Beanstalk Farms, a credit-based stablecoin protocol, suffered a major exploit that led to a $182 million loss, or, put more accurately, the loss of all its total value locked (TVL).
Taking advantage of security loopholes, the perpetrator submitted two malicious proposals and carried out a flash loan attack.
The attacker tricked the protocol by creating the flash-loan-assisted BIP18, a proposal containing manipulated code that used governance privileges to drain the pool funds. The protocol passed this proposal on the strength of the attacker's false votes.
To get past the ⅔ voting threshold, the attacker captured voting power by depositing tokens into the Diamond contract. Since deposits into the contract confer voting power, the attacker could borrow a flash loan and deposit it into the contract to obtain that power.
According to the blockchain analyst, the attacker held 79% of the voting power, which was more than the threshold. The malicious proposal was then executed, enabling the attacker to transfer a large amount of the token supply to an attacker-controlled contract.
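A toy model of the voting weakness described above, added here as an illustration and not Beanstalk's contract code: when voting power is read from the live deposit balance, a deposit made with borrowed tokens clears the ⅔ threshold, while counting only balances from a snapshot taken when the proposal was submitted gives that deposit no weight. The class, method names, block numbers and token amounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from fractions import Fraction

THRESHOLD = Fraction(2, 3)  # supermajority named in the article

@dataclass
class ToyGovernance:
    """Constructed model: voting power equals tokens deposited."""
    block: int = 0
    # holder -> list of (block_deposited, amount)
    deposits: dict = field(default_factory=dict)

    def deposit(self, holder, amount):
        self.deposits.setdefault(holder, []).append((self.block, amount))

    def withdraw_all(self, holder):
        self.deposits.pop(holder, None)

    def power(self, holder, as_of=None):
        """Deposited balance; with as_of, only deposits made at or before that block."""
        return sum(amt for blk, amt in self.deposits.get(holder, [])
                   if as_of is None or blk <= as_of)

    def share(self, holder, as_of=None):
        total = sum(self.power(h, as_of) for h in self.deposits)
        return Fraction(self.power(holder, as_of), total) if total else Fraction(0)

    def passes_live(self, holder):
        """Weak rule: count whatever is deposited at execution time."""
        return self.share(holder) >= THRESHOLD

    def passes_snapshot(self, holder, proposal_block):
        """Hardened rule: count only balances as of the proposal's snapshot block."""
        return self.share(holder, as_of=proposal_block) >= THRESHOLD

def simulate():
    gov = ToyGovernance()
    gov.deposit("long_term_holders", 21)    # constructed amounts
    gov.block = 10                           # proposal submitted; snapshot taken here
    proposal_block = gov.block
    gov.block = 20                           # later block: borrow, deposit, vote
    gov.deposit("borrower", 79)              # flash-loaned tokens, repaid in the same block
    live = (gov.share("borrower"), gov.passes_live("borrower"))
    snap = (gov.share("borrower", proposal_block),
            gov.passes_snapshot("borrower", proposal_block))
    gov.withdraw_all("borrower")             # loan repaid; voting power disappears
    return live, snap, gov.share("borrower")
```

Calling `simulate()` returns the borrower's share and pass/fail result under each counting rule, followed by the share left once the loan is repaid.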
According to the blockchain analyst firm PeckShield, the attacker fled with over $80 million in Ether (ETH) and 36 million in Beans (BEAN) from the protocol. The protocol itself, however, lost all of its total value locked (TVL), which was around $180 million.
The attacker exchanged the BEAN tokens for ETH after receiving them in their own wallet. The initial funds used to conduct the attack were taken from the Synapse protocol. The hacker then deposited the stolen funds into Tornado Cash to conceal the transaction.
Surprisingly, the attacker even donated 250,000 USDC to Ukraine to help in the ongoing conflict with Russia.
This is one of the largest attacks on DeFi networks in less than a month. Before this, the Ronin Network suffered an exploit of over $600M, which is the largest DeFi attack to date. Ronin Network is the Ethereum sidechain for the NFT game Axie Infinity.