The Beanstalk cryptocurrency has been stripped of reserves valued at more than $180m (£138m) in seconds, after an attacker used borrowed money to snap up enough voting rights to transfer the money away.
The lightning hostile takeover raises fresh questions about the unregulated nature of digital currencies and the lack of protections for investors.
Describing itself as a “decentralized credit based stablecoin protocol”, Beanstalk offers a cryptocurrency, called beans, intended to have a stable value of $1 a coin. It effectively operated as a bank, letting savers (“bean farmers”) make deposits (or “beans” into a “field”), and using their savings to ensure that the value of a single bean stayed as close to $1 as possible.
Others were encouraged to deposit cryptocurrencies such as ether into a “silo” to build up the stablecoin’s reserves in exchange for voting rights over the operation of the organisation. On Sunday night, one such vote resulted in Beanstalk’s entire silo, worth around $182m at market rates, being transferred out of the organisation.
A still-unidentified attacker had borrowed $80m in cryptocurrency and deposited it in the project’s silo, gaining enough voting rights in exchange to be able to pass any proposal instantly. With that power, they voted to transfer the contents of the treasury to themselves, then returned the voting rights, withdrew their money, and repaid the loan – all in a matter of seconds.
“It’s very like a hostile corporate raid funded by junk bonds – except it was over in 10 seconds,” said David Gerard, the author of Attack of the 50 Foot Blockchain. “In regulated markets, we have laws and regulations on how you can take over a company and drain it, but it’s not clear that this action was illegal. Even the project concedes that the raider acted according to the rules that Beanstalk set out.”
Stephen Diehl, a cryptocurrency expert, said the attack was in a gray area. “It’s possible for someone to basically buy up all the shares in the organisation. In the normal corporate world this would be illegal because it’s embezzlement and self-dealing. However, with a DAO [decentralised autonomous organisation], it basically exists outside of any regulatory perimeter – so basically anything goes and the code dictates everything. It’s technically ‘legal’ in some sense, but it’s a very gray area.”
“Honestly not sure what to type,” the project’s co-founders said on Sunday in a Discord message announcing the losses. “We’re fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bailout coming.”
However, they disputed the claim that, because the attack exploited governance procedures, it was technically legal. “Earlier this morning, as soon as we learned of the attack, we contacted the FBI and informed the FBI’s internet crime center of the attack,” they wrote. “We intend to fully cooperate with the FBI to track down the perpetrators, and hopefully recover everything that was stolen.”
Immediately following the attack, the value of beans “broke the peg”, trading for significantly less than the $1 a token that was supposed to be the stable value. However, on Monday the stablecoin’s value had not hit zero and was around $0.12, since some traders were voluntarily buying beans, betting that some rescue package would arrive to rebuild the project’s treasury and restore the peg.