How to avoid a Beanstalk like ‘flash’ attack: An expert’s advice
Beanstalk Farms, an Ethereum-based stablecoin protocol, was exploited for US$182 million last Sunday. The attackers were able to gain US$80 million worth of cryptocurrency, which they laundered through the coin mixing tool Tornado Cash, which lets users send and receive crypto while obscuring its source.
“This attack was initiated by an actor who submitted a treacherous improvement proposal to the protocol posing as a relief gateway for Ukraine. The major problem here was with a review of BIP 18/19 that wasn’t critical enough and therefore allowed the attacker to exploit the protocol,” he says.
The major problem here was with a review of BIP 18/19 that wasn’t critical enough and therefore allowed the attacker to exploit the protocol
“Doing code audits is essential. Conducting a single audit on release is a good way to show you’re a legitimate project. However, it’s consistent auditing — especially when adding new code — that helps keep a project secure,” he further explains.
According to CoinDesk, the attacker got a flash loan on lending platform Aave, which was used to hoard a substantial amount of Beanstalk’s native governance token, stalk. Leveraging the voting power given by these stalk tokens, the attacker then lost no time in passing a malicious governance proposal that drained all protocol funds into a private Ethereum wallet.
“Smart contract and flash loan attacks can be prevented by staying abreast with threats and reviewing how new code will affect the protocol as a whole,” he says.
The blockchain security firm Omnicia audited Beanstalk’s smart contracts. But, the audit was done prior to the flash loan vulnerability occurrence, Beanstalk revealed after a Sunday post-mortem.
Smart contract and flash loan attacks can be prevented by staying abreast with threats and reviewing how new code will affect the protocol as a whole
“DAO governance is currently trending in the DeFi. While it is a necessary step in the decentralization process, it should be done gradually and with all the possible risks carefully weighted. Developers and administrators should be aware of new points of failure that can be created by developers or DAO members intentionally or by accident. This means that a scheduled review process could act as an important preventative measure.”
A decentralized autonomous organization (DAO) is an organization that runs fully and autonomously on a blockchain protocol according to rules encoded through smart contracts. By bypassing the need for human intervention or centralized coordination, DAOs are frequently called “trustless” systems.