The $180+ Million Beanstalk Flash-Loan Crypto Hack, Explained
Stablecoin protocol Beanstalk Farms has fallen victim to a hack that has cost it at least $180 million. Will the dApp get the funds back?
Published April 18, 2022, 11:29 a.m. ET
A crypto hack targeted Beanstalk Farms on April 17, causing the Ethereum-based dApp (decentralized app) to lose roughly $180 million. The hacker reportedly made off with nearly half of that amount, and the Beanstalk protocol continues to investigate what went down.
For now, it’s unclear whether Beanstalk—a stablecoin protocol—will get the funds from the crypto hack back. In the meantime, it’s enlisting anyone’s help, in true decentralized spirit.
What happened in the Beanstalk crypto hack?
Ethereum-based Beanstalk Farms cryptocurrency BEAN is a USD-pegged stablecoin that operates as an ERC-20 token. Co-founded by brothers Mike and Jack Ross in 2017, the protocol uses a decentralized credit facility, governance model, and price oracle.
A hacker was able to pass through Beanstalk’s decentralized governance mechanism and make off with several types of crypto tokens (including BEAN), amounting to about $182 million. The hacker reportedly made off with $80 million of that using flash loans of Beanstalk’s native governance token, STALK, sent through decentralized lending platform Aave. By passing governance, the hacker could then take other tokens in the millions.
Beanstalk is crowdsourcing its next steps
Beanstalk Farms made it clear that it's “engaging all efforts to try to move forward.” Due to the egress of a large swath of tokens at the time of the attack, the value of USD-pegged BEAN plummeted temporarily.
About its next steps, Beanstalk says, “As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter's ability to withdraw funds via CEXes [centralized exchanges]. If the exploiter is open to a discussion, we are as well.”
The centralized exchanges Beanstalk mentions are the means through which the hacker was able to withdraw the tokens for cash. Specifically, the hacker used Tornado Cash to take out all but 15,154 ETH, or the equivalent of about $44 million, on April 18. Interestingly, the hacker sent about $250,000 in USDC to a Ukraine crypto DAO (decentralized autonomous organization).
Crypto hack hits right as Beanstalk’s popularity takes off
On April 15, Beanstalk shared that it had achieved some major milestones. Namely, Beanstalk announced $150 million in TVL (total value locked, or the total of staked assets on the protocol), $130 million in liquidity, and a $95 million market cap for its BEAN token.
That all came crashing down with the hack. According to Beanstalk Farms, there’s no resolution yet—but that doesn’t mean there won’t be.
Regardless, the Beanstalk crypto hack goes to show that even stablecoins aren't without risk. When the security of the protocol is threatened, the value of a fiat-pegged token can still go kaput. This is especially true in the case of flash-loan attacks, which have plagued crypto assets such as Pancake Bunny, xToken, and C.R.E.A.M. Protocols should always use a flash-loan-resistant measure that raises the voting percentage required to pass governance, but Beanstalk failed to do that.
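The flash-loan governance problem described above, as an added example that is not from the article or from Beanstalk's code: a toy Python ledger in which the same borrowed stake passes a vote when weight is read from live balances and fails when it is read from a snapshot taken before the proposal. Snapshotting is one flash-loan-resistant measure, chosen here as an assumption; the holder names, amounts, and two-thirds threshold are constructed.

```python
# Toy model with constructed values; not Beanstalk's contract code.
class Token:
    """Ledger that keeps each holder's balance history, keyed by block."""
    def __init__(self, balances):
        self.block = 0
        self.history = {h: [(0, b)] for h, b in balances.items()}

    def balance(self, who, at_block=None):
        """Balance at the end of at_block, or the live balance if None."""
        at = self.block if at_block is None else at_block
        bal = 0
        for blk, value in self.history.get(who, []):
            if blk > at:
                break
            bal = value
        return bal

    def transfer(self, src, dst, amount):
        if self.balance(src) < amount:
            raise ValueError("insufficient balance")
        for who, delta in ((src, -amount), (dst, amount)):
            entry = (self.block, self.balance(who) + delta)
            self.history.setdefault(who, []).append(entry)

    def supply(self, at_block=None):
        return sum(self.balance(h, at_block) for h in self.history)


def proposal_passes(token, voter, threshold, snapshot_block=None):
    """Does voter alone reach threshold of supply at the measured block?"""
    weight = token.balance(voter, snapshot_block)
    return weight >= threshold * token.supply(snapshot_block)


def simulate(use_snapshot):
    """A voter borrows and repays governance tokens within one block."""
    t = Token({"holders": 1_000, "lending_pool": 9_000})
    t.block = 10                                   # proposal is created
    snapshot = t.block - 1 if use_snapshot else None
    t.block = 11                                   # vote is executed
    t.transfer("lending_pool", "borrower", 9_000)  # flash loan in
    passed = proposal_passes(t, "borrower", 2 / 3, snapshot)
    t.transfer("borrower", "lending_pool", 9_000)  # repaid, same block
    return passed, t.balance("borrower")


if __name__ == "__main__":
    print("live balance:", simulate(False))   # weak measure
    print("snapshot    :", simulate(True))    # hardened measure
```

In both runs the borrower ends the block holding nothing; only the point at which voting weight is measured decides whether the vote passes.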