Flash loan attack takes Beanstalk DeFi platform for $182 million, largest of its kind

Cybersecurity concerns about ransomware and data breaches have been rising over the past two years due to global events, but some threats may be overlooked in the constant blizzard of news. One is the growing popularity of flash loan attacks, targeting decentralized finance (DeFi) platforms that allow peers to grant instant, short-term loans to each other.

These attacks have increased in frequency and size since the start of 2020, and a recent theft from the DeFi platform Beanstalk is the largest to date. $182 million was lost to fraudsters, edging out the $167 million seen in the previous biggest attack campaign in 2021.

DeFi platform loses $182 million due to market manipulation

Flash loan attacks are essentially very fast crypto pump-and-dump schemes that exploit the fast, unsecured borrowing available through some DeFi platforms, but some (like this one) can also exploit a platform’s structural vulnerabilities.

Flash loans are a form of peer-to-peer borrowing without any collateral. These loans are “secured” by setting a tight deadline within which repayment must be made; if the borrower does not repay by the end of the window, the entire transaction is automatically invalidated. The main use for these loans is by crypto day traders who want to raise significant capital quickly to seize an opportunity.

Of course, enterprising hackers soon found a way to exploit the system. In a basic flash loan attack, the borrower immediately uses the large amount of funds to purchase a large amount of a crypto asset, then triggers a sell-off. This artificially drives the price down on that particular exchange, at least until the loan repayment window closes. Meanwhile, the attackers seize the now undervalued crypto asset and sell it on another exchange that maintains normal market prices.

Thus, the flash loan attack is not so much an attack on lenders (who are guaranteed to recover at least the amount they lent) as on other holders of the currency and, when it is large enough, on the value of the platform issuing the currency itself. An example of the latter phenomenon was the flash loan attack on the PancakeBunny platform in May 2021, in which a loss of $3 million involving the platform’s Bunny tokens caused the platform’s price to drop from $146 to $6.17 in the blink of an eye.

The Beanstalk attacker managed to get away with $80 million in illicit crypto funds this way, although the platform is looking at a total loss of $182 million due to remediation and a steep drop in value that took the token from $1 to 11 cents overnight. In this case, the attacker took out a flash loan on the Aave liquidity protocol and acquired a sufficient amount of the native governance token Stalk to have the power to push through a malicious proposal. This attack was different from some previous incidents because the ability to pass the proposal (by exploiting Beanstalk’s majority vote governance system) allowed the attacker to siphon money directly from the protocol wallet rather than simply exploiting an artificially created temporary arbitrage opportunity.
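The borrow, vote and repay sequence described above can be modelled in a few lines. This is an added example, not Beanstalk's code or anything from the original article: the balances are constructed, the loan is assumed to convert 1:1 into governance weight, and reading vote weight from a snapshot taken one block earlier is shown as one common countermeasure rather than something the article reports.

```python
import copy

class Reverted(Exception):
    """Raised to abort the transaction; all state changes are rolled back."""

def new_state():
    # Constructed numbers. Governance weight is modelled as a plain balance.
    return {"stalk": {"holders": 600, "attacker": 0},     # live weights
            "snapshot": {"holders": 600, "attacker": 0},  # weights one block earlier
            "pool": 5000, "treasury": 1000, "loot": 0}

def execute_proposal(state, use_snapshot):
    # Vulnerable: weight read from live balances. Hardened: from the snapshot.
    weights = state["snapshot"] if use_snapshot else state["stalk"]
    if weights["attacker"] * 2 <= sum(weights.values()):
        raise Reverted("proposal lacks a majority")
    state["loot"] += state["treasury"]
    state["treasury"] = 0

def flash_loan(state, amount, body):
    """Lend `amount`, run `body`, and revert everything unless the pool is whole."""
    before = copy.deepcopy(state)
    try:
        state["pool"] -= amount
        state["stalk"]["attacker"] += amount  # simplification: loan converts 1:1 to weight
        body(state)
        if state["pool"] < before["pool"]:
            raise Reverted("loan not repaid")
    except Reverted:
        state.clear()
        state.update(before)
        return False
    return True

def borrow_vote_repay(state, use_snapshot, amount=5000):
    def body(s):
        execute_proposal(s, use_snapshot)
        s["stalk"]["attacker"] -= amount  # unwind the position
        s["pool"] += amount               # repay inside the same transaction
    return flash_loan(state, amount, body)

if __name__ == "__main__":
    for mode in (False, True):
        s = new_state()
        ok = borrow_vote_repay(s, mode)
        print("snapshot" if mode else "live", ok, s["treasury"], s["pool"])
```

With live balances the lender's pool ends whole while the treasury is emptied; with snapshot weights the same transaction reverts and nothing changes.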

Creative Flash Loan Attack highlights holes in DeFi platforms

Years after the first flash loan attacks, some DeFi platforms are still struggling to put proper defenses in place to limit the possibility. This comes amid greater focus on DeFi platforms by cybercriminals, as they turn out to have many openings that are not available with fiat currency financial organizations or even with some of the most popular, proven and stable cryptocurrencies. While these platforms are riskier for traders than other options, they also often have hundreds of millions of dollars available if a hacker can successfully exploit one of these openings.

As KnowBe4 Security Awareness Advocate James McQuiggan notes: “This attack is undoubtedly a sign of things to come. Cybercriminals continue to target organizations with money. Major banking companies have worked to build strong security cultures to significantly reduce the risk of attack and successful breach. They are now turning to cryptocurrency and exchange organizations to infiltrate using social engineering attacks or targeting vulnerable perimeter systems that are not up to date on security updates or exposed to other feats. Crypto and digital currency organizations need to strengthen their perimeters and ensure a strong security culture to reduce these attacks and align with other FinTech companies.”

In the case of the Beanstalk attack, it wasn’t even a code exploit, but a clever hacker simply leveraging valid protocols in place in creative ways. The situation highlights the endemic problems of DeFi platforms, given their preference for majority voting systems and proof of stake as the centerpiece of security. These systems differ from the more secure “proof of work” behind Bitcoin and other similar cryptocurrencies, but remain popular because they use considerably less energy.

Founder Publius has posted messages stating that the project will likely be dead soon given that it has no venture capital, and apparently no real way to recoup the funds other than the long shot of striking a deal with the attacker (who has reportedly already sent the entire $80 million to Tornado Cash for anonymous mixing). The team has suspended all smart contracts at this time and says they are in contact with the FBI. One of the project managers responded to social media posts saying it was “inappropriate” for Publius to take responsibility for the breach.
