Cyber Incident Victim: Beanstalk Farms
Date:
Apr 2022
Location:
United States of America
Summary
A decentralized finance protocol, Beanstalk Farms, suffered a flash loan attack where an exploiter borrowed nearly $1 billion in cryptocurrency via Aave, converted it into governance tokens to secure a supermajority voting stake, and approved malicious code to transfer approximately $182 million in assets to their wallet. After repaying the flash loan within seconds, the attacker netted around $80 million in profit. The breach caused the protocol’s stablecoin to lose its $1 peg, plummeting to roughly 14 cents, while users reported significant losses of staked funds with little recovery expectation due to the project’s lack of venture capital backing. Stolen assets were subsequently laundered through Tornado Cash, obscuring traces of the funds.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 17, 2022, Beanstalk Farms, a decentralized finance (DeFi) protocol designed to maintain a stablecoin pegged to $1, suffered a theft of approximately $182 million in cryptocurrency. Blockchain analytics firm PeckShield first detected the attack, estimating the attacker’s net profit at $80 million after accounting for borrowed funds used in the exploit. The attacker exploited Beanstalk’s governance mechanism, which granted voting power proportional to token holdings, by obtaining a flash loan—a short-term uncollateralized loan—through the Aave protocol. This loan provided nearly $1 billion in cryptocurrency, which the attacker exchanged for Beanstalk’s governance tokens ("beans"), securing a 67% supermajority stake. Within 13 seconds, the attacker used this voting control to pass a malicious proposal that transferred funds from Beanstalk’s central treasury ("the silo") to their wallet. The flash loan was repaid immediately, leaving the attacker with $80 million in stolen assets. Beanstalk’s development team, Publius, confirmed the attack on Twitter, stating they were investigating but had no immediate mitigation plan. The protocol’s code lacked safeguards against flash loan manipulation, a vulnerability the attacker leveraged to bypass governance controls.
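The governance weakness described above, that voting power is read from whoever holds the tokens at the instant of voting and a passed proposal can be executed in the same block, is easiest to see in a small model. The following is an added example, not Beanstalk's or Publius's code: a toy token ledger with two governors, one that counts current balances and executes immediately, and one that weights votes by a balance snapshot taken before the proposal was created and enforces a delay before execution. The account names, balances and the 2/3 threshold are constructed for the model; a single-block deposit, vote, execute, withdraw sequence passes the first governor and fails the second, while ordinary holders can still pass a proposal over several blocks.

```python
"""Added example: token-weighted governance with and without flash-loan safeguards.

Names, balances and the 2/3 threshold are constructed; nothing here is Beanstalk code.
"""
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # assumed threshold for this model


class Ledger:
    """Governance-token balances plus a per-block history of finalized balances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.block = 1
        self.finalized = {0: dict(balances)}  # block -> balances at the end of that block

    def advance(self, n=1):
        """Finalize the current block and move to the next (simulates mined blocks)."""
        for _ in range(n):
            self.finalized[self.block] = dict(self.balances)
            self.block += 1

    def deposit(self, who, amount):
        """Mint governance tokens against deposited capital (e.g. borrowed funds)."""
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount):
        """Burn governance tokens and release the underlying capital."""
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[who] -= amount

    def total_supply(self, snapshot=None):
        src = self.balances if snapshot is None else self.finalized[snapshot]
        return sum(src.values())


@dataclass
class Proposal:
    created_at: int
    snapshot_block: int
    votes_for: int = 0
    voters: set = field(default_factory=set)
    executed: bool = False


class Governor:
    def __init__(self, ledger, snapshot_votes, execution_delay):
        self.ledger = ledger
        self.snapshot_votes = snapshot_votes    # weight votes by a past block's balances?
        self.execution_delay = execution_delay  # blocks that must pass before execute()
        self.proposals = []

    def propose(self):
        # Snapshot the last finalized block, so tokens acquired in this block carry no weight.
        p = Proposal(created_at=self.ledger.block, snapshot_block=self.ledger.block - 1)
        self.proposals.append(p)
        return len(self.proposals) - 1

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if voter in p.voters:
            raise ValueError("already voted")
        if self.snapshot_votes:
            weight = self.ledger.finalized[p.snapshot_block].get(voter, 0)
        else:
            weight = self.ledger.balances.get(voter, 0)  # current balance: flash-loan capturable
        p.voters.add(voter)
        p.votes_for += weight

    def execute(self, pid):
        p = self.proposals[pid]
        if self.ledger.block < p.created_at + self.execution_delay:
            return False  # timelock not yet elapsed; a borrow cannot be repaid within one block
        supply = self.ledger.total_supply(p.snapshot_block if self.snapshot_votes else None)
        if p.votes_for < SUPERMAJORITY * supply:
            return False
        p.executed = True
        return True


HONEST = {"alice": 40, "bob": 30, "carol": 30}  # constructed long-standing holders


def single_block_capture(snapshot_votes, execution_delay):
    """Deposit, propose, vote, execute and withdraw all within one block."""
    ledger = Ledger(HONEST)
    gov = Governor(ledger, snapshot_votes, execution_delay)
    ledger.advance()                  # block 1 finalized; now in block 2
    ledger.deposit("borrower", 300)   # 300 of 400 tokens = 75% of current supply
    pid = gov.propose()
    gov.vote(pid, "borrower")
    passed = gov.execute(pid)
    ledger.withdraw("borrower", 300)  # capital returned in the same block
    return passed


def legitimate_vote(snapshot_votes, execution_delay):
    """Existing holders vote across blocks and execute once the delay has passed."""
    ledger = Ledger(HONEST)
    gov = Governor(ledger, snapshot_votes, execution_delay)
    ledger.advance()
    pid = gov.propose()
    ledger.advance()
    gov.vote(pid, "alice")
    gov.vote(pid, "bob")              # 70 of 100 = 70%, above 2/3
    ledger.advance(execution_delay)
    return gov.execute(pid)


if __name__ == "__main__":
    print("naive governor captured in one block:   ", single_block_capture(False, 0))
    print("hardened governor captured in one block:", single_block_capture(True, 3))
    print("hardened governor, legitimate proposal: ", legitimate_vote(True, 3))
```

Either safeguard alone defeats the single-block sequence in this model: with snapshot weighting the borrowed tokens count for nothing, and with an execution delay the tokens would have to be held across several blocks, which a loan repaid in the same transaction cannot do. Real governors (for example snapshot-based vote counting with a timelocked executor) combine both.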

The attack caused the BEAN stablecoin to lose its $1 peg, plummeting to approximately 14 cents by the following afternoon. Investors who staked funds in the protocol reported losses totaling tens of thousands of dollars, with no prospect of recovery due to Beanstalk’s lack of venture capital backing or contingency funds. Publius explicitly stated a bailout was “highly unlikely,” acknowledging the project’s dire state with the phrase “we are fucked.” The attacker began laundering proceeds through Tornado Cash, a privacy-focused cryptocurrency mixer, obscuring transaction trails. Blockchain security firm CertiK highlighted the attack as part of a rising trend of flash loan exploits in DeFi, emphasizing the risks of unaudited code and rushed decentralized governance implementations. Beanstalk’s Discord community expressed widespread distress over the losses, while experts like Fringe Finance CTO Brian Pasfield cautioned that decentralized autonomous organizations (DAOs) require gradual implementation and rigorous risk assessment to avoid creating unforeseen vulnerabilities. The incident underscored systemic challenges in DeFi governance models and flash loan security.
