On April 17th, the decentralized finance (DeFi) project Beanstalk Farms was exploited for $182 million after an attacker mounted a lightning-fast hostile takeover, buying a controlling stake of tokens and immediately voting to send themself all of the funds.
The incident sparked discussion around “governance attacks,” a way of manipulating blockchain projects that use decentralized governance structures by gaining enough voting rights to reshape the rules.
In the wake of the attack, chat logs and video evidence show that the founders were warned about the risk of exactly this kind of attack, but they dismissed community members’ concerns.
The Beanstalk exploit was made possible by another DeFi mechanism known as a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time. In the case of the recent hack, the attacker borrowed close to $1 billion in cryptocurrency assets through a service called Aave, exchanged them for a 67 percent share in the Beanstalk project, voted through their own proposal to withdraw the entire treasury, and returned the borrowed funds — all in less than 13 seconds.
Though the attack shocked Beanstalk users — some of whom claimed to have lost six-figure sums of money — the threat of a governance attack was raised in Beanstalk’s Discord server months previously and in at least one public AMA session held by Publius, the development team behind the project.
On February 12th, in a discussion room centered around a proposal to accept more kinds of cryptocurrency tokens in the “Silo” (Beanstalk’s central fund reserve), a user with the screenname Mr Mochi wrote:
Because of governance attacks, bribes and voter manipulation, governance doesn’t always go as it should. Is this a risk we are willing to take or will there also be an Emergency DAO (like Curve’s) who can block potential attacks?
Later they added:
There’s absolutely ways to mitigate some of this concern in an elegant manner ... As far as I can tell, the current rule-set does not account for flash loan governance attacks or rugpull tokens.
Replying to the comment, a Publius admin account wrote that such manipulation was “not a concern in any capacity until Stalk [governance token] is liquid.”
A concern about flash loans was also raised in an AMA-style session hosted by Publius on April 12th, a video of which is available on YouTube. Around 6 minutes into the video, a participant asks via chat: “Can the team go into ... why the protocol isn’t susceptible to flash loan type attacks?”
In response, a member of Publius discusses protections against price manipulation via flash loans but doesn’t address the possibility of flash loan-driven governance attacks.
With Beanstalk’s assets entirely depleted by the attack, the project has launched a 10-day fundraiser to try to replenish the lost funds. Without the benefit of VC funding, the company lacks the kind of deep pockets that have helped other hacked protocols backstop even bigger losses. But with the fate of the company hanging in the balance, the success of the fundraiser will depend largely on the community’s trust in the founding team to not make similar mistakes again.
Reached via Discord, Publius had not responded to a request for comment by time of publication.
Source: https://www.theverge.com/2022/4/22/23037325/beanstalk-dismissed-governance-attacks-lost-182-million