Investigations

Beanstalk is a decentralised protocol that allows anyone to realise the value of an open, credit based stablecoin. The Beanstalk community of lenders, borrowers and savers secures a protocol-native stablecoin, Bean, with the goal of creating the world’s most accessible digital money system. By eliminating collateral requirements, Beanstalk aims to be the catalyst for a trustless solution to unlock the universal potential of decentralised finance.

Beanstalk, a decentralised credit based stablecoin protocol, was attacked at roughly 12:24pm UTC on April 17, resulting in a theft of ~$77M in non-Beanstalk user assets. The perpetrator used a flash loan to exploit the protocol’s governance mechanism and send the funds to a wallet they controlled. 

On the day of the attack, the Beanstalk contract on the Ethereum mainnet was exploited via a previously-unknown issue with Beanstalk’s governance process. The Beanstalk Farms team was immediately alerted and took action to temporarily shut off protocol governance and pause Beanstalk. Approximately $77M was stolen from the protocol’s liquidity pools. The team has since burned the remaining Beans in the exploiter contract.

Ref: https://bean.money/blog/beanstalk-governance-exploit

Contract Vulnerability

The root cause of the flaw is that the BEAN3Crv-f and BEANLUSD-f (used for voting) in the Silo system could be created via flashloan. However, lacking anti-flashloan mechanism in the Beanstalk protocol, the attackers can borrow numerous tokens that are supported by the protocol and vote for malicious proposals.

In detail, to execute the proposal by “emergencyCommit()”, the attacker needs to bypass the following checks: CV1

• Validation 1: Ensure the bip is started and has not been executed
• Validation 2: Ensure 24 hours has been passed since the BIP was proposed.
• Validation 3: Ensure the bip is still active and not expired
• Validation 4: Ensure the voting percentage towards a given BIP is no smaller than the threshold, which is ⅔.

As the BIP18 proposal was created one day ago, validation one will be bypassed. By flashloan, the BIP18 proposal gained more than 78% of the vote, which is more than 67%.