finance project lost 2.7 billion baht from hackers in January.

Do you like the content of this article?