Beanstalk Farms protocol lost $180 million in exploit

Beanstalk Farms had been gaining a lot of traction, but today it lost a whopping 180 million dollars, and the hacker got away with $76 million. All funds stored in the Beanstalk Farms smart contract have been emptied.


If you ask us, this BEAN hack really comes down to a bad smart contract design choice. Any system that operates over assets that can be flash-loaned should consider some form of timelock.

The hack includes 36 million BEAN tokens ($36M), $33M in Ethereum, $79.2M in Bean3Crv-V Curve LP and $1.6M from the BEAN-LUSD pair. The hacker funded his exploit through the Synapse protocol bridge and then created the BIP-18 proposal to donate 250k BEAN to Ukraine.

After that, he used a flash loan to get 350M DAI, 500M USDC, and 150M USDT from Aave; 32M BEAN from Uniswap v2 and 11.6M LUSD from SushiSwap.

Keep in mind that these tokens were used to add liquidity to Curve pools with BEAN for the governance vote. After that, the hacker deployed and voted for a fake BIP-18 that moved all funds from the protocol contract to the exploiter. Then he removed the liquidity and repaid the flash loans. Finally, he converted all received funds into 24.8k WETH ($76M), which went to Tornado Cash to stay anonymous.
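The timelock recommendation above can be seen in a toy model of stake-weighted voting. This is an added example, not Beanstalk's code: the class, holder names, stake amounts and the two-thirds threshold are all constructed assumptions, and the timelock is modeled as a minimum age a deposit must reach before it carries voting power.

```python
from dataclasses import dataclass, field

@dataclass
class Governance:
    """Toy stake-weighted governance (constructed model, not a real contract)."""
    lock_blocks: int                               # blocks a deposit must age before it can vote
    block: int = 0
    deposits: list = field(default_factory=list)   # (holder, amount, block deposited)

    def deposit(self, holder, amount):
        self.deposits.append((holder, amount, self.block))

    def total_stake(self):
        return sum(amount for _, amount, _ in self.deposits)

    def voting_power(self, holder):
        # Only stake older than the lock period counts toward a vote.
        return sum(amount for h, amount, at in self.deposits
                   if h == holder and self.block - at >= self.lock_blocks)

    def passes(self, voters):
        # Assumed rule: a proposal needs two thirds of all stake (integer math).
        power = sum(self.voting_power(v) for v in voters)
        return 3 * power >= 2 * self.total_stake()

def borrowed_stake_vote_passes(lock_blocks):
    """Stake deposited and voted in the same block, as flash-loaned funds must be."""
    gov = Governance(lock_blocks)
    gov.deposit("long_term_holders", 100)   # constructed amounts
    gov.block += 10
    gov.deposit("borrower", 900)            # must be repaid before the block ends
    return gov.passes(["borrower"])

def aged_stake_vote_passes(lock_blocks):
    """Stake held for ten blocks keeps its voting power under the lock."""
    gov = Governance(lock_blocks)
    gov.deposit("long_term_holders", 100)
    gov.block += 10
    return gov.passes(["long_term_holders"])

if __name__ == "__main__":
    print("no lock, borrowed stake passes:", borrowed_stake_vote_passes(0))
    print("1-block lock, borrowed stake passes:", borrowed_stake_vote_passes(1))
    print("1-block lock, aged stake passes:", aged_stake_vote_passes(1))
```

Because a flash loan has to be repaid within the transaction that borrowed it, even a one-block lock removes its voting power in this model while leaving existing holders unaffected.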

Hackers often use Tornado Cash to get clean Ethereum in order to avoid getting caught by centralized cryptocurrency exchanges.