Algo stablecoin protocol Beanstalk cut down by governance hijack
- An attacker drained 24,830 ether and 36 million BEAN tokens, worth around $180 million.
- The attacker used a gap in the protocol's governance process to push through a malicious "improvement proposal".
Beanstalk Farms, which bills itself as "a decentralized credit-based stablecoin protocol", was drained of about $180 million in paper losses on Sunday, the latest DeFi hack of the year.
This makes it the fifth-largest protocol exploit on the tracking site Rekt's leaderboard and the second-largest this year, after the massive Ronin bridge hack in March. Security firm PeckShield first reported it.
As with the Ronin exploit, most of the stolen funds consist of ether, which the attacker quickly routed through the privacy protocol Tornado Cash to obscure the tokens' origin.
The team confirmed the exploit on Twitter on Sunday.
Beanstalk had recently celebrated a milestone, reaching $100 million in minted tokens. A bean is meant to track one US dollar, but unlike stablecoins backed by fiat or crypto collateral, the system used a novel set of financial incentives to hold its peg, relying on credit rather than overcollateralization, according to its white paper.
The protocol had been audited by blockchain security firm Omniscia, but the company said in a post-mortem analysis that the production code hit by the exploit deviated from what the firm had reviewed.
The developers disputed this account during a live town hall on Sunday.
"We are not in the business of pointing fingers at others, [but] we looked at the report they published and did not believe it was a true account of what happened," said the lead developer.
Omniscia pointed to a "flash-loan-susceptible governance flaw" that allowed the attacker to submit a malicious governance proposal and then execute it, effectively withdrawing all of the protocol's assets into the attacker's wallet.
The trick was to take a massive flash loan, borrowing huge sums that must be repaid within the same transaction, to sidestep the usual lifecycle of a governance proposal. In a bit of DeFi magic, using borrowed stablecoins worth $1.04 billion, the attacker briefly acquired a supermajority of the protocol's voting power and used it to execute malicious code immediately.
"The Beanstalk protocol supported protocol upgrades via its Beanstalk Improvement Proposal (BIP) governance mechanism, and as such it was possible for an upgrade to execute arbitrary code, which allowed the attacker to withdraw their locked funds as part of their malicious upgrade," Omniscia wrote.
A 24-hour waiting period did exist, but the offending BIP was disguised as a proposal to donate funds in support of Ukraine, and the attacker bypassed the delay with an emergency commit, which takes effect immediately once a proposal has supermajority support.
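As an added illustration (not Beanstalk's code and not taken from Omniscia's report), the Python model below shows the two properties the attack relies on, voting weight read from live balances and a commit path that needs no waiting period, beside the usual fix: weight taken from a snapshot of balances as they stood before the proposal's block, plus a timelock with no emergency path. The 2/3 threshold, the block numbers, the names and the balances are constructed assumptions; `flash_loan_attack` replays the same borrow-stake-propose-vote-commit-repay sequence against both models.

```python
from dataclasses import dataclass, field

SUPERMAJORITY = (2, 3)   # assumed: 2/3 of all stake may commit a proposal
TIMELOCK_BLOCKS = 7_200  # assumed: roughly 24 h of blocks before a normal commit


@dataclass
class Proposal:
    payload: str                                  # stands in for an arbitrary upgrade
    created_block: int
    supporters: set = field(default_factory=set)
    snapshot: dict = field(default_factory=dict)  # filled only by the hardened model


class VulnerableGovernance:
    """Votes are weighted by the voter's *current* stake and a supermajority may
    execute immediately, so stake borrowed with a flash loan counts in full."""

    def __init__(self):
        self.stake, self.proposals, self.executed = {}, [], []

    def adjust(self, who, delta, block):          # deposit (+) or withdraw (-) stake
        self.stake[who] = self.stake.get(who, 0) + delta

    def snapshot_at(self, block):
        return {}                                 # no snapshot: live balances decide

    def propose(self, who, payload, block):
        self.proposals.append(Proposal(payload, block, snapshot=self.snapshot_at(block)))
        return len(self.proposals) - 1

    def vote(self, who, pid):
        self.proposals[pid].supporters.add(who)

    def emergency_commit(self, pid, block):
        p, (num, den) = self.proposals[pid], SUPERMAJORITY
        weight = sum(self.stake.get(a, 0) for a in p.supporters)
        if weight * den < num * sum(self.stake.values()):
            raise PermissionError("no supermajority")
        self.executed.append(p.payload)           # arbitrary code would run here


class HardenedGovernance(VulnerableGovernance):
    """Weight comes from balances as they stood *before* the proposal's block and
    nothing executes before the timelock.  A flash loan is repaid within one
    transaction, so borrowed stake is in no snapshot and gone before execution."""

    def __init__(self):
        super().__init__()
        self.history = []                         # (block, address, delta) per stake change

    def adjust(self, who, delta, block):
        super().adjust(who, delta, block)
        self.history.append((block, who, delta))

    def snapshot_at(self, block):
        snap = {}
        for b, who, delta in self.history:
            if b < block:                         # only stake present before this block
                snap[who] = snap.get(who, 0) + delta
        return snap

    def emergency_commit(self, pid, block):
        raise PermissionError("no emergency path; wait for the timelock")

    def commit(self, pid, block):
        p, (num, den) = self.proposals[pid], SUPERMAJORITY
        if block < p.created_block + TIMELOCK_BLOCKS:
            raise PermissionError("timelock has not elapsed")
        weight = sum(p.snapshot.get(a, 0) for a in p.supporters)
        if weight * den < num * sum(p.snapshot.values()):
            raise PermissionError("no supermajority in the snapshot")
        self.executed.append(p.payload)


DRAIN = "transfer every asset to the attacker"


def flash_loan_attack(gov, loan=1_000_000_000, block=100):
    """Replay the pattern inside one block (one transaction): borrow, stake, propose,
    vote, commit, unstake, repay.  True if the payload ran, now or after the timelock."""
    for who, amt in {"alice": 40_000_000, "bob": 30_000_000}.items():
        gov.adjust(who, amt, block=1)             # constructed honest stake, deposited earlier
    gov.adjust("attacker", loan, block)           # flash-loaned funds staked
    pid = gov.propose("attacker", DRAIN, block)
    gov.vote("attacker", pid)
    try:
        gov.emergency_commit(pid, block)
    except PermissionError:
        pass
    gov.adjust("attacker", -loan, block)          # loan repaid in the same block
    if isinstance(gov, HardenedGovernance):
        try:
            gov.commit(pid, block + TIMELOCK_BLOCKS)
        except PermissionError:
            pass
    return DRAIN in gov.executed
```

Against `VulnerableGovernance` the borrowed 1,000,000,000 units dwarf the 70,000,000 of honest stake, so the attacker's single vote clears the threshold and the payload runs before the loan is repaid. Against `HardenedGovernance` the same stake is absent from the snapshot (it arrived in the proposal's own block) and has been repaid long before the timelock expires, so the proposal can never reach a supermajority. Note that a snapshot alone is not enough: without the timelock an attacker could still borrow, deposit, wait one block, and propose in the next, which is why real deployments pair the two.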
"We found it very strange, but obviously we didn't know what was going on, that an attack was in progress," the developers explained during the town hall.
"We'll do everything we can to find out who did it and bring them to justice."
After the exploit, the protocol's BEAN token immediately lost 90% of its value, and effectively all other assets, including those used by the attacker, were liquidated, leaving the attacker a net profit of around $75 million in ether and other tokens.
According to PeckShield, the hacker sent $250,000 worth of USDC to an address supporting Ukraine.
4/ The initial funds used to launch the hack were withdrawn from @Synapseprotocol and the proceeds are being laundered through @Tornadocash. Currently 15,154 ETH remain in the hacker's account. Note that the hacker donated 250,000 USDC to the Ukraine Crypto Donation address. pic.twitter.com/jbjuj0jbgj
- PeckShield Inc. (@peckshield) April 17, 2022
Seed of hope
Despite the catastrophe, the protocol's developers have vowed to keep working on the project.
Today is a bad day, but it's not the end. We were overwhelmed by the support of our community this morning. The way forward is unclear, but the goal has never been so clear.
- Publius (@isthispuplius) April 17, 2022
During the town hall and on the group's Discord, the pseudonymous team took the extraordinary step of revealing their identities and stated their intention to work with law enforcement in the hope of identifying the attacker and recovering funds.
This is not the first time flash loans have been used in a DeFi exploit. Cream Finance had $130 million stolen last year, which sent its governance token CREAM down 70%, a drop from which it never recovered.
Unlike other high-profile hacks, such as the exploit of the Solana Wormhole bridge, Beanstalk has no venture capital backers who might mount a rescue operation to recapitalize the system.
The Beanstalk team did not immediately respond to a request for comment on Monday.