▲ Image caption (source: cointelegraph)
Credit-based stablecoin protocol Beanstalk Farms lost all of its $182 million collateral from a security breach caused by two sinister governance proposals and a flash loan attack.
The problem for the protocol was seeded by suspicious governance proposals BIP-18 and BIP-19, issued on April 16 by the exploiter, that asked for the protocol to donate funds to Ukraine. However, those proposals had a malicious rider attached to them, which ultimately created the sinkhole of funds from the protocol, according to smart contract auditor BlockSec.
This latest security breach of a decentralized finance (DeFi) protocol took place at 12:24 pm UTC. At that time, the exploiter took out $1 billion in flash loans from the AAVE (AAVE) protocol denominated in DAI (DAI), USD Coin (USDC), and Tether (USDT) stablecoins. They used these funds to accumulate enough assets to take over 67% of the protocol’s governance and approve their own proposals.
A flash loan must be executed and repaid within a single block and usually calls on several smart contracts at once to complete. Flash loans have been used in the past to perform hacks or security exploits of other protocols. Beanstalk Farms is a decentralized algorithmic stablecoin issuing platform on Ethereum.
This case was technically not a hack as the smart contracts and governance procedures functioned as designed. Flaws in their design were exploited, which project spokesperson “Publius” acknowledged in a meeting on April 18th when he said:
“It’s unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.”
Blockchain security analysis firm PeckShield warned the Beanstalk team via Twitter at 12:41 pm UTC on April 17 that there might be an issue, with the ominous statement: “Hi, @beanstalkFarms, you may want to take a look.”
At that point, it was too late. The exploiter had already made off with roughly $80 million in Ether (ETH) and Beans (BEAN), while the entire protocol lost its $182 million in total value locked (TVL), according to PeckShield. BEAN is currently down about 83%, trading at $0.17 according to CoinGecko, but troughed at $0.06 when the exploiter dumped their tokens.
The exploiter swapped BEAN for ETH and then sent the coins to Tornado Cash to cover their digital tracks. However, they also sent 250,000 USDC to the Ukraine Crypto Donation wallet.
At 11:49 pm UTC on April 17, Publius wrote that the project is likely lost since there is no venture capital backing to recoup losses, adding “We are f**ked.”
In a team and community meeting on the Beanstalk Discord channel on April 18, Publius doxxed the three individuals who developed the project. They are Benjamin Weintraub, Brendan Sanderson, and Michael Montoya, all of whom attended the University of Chicago together and conceived Beanstalk Farms.
Montoya said that the team had reached out to the Federal Bureau of Investigation (FBI) Crime Center and would “fully cooperate with them to track down the perpetrators and recover funds.”