Beanstalk, a decentralized credit-based stablecoin protocol suffered an exploit on Sunday, April 17 which left $181M in various tokens missing.
“Beanstalk suffered an exploit today. The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.” Beanstalk wrote on its official Twitter page following the exploit.
According to a thread of tweets by crypto researcher Igor Igamberdiev, the attacker managed to make away with $76M out of the loot after the cleverly choreographed heist. According to researchers, the attack at hand was not a bridge exploit like in the case of Ronin but a flash loan attack.
The attacker reportedly flashloaned 350M $Dai, 500M $USDC, 150M $USDT, 32M $Bean, 11.6M $LUSD 2 from three dexes before adding the amounts to Curve.fi with BEAN for the governance voting.
The exploiter later used the acquired assets to vote for a BIP18 governance proposal that moved all funds from the protocol contract to the exploiter. The exploiter then “donated” 250,000 USDC to Ukraine’s crypto donation before using another portion to repay the flash loans. He later converted the remaining funds to 24.8k WETH ($76M), part of which was sent to Tornado cash while the rest (the initial amount used to launch the attack) was withdrawn using a DeFi bridge-Synapse.
As of writing, Beanstalk has asked for help from the DeFi community and experts in chain analytics “to help us limit the exploiter’s ability to withdraw funds via CEXes.” They have also said that they are willing to negotiate with the hacker. On the other hand, Tornado Cash is yet to respond.
Following a string of attacks on DeFi protocols in the past six or so months, Tornado Cash has increasingly come under fire for allegedly aiding investment fraud. Already, the protocol is under intense scrutiny from U.S. officials after a hack that saw circa $625 million drained off of Ronin, the blockchain network backing the Axie Infinity play-to-earn crypto game.
On Friday, Tornado Cash sought the services of crypto data research firm Chainalysis oracle contract to block OFAC sanctioned addresses from accessing the protocol, raising security hopes for Defi users. However, whereas this could help in mitigating the threat of laundering stolen assets, smart contracts running on the protocol are immutable meaning that hackers could still use Tornado Cash to anonymously cash out.
That said, it still baffles many how a clean mixer whose deposits in ETH tapped $1.1 Billion last month and has a 95% withdrawal rate using relayers “remains compliant” while still providing privacy.