Decentralized Finance (DeFi) promised to revolutionize finance. Before that revolution occurs, however, it will have to contend with its own leaky ship. While the amount of money locked in DeFi smart contracts has swollen to $75.87 billion, a series of hacks since last July have also exposed vulnerabilities in its algorithms.
The latest DeFi hack occurred yesterday, barely a month after another one that involved theft of $620 million worth of cryptocurrencies. This time around, the hacker made away with $182 million worth of various cryptocurrencies from Beanstalk, an algorithmic stablecoin protocol with a native cryptocurrency whose value is indirectly pegged to that of USDC – the world’s second-most popular stablecoin. Beanstalk was launched last August and its creators remained anonymous. Bloomberg writes they disclosed their identities on a Discord server after the hack attack.
A Hack with Flash Loans and Governance
The hack involved flash loans or DeFi loans in which the borrower does not need to put up a collateral. Crypto traders often use such loans for arbitrage opportunities. The hacker used a flash loan from Aave, a lending platform, to build up a commanding position in Beanstalk’s governance token – Stalk. Thereafter, they rammed through a fake protocol improvement proposal to gift ether – Ethereum’s native cryptocurrency – to a private wallet.
Coindesk reports that Beanstalk has acknowledged to not using a ‘flash loan resistant measure’ that enabled the protocol to assess and count the number of stakeholders voting in favor of the governance proposal. “This was the fault that allowed the hacker to exploit Beanstalk,” the project’s leads wrote in a blog.
The hacker donated $250,000 to a private wallet raising donations for Ukraine before funneling $80 million to Tornado Cash, a mixing service that obfuscates addresses. The protocol’s creators have not disclosed whether they intend to reimburse investors or if they know the hacker’s wallet addresses.
Since last July, different parts of the DeFi infrastructure have been targeted by hackers. While the latest attack targeted an algorithmic stablecoin protocol, others have targeted bridges and mixers. The common element among the recent spate of attacks is that they shine a spotlight on flaws – technical, design, and governance – in DeFi infrastructure.
Hackers have exploited smart contract code to rob interconnected systems of millions of dollars. But, even after audits, the code remains susceptible to criminal elements. The chain of responsibility in these emerging DeFi systems also remains unclear. After a crypto bridge to Solana – a layer 1 solution off of Ethereum that promises speedy transaction times – was hacked earlier this year, the bridge’s backers told Bloomberg that they were not “liable for anything” after the hack. [The firm still went ahead and reimbursed investors to the tune of $325 million].
Meanwhile it is unclear if gaming platform Axie Infinity, which raised $150 million from venture capital firms to reimburse users affected by a hack on its platform, was obligated to do so. The hacks also detail the problems in governance in such platforms. Proof of Stake (PoS) mining was supposed to be an energy-efficient alternative to the energy-intensive Proof of Work mining system. But it presents problems from a governance perspective.
The Beanstalk hacker was able to pass through a fake proposal because they had accumulated governance tokens using a flash loan. Another blockchain – Polygon – that uses PoS does not have on-chain governance mechanisms. This means that there is no way to dispute an invalid transaction on its network, meaning it is not immediately possible to catch or stop a fraudulent transaction on its network. Polygon has roughly $5.6 billion worth of valued locked in its bridges.