Beanstalk Hack Analysis & POC (Apr 17, 2022)

profile BlockApex
calendar April 27, 2022

Table Of Content

Share:

Introduction

Beanstalk protocol got hacked for around $74M through exploiting the governance mechanism & stealing all the BEANS & Curve LP tokens stored in the Beanstalk protocol. It is a bit complex hack, let's break it down step by step.

Hack transaction

Hacker’s Address

Hacker Exploit Contract

Proposal creation transaction on BeanGovernance

Imperative Functions of the Protocol

Before diving into the hack let's analyze how the governance system worked for the protocol & why the proposal was important.

  1. The idea of a proposal is to modify the beanstalk protocol in any way that attracts or affects the interest of the community.
  2. A proposal for governance can be created by anyone who has deposited beans into the protocol. Anyone who hasn’t deposited beans will not be able to create the proposal.
  3. The proposal in this scenario is a smart contract that will be executed if enough votes pass for it. An example of this can be to whitelist other pools for governance voting, etc.
  4. If anything goes wrong, there is also an emergencyCommit function that bypasses all of the individual votes & executes the proposal. It can be called after a waiting period of one day. 

The Intent

The attacker created 2 Proposals.

  1. Malicious Proposal Contract (BIP18) 
  2. Ukraine donation proposal

The malicious contract requested the following tokens to be sent over the exploit contract address.

  1. BEAN3CRV-f, A BEAN-CRV metapool on curve.
  2. BEANLUSD-f, A BEAN-LUSD metapool on curve.
  3. UNI-V2 ETH/BEAN, A liquidity pool for ETH-BEAN.
  4. BEAN token.

Undertakings of the Exploit

  1. The attacker starts by taking a flashloan of $1 Billion from AAVE v2 containing the following assets.
    • 350,000,000 DAI
    • 500,000,000 USDC 
    • 150,000,000 USDT
  1. The attacker takes yet another Flashloan from Uniswap v2 for 32,100,950 BEAN & Sushiswap for 11,643,065 LUSD.
  2. Then the attacker deposits DAI, USDC & USDT to Curves 3Pool (DAI/USDC/USDT) to get 979,691,328 3Crv tokens.
  3. Exchange 15,000,000 CRV tokens to 15,251,318 LUSD on BEANLUSD-f pool.
  4. Add single asset liquidity 964,691,328 CRV to get 795,425,740 BEAN3CRV-f.
  5. The attacker deposits 32,100,950 BEAN & 26,894,383 LUSD to get 58,924,887 BEANLUSD-f
  6. The user then deposits BEANLUSD-f & BEAN3CRV-f to the beanstalk contract to get enough voting power.
  7. The attacker calls Diamond.vote(18) At this point user has control over 66% of the voting power.
  1. The proposal gets executed by calling the Diamond.emergencyCommit(18) function on beanstalk protocol which sends the following tokens back to the exploit contract.
    1. 36,084,584 BEAN
    2. 0.540716100968756904 UNI-V2 ETH/BEAN.
    3. 874,663,982 BEAN3CRV-f.
    4. 60,562,844 BEANLUSD-f.
    5. 100 BEAN minted to the exploit contract.
  2. Removes 874,663,982 CRV single liquidity to get 1,007,734,729 CRV tokens.
  3. Removes 60,562,844 BEANLUSD-f single liquidity to get 28,149,504 LUSD.   
  4. Returns flashloan of 11,678,100 LUSD to Sushiswap.
  5. Returns flashloan of 32,197,543 BEAN to Uniswap V2.
  6. Exchanges 16,471,404 LUSD to get 16,184,690 CRV on LUSDCRV-f.
  7. Removes liquidity from 511,959,710 3CRV Pool to get 522,487,380 USDC, 358,371,797 DAI, 156,732,232 USDT.
  8. Returns flashloan on aave for 350,315,000 DAI, 500,450,000 USDC & 150,135,000 USDT.
  9. Removes liquidity on 0.540716100968756904 Uniswap V2 to get 10,883 Eth & 32,511,085 BEAN.
  10. Donated 250,000 USDC to Ukraine Donation Wallet. 
  11. Swap 15,443,059 DAI to 15,441,256 USDC on Uniswap V3.
  12. Swap 37,228,637 USDC for 11,822 Eth on Uniswap V3.
  13. Swap 6,597,232 USDT for 2,124 Eth on Uniswap V3.
  14.  Leaving the attacker with over 24k Eth ~ $72M in profit.

The Exit Strategy

The hacker used tornado cash & split the ~24k Eth into chunks of 1, 10 & 100 Eth to disappear in thin air. One thing to note is that this hack was a result of a bad governance design and not the economic design.

HACK YOURSELF!

Here is the Github repo that has POC for the hack.

Also see Cream Finance Hack: What Motivates Hackers to Return Stolen Funds?

More Audits

 DeFiGeek Community JAPAN - Hack Analysis (Apr 17, 2023)

On Apr 17, 2023. The DeFiGeek Community fell victim to a security breach in which an attacker exploited a flash loan vulnerability, causing the loss of 10 ETH (valued at over $20,000) from their DeFiGeek Community Pool Dai (fDAI-102

BlockApex
May 31, 2023
Dforce Network - February 13, 2023

The attack on dForce network had significant consequences for the platform and its users. By exploiting a reentrancy vulnerability in the wstETH/ETH pool on Curve and the dForce wstETH/ETH Vault, the attacker was able to manipulate the virtual price of the pool, which in turn affected the oracle used by the dForce wstETH/ETH Vault

BlockApex
June 14, 2023
ZUNAMI - Hack Analysis

Zunami is a decentralized protocol operating in the Web3 space, specializing in issuing aggregated stablecoins like UZD and zETH. These stablecoins are generated from omnipools that employ various profit-generating strategies. Recently, the protocol was exploited, resulting in a loss of $2.1M.

BlockApex
September 8, 2023
Jimbo's Protocol - Monday, May 28, 2023

Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol uses a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). However, despite its pioneering efforts to maintain on-chain liquidity and price floors, Jimbo's Protocol recently faced a Flash loan attack.

BlockApex
September 7, 2023
Consumer Privacy & Data Breach Part II - Is Web 3.0 The Cure?

The last few years have resulted in consumer privacy and data breach issues. Those issues have made the users conscious and ambiguous about the data on the internet. Read more in this blog.

BlockApex
June 20, 2022
Cryptocurrency: Cutting-edge or Criminal?

As the positive hype around cryptocurrency increases, so does the negative. Many argue that the very benefits of decentralization and anonymity result in it being favored for use in a host of illegal activities. However, is outright banning a viable solution?

BlockApex
December 9, 2021
Off-Chain Security: A Rising Reason For Recent Hacks?

An off-chain transaction deals with values outside the blockchain and can be completed using a lot of methods. To carry out any kind of transaction, both functioning entities should first be in agreement, after that a third-party comes into the picture to validate it.

BlockApex
February 23, 2022
Kokomo Finance - Hack Analysis (March 27, 2023)

Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.

BlockApex
August 8, 2023
Flashbots & MEVs: A Beginner’s Guide

The unfavourable effect brought by MEVs continues to gain recognition globally, with many believing MEVs capable of providing serious risk to Ethereum’s future. Amidst this crisis, research organization Flashbots has emerged with a solution.

BlockApex
November 16, 2021
1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023