Yet Another Cryptocurrency Vulnerability
As recently as two weeks ago, we discussed the hack of the Ronin bridge in which hackers, suspected to be the notorious Lazarus Group based in North Korea, made away with over half a billion dollars worth of assets. Now, in the next edition of blockchain exploits, we discuss the Beanstalk Protocol and the flash loan hack, which resulted in renewed criticism of the safety measures employed by blockchain protocols.
The Ethereum-based stablecoin protocol lost $80 million worth of cryptocurrency, with total losses exceeding $180 million. The result is a broken $1 peg, with the stablecoin value tumbling over 80%. Before discussing the potential implications of this hack, it is crucial to understand how it took place. The hacker was able to exploit vulnerabilities in the ecosystem through flash loans.
What is a flash loan, you might ask?
A flash loan is a new uncollateralized loan popular in the Defi space for arbitrage investing and fast-paced trading. Although innovative, flash loans have opened the door for exploiting vulnerable Defi protocols, resulting in significant consumer losses. Flash loans utilize smart contracts, ensuring the amount loaned out is paid back in the same transaction; this is how they can offer these uncollateralized loans. Smart contracts guarantee the money is returned right away; it is an instantaneous transaction where the lender loans out and recovers the loan in seconds.
Utilizing these flash loans obtained through the lending platform Aave, the hacker acquired large amounts of the native governance token named Stalk. The hacker accumulated voting power in the ecosystem and used this newfound power to propose and pass governance legislation that allowed them to drain the protocol of its funds and transfer said funds into a different wallet address. According to a statement made by the Beanstalk team in its discord server, they were not using flash loan resistant measures to protect against this sort of attack. The protocol had not introduced measures that protected against this sort of attack, such as legislation requiring 67% of governance tokens to agree to a proposition into the ecosystem. The hacker borrowed enough funds to accumulate approximately a third of the governance tokens to propose and pass emergency legislation.
In a world where many decentralised protocols have considerable VC funding, ecosystems like Beanstalk are particularly vulnerable as they lack the backing to pay back customers. A few days before the hack, Beanstalk had $130 million in liquidity and celebrated $150 million of total value locked. Therefore, the hacker was able to steal the majority of assets in the ecosystem.
In a slightly ironic and humorous twist, it seems the hackers had some sense of a moral compass. They donated $250,000 of stolen funds to a wallet described as a Ukrainian relief fund.
On a more serious note, admins of the Discord server claim that, as a company, they do not have the means to bail out customers and have yet to figure out how to move forward. The lack of potential next steps is a worrying sign. In the new distributed economy, safety protocols are of utmost importance. Without centralized entities responsible for protecting ecosystems, protocols need to ensure ultimate protection mechanisms. Otherwise, hacks similar to this one or the Ronin Bridge hack will continue to occur and consumers will remain unprotected.
–
Aman Deol
NES.TECH