Deep Dive into High-Profile Crypto Exploits — Part I: Beanstalk Farms

Background

This attack is unique in the sense that there were no compromised keys, privilege escalation or a bug in the contract that was exploited. The attacker simply leveraged a design flaw in the governance protocol implementation and managed to accrue enough governance votes using a flash loan to achieve a majority and pass his malicious proposal.

  • Flash loan — a flash loan is a powerful DeFi tool that allows you to borrow funds (in the current attack, 1B$ were borrowed) from platforms like Aave & Compound. It is mainly used to amplify arbitrage gains. The catch is that all borrowed funds must be returned in the same transaction that they were borrowed.
  • Governance — a governance is a system for managing and implementing changes to a protocol. Users can submit proposals for changing parts of the system, such as moving funds from treasury, changing fees and more. Token holders can vote on whether or not to implement the change. This allows for a decentralized mechanism to reach an agreement on the future and growth of a protocol.
    Proposals are usually proposed by creating a smart contract that contains the proposal’s logic, and sending its address to the governance protocol.

The attack — A High-Level overview (For Dummies)

For those who are not interested in more detailed technical overview, here is an overview of the attack in layman terms:

  1. On April 16th the attacker proposed 2 malicious proposals to the Beanstalk governance protocol — The first one is meant to drain the liquidity and funds from Beanstalk, and the second one was made public and is meant to donate 250k$ to Ukraine.
    This second proposal’s code was made public and was specifically named with the ID of the first proposal, to mislead the community and hide the first, malicious, proposal.
    It is interesting to note that the attacker hid the malicious proposal’s logic until the block of the attack (more info on that can be found in the Deeper Dive section below).
  2. Almost exactly 24 hours later, on April 17th, the attacker borrowed 1 Billion USD using flash loans from Aave protocol, and purchased a large number of special BEAN protocol tokens called BEAN3CRV-f and BEANLUSD-f. These tokens can be used to vote on Governance proposals, and this is exactly what the attacker did.
  3. The attacker used the voting tokens mentioned above to call the emergencyCommit() function of the Beanstalk governance protocol to immediately approve both of his proposals.
    This was possible because using the 1B$ from the flash loan to purchase more than 70% of the voting tokens.
  4. The attacker paid the loan back with the profits from the drained liquidity, and was ultimately left with more than 23,000 ETH and more than 60,000,000 BEAN tokens
  5. Like most of the attacks, the attacker quickly moved all funds to Tornado.cash.

The attack — A Deeper Dive

Following is a more detailed chronological step-by-step analysis of the attack, including the relevant transactions and an explanation of some of the tricks the attacker used to hide his activity:

  1. The first step of the attack was deploying the contract of the public proposal to donate 250,000$ to Ukraine (which will be proposed in step 3 below)

The Attacker’s Tricks

The attacker used several methods to hide the attack in the 24 hour period he had to wait until he could execute it:

  1. The malicious contract’s proposal was never live, until the block of the attack — The attacker calculated the address the contract will have using the create2 opcode, and used it in the proposal on April 16th, even though the malicious contract was deployed only on April 17th
  2. The attacker deployed the malicious contract and executed the attack on the same block, so no one had the chance to review the code of the proposal
  3. The attacker precalculated the ID of the malicious proposal and deployed a seemingly innocent second proposal to donate to Ukraine, and named it with an incorrect ID to mislead investors and make them believe the malicious proposal was in fact the donation to Ukraine.

Mitigation

As sophisticated as the attack was, it didn’t rely on social engineering or a complex exploit.
Instead, it used a fatal flaw in the design of the Beanstalk governance protocol — the emergencyCommit function allowed any proposal to be accepted in a single transaction if an absolute majority of over 67% was reached.

Summary

As in most of the blockchain attacks, this attack could have also been avoided with a small change to the design of the protocol, or with better analytical and intrusion detection systems in place.

About Solid Group

Solid Group is a blockchain consulting and auditing service provider founded by cybersecurity experts with a great passion for the cryptocurrency world. We are known for our exceptional out of the box thinking, experience, and our credibility among the community. Throughout our work, our team was able to discover many high severity issues & vulnerabilities. We work with leading companies in the field, helping them increase their resilience through tailored services and solutions.

  • audited token generator ( Generate your own token with NO CODING KNOWLEDGE)
  • sniper bot protection tool
  • Smart contract auditing service

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Solidgroup

Solidgroup

822 Followers

We are a group 3 software developers with combined experience of over 15years in various fields such as Software design, Operating systems, and solidity.