Beanstalk Farms protocol lost $180 million in exploit

Beanstalk Farms had been gaining a lot of traction but today, it lost a whopping 180 million dollars and hacker got out with $76 million. All funds stored in smart contract of Beanstalk Farms have been emptied.

If you ask us, this BEAN hack is really a bad SC design choice. Any system which operates over assets which can be flash-loaned should consider some form of timelock.

This hack includes 36 million BEAN tokens ($36M), $33M in Ethereum, $79.2M Bean3Crv-V Curve LP and $1.6M from BEAN-LUSD pair. Hacker funded his exploit with Synapse protocol bridge and then he created the BIP-18 proposal to donate 250k BEAN to Ukraine.

After that, he used a flash loan to get 350M DAI, 500M USDC, and 150M USDT from Aave; 32M BEAN from Uniswap v2 and 11.6M LUSD from SushiSwap.

Keep in mind that these tokens were used to add liquidity to Curve pools with BEAN for the governance voting. After that, hacker deployed and voted for a fake BIP-18 that moved all funds from the protocol contract to the exploiter. Then, he removed liquidity and repaid flash loans. Then, he converted all received funds into 24.8k WETH ($76M), which went to Tornado Cash to stay anonymous.

Exploiter borrowed funds, swap funds for Beanstalk governance token. Vote on BIP-18 to pass their exploit contract that drained the TVL. Exploiter empty the pool, and repay their loans. Left with 70M+, swap to ETH and Tornado’d it away.

All in one block…

— zerohash.x 🕊 (@xdxp) April 18, 2022

Hackers often use Tornado Cash to get clean ethereum in order to prevent getting caught by centralized cryptocurrency exchanges.