Crypto project Beanstalk hack reignites debate over mixer protocols


Beanstalk, a stablecoin project based on the Ethereum blockchain, was hacked, and the project's token has since lost almost all of its value. The hacker routed the stolen funds through a crypto mixer, one of the protocols that authorities want to regulate.

182 million dollars: that is the sum the Beanstalk project lost in a few moments on Sunday, April 17. Beanstalk, a credit protocol backed by a dollar-pegged stablecoin and running on the Ethereum blockchain, was hacked. The hacker walked away with over $80 million and also completely emptied the project's coffers.

Hacks and thefts of DeFi (decentralized finance) projects have become common occurrences in the cryptocurrency world. Several major heists have taken place since the beginning of 2022, including the $540 million hack of the Ronin platform. In comparison, the losses suffered by Beanstalk are not that high: “only” 182 million dollars were lost. But how the hacker went about it is reigniting an important debate in the crypto world: transparency or privacy?

A “democratic” hack

It was PeckShield, a firm specializing in blockchain security, that first noticed the hack and managed to explain how the hacker had succeeded in his attack.

The hack was made possible by one of the peculiarities of the Beanstalk project, which allowed users to obtain credit: purchasing Stalk, the project's token, gave access to decision-making powers. The hacker first used Aave, an instant cryptocurrency lending protocol, to purchase large amounts of Stalk. Once equipped with all of these tokens, the hacker submitted a BIP (“blockchain improvement proposal”), a proposal to improve the governance of the project.

However, the BIP submitted was not intended to contribute to the project: the proposal was designed to transfer funds from Beanstalk to the hacker's wallet. All Beanstalk users can vote on BIPs, which usually allows for a more democratic way of running the protocol. But since the hacker had bought a large quantity of Stalk, he was very easily able to vote for his own proposal and have it accepted. Beanstalk had a serious security problem: no safeguard checked how the Stalk tokens were actually distributed among holders, which allowed the hacker to carry out his theft without hindrance.
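The governance weakness described above can be illustrated with a toy model. The code below is an added example constructed for this article, not Beanstalk's or PeckShield's code; the balances, quorum and proposal name are invented. It compares counting votes by a voter's live balance with the usual mitigations, a balance snapshot taken at the block before the proposal and a voting delay, and shows that tokens borrowed and repaid within a single block carry no weight under the hardened policy.

```python
from dataclasses import dataclass, field


@dataclass
class Governance:
    """Toy token-weighted governance (constructed model, not Beanstalk's code)."""
    policy: str          # "live": weight = balance now; "snapshot": weight = balance at proposal block - 1
    voting_delay: int    # blocks a proposal must wait before votes are accepted
    balances: dict = field(default_factory=dict)   # address -> governance tokens
    history: dict = field(default_factory=dict)    # block height -> balances at end of that block
    block: int = 0
    proposals: dict = field(default_factory=dict)

    def mine_block(self):
        self.history[self.block] = dict(self.balances)   # close the block, record balances
        self.block += 1

    def propose(self, pid):
        self.proposals[pid] = {"block": self.block, "for": 0}

    def voting_power(self, voter, pid):
        if self.policy == "live":
            return self.balances.get(voter, 0)
        # Snapshot policy: use balances recorded before the proposal existed,
        # so tokens acquired in the proposing transaction carry no weight.
        snap = self.history.get(self.proposals[pid]["block"] - 1, {})
        return snap.get(voter, 0)

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if self.block < p["block"] + self.voting_delay:
            raise ValueError("voting window not open")
        p["for"] += self.voting_power(voter, pid)

    def passes(self, pid, quorum):
        return self.proposals[pid]["for"] >= quorum


def flash_loan_vote(policy, voting_delay, quorum=800):
    """Simulate a same-block borrow -> propose -> vote -> repay sequence; True if it reaches quorum."""
    gov = Governance(policy, voting_delay, balances={"alice": 600, "bob": 400})
    gov.mine_block()                    # block 0 closes with only the honest holders
    gov.balances["attacker"] = 5000     # flash-loaned tokens, held for this block only
    gov.propose("bip-x")
    try:
        gov.vote("bip-x", "attacker")
    except ValueError:
        return False                    # vote rejected; the loan must still be repaid this block
    gov.balances["attacker"] = 0        # repay the loan inside the same block
    return gov.passes("bip-x", quorum)
```

Under the live-balance policy with no delay the borrowed tokens pass the proposal; under the snapshot policy, or with any voting delay, the same sequence fails.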

The hacker kept more than $80 million for himself, drained the project's cash reserves, and also, according to PeckShield, donated $250,000 to Ukraine with Beanstalk funds. Since the announcement of the hack, the value of the project's token has literally plummeted from $1 to $0.17, according to CoinGecko. The project's creators acknowledged the major security flaw in Beanstalk, which they said they were pausing, but did not say whether users would be able to get their money back.

Crypto project hacks are very common // Source: Shubham Dhage / Unsplash

Are mixers good for cryptocurrencies?

But the hacker could not just transfer the stolen funds to his wallet and disappear. Transactions on the Ethereum blockchain are all transparent, so money transfers are easy to track. To make himself impossible to trace, the hacker did not simply send the funds to his personal address: he first routed them through a “mixer”, Tornado Cash.

Mixers are services used to ensure the anonymity of Ethereum transactions, and they are popular. Mixers work by “mixing” the transactions their customers want to make with those of other people, making the money untraceable by blockchain analytics tools.

While they are not illegal, mixers are very frowned upon by the banking authorities, because these services are often used to launder money or to serve as an exit door for hackers. The NCA, the UK's National Crime Agency, also called for the regulation of mixer services on March 15, 2022, in order to put an end to money laundering. But mixers are also regularly used by ordinary users who want to protect their privacy, a very important value within the crypto community.

In the case of Tornado Cash, the mixer had announced on April 15, two days before the hack, that it was now blocking transactions to wallets sanctioned for fraud by OFAC, the US Treasury's sanctions office. The announcement did not prevent the hack, which clearly shows the limits of such an announcement. Above all, within the community, Tornado Cash's announcement had not gone unnoticed and had drawn some criticism. The Beanstalk hack will certainly not deter fans of discretion, but it will certainly strengthen the authorities' motivation to regulate.
