BeanstalkFarms attack event analysis

0x01 event background

Published in

Coinmonks

7 min readApr 19, 2022

BeanstalkFarms, a credit-based decentralized StableCoin protocol, lost about $182 million in protocol losses as a result of the flash loans attack

Beanstalk Introduction

A decentralized credit-based stablecoin protocol.Decentralized computer networks that run on open source, permissionless protocols (e.g., Bitcoin4 and Ethereum) present the next economic and technological frontiers: trustless goods and services.

Beanstalk relies on 3 interconnected parts:

A decentralized price oracle,
The Silo, a decentralized governance mechanism, and
The Field, a decentralized credit facility.

Beanstalk issues 3 ERC-20 Standard tokens:

Beans, the Beanstalk stablecoin,
Stalk, a yield generating governance token, and
Seeds, which yield 1/10000 Stalk every Season.

Beanstalk relies on 3 interconnected parts:

A decentralized price oracle,
The Silo, a decentralized governance mechanism, and
The Field, a decentralized credit facility.

1. Decentralized Price Oracle

Beanstalk uses 2 Uniswap liquidity pools — USDC:ETH and BEAN:ETH — to create a decentralized price oracle. When the ratios of the two pools are identical, the price of 1 Bean is considered equal to $1.

Beanstalk calculates a Time Weighted Average Price (TWAP) for 1 Bean over each Season.

2. The Silo: a Decentralized Governance Mechanism

Beanstalk uses the Silo, the Beanstalk Decentralized Autonomous Organization, to create a robust decentralized governance mechanism.

0x02 Attacker information

The attack occurred on the Ethereum chain, and the main attack information is as follows:

• Attacker’s wallet address

0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4

• Main attack transaction

0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7

• Attacker-created contract

The main attack logic contract：0x79224bc0bf70ec34f0ef56ed8251619499a59def

0x728ad672409da288ca5b9aa85d1a55b803ba97d7

0xe5ecf73603d98a0128f05ed30506ac7a663dbb69

0x259a2795624b8a17bc7eb312a94504ad0f615d1e

• GovernanceFacet contract

0xf480ee81a54e21be47aa02d0f9e29985bc7667c4

0x03 Attack Analysis

before attacking the transaction

The analysis of the transactions of the attacker’s contract address found that the day before the main attack transaction 0xcd3146 occurred, the attacker exchanged 73 eth for BEAN through the Uniswap decentralized exchange, and then deposited the BEAN funds into the Beanstalk contract (in order to obtain proposals right)

Then the 0x259a2795624b8a17bc7eb312a94504ad0f615d1e contract was created, which is defined here as the proposal contract.

And then the attacker called the 0x956afd68 method twice in a row, which is the proposal method：propose((address,uint8,bytes4[])[],address,bytes,uint8)，and uses the contract just created ( 0x259a279 ) and an unknown proposal contract ( 0xe5ecf73603d98a0128f05ed30506ac7a663dbb69 ) as parameters,

Through the analysis of the project, it is known that if the proposal is passed, the content specified in the proposal contract will be executed immediately
Continuing to analyze the transaction, it is found that at the same time as the attack transaction, the attacker created the proposal contract through the 0x677660ce4 transaction （0xe5ecf73603d98a0128f05ed30506ac7a663dbb69 )

Continue to analyze major attack transactions：0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7

Attack Transaction Details

Attacker flash loan

The attacker obtained a large amount of funds from Aave, Uniswap V2, and SushiSwap respectively through flash loans as preparations for subsequent attacks. As can be seen from the figure below, the total flash loan amount of the attacker: 350,000,000 DAI, 500,000,000 USDC, 150,000,000 USDT, 32,100,950 BEAN and 11,643,065 LUSD.

Attackers switch flash loan funds

The attacker exchanged DAI, USDC and USDT funds in the above funds into 979,691,328 3Crv liquidity tokens in Curve.fi: DAI/USDC/USDT Pool, and exchanged 15,000,000 3Crv for 15,251,318 LUSD

Next, the attacker exchanged 964,691,328 3Crv tokens for 795,425,740 BEAN3CRV-f for voting, adding 32,100,950 BEAN and 26,894,383 LUSD to liquidity to get 58,924,887 BEANLUSD-f liquidity tokens.

Attacker votes on malicious proposal and withdraws money

The attacker will exchange the BEAN3CRV-f and BEANLUSD-f to vote on the proposal, resulting in the proposal being passed. As a result, Beanstalk Protocol contract transferred a large number of Tokens to the attack contract.

Attacker converts funds and repays flash loan

The attacker exchanged all BEAN3CRV-f obtained for 1,007,734,729 3Crv and all BEANLUSD-f for 28,149,504 LUSD.

Attackers return flash loans in SushiSwap and Uniswap V2

The attackers exchanged 16,471,404 LUSD for 16,184,690 3Crv. Subsequently, 511,959,710 3Crv were exchanged for 522,487,380 USDC, 358,371,797 3Crv were exchanged for 365,758,059 DAI, and 153,587,913 3Crv were exchanged for 156,732,232 USDT

Attacker repays Aave flash loan

Attacker transfers profitable funds

Attacker got 10,883 WETH and 32,511,085 BEAN after destroying UNI-V2 LP

The attackers donated 250,000 USDC worth about $250,000 to the Ukrainian cryptocurrency.

The attacker converted the profited cryptocurrency into 13,947 WETH and transferred it to the attacker’s contract. In the end, the attacker obtained a total of 24,820 WETH, worth about $72.08 million.

0x04 Vulnerability Details

By analyzing the attack process, it is found that the attacker has obviously performed the key operation of voting governance and succeeded in making a profit. Here, the governance contract GovernanceFacet is directly analyzed.

The attacker initiates a proposal through the GovernanceFacet contract propose method, generates the proposal id, and judges whether the attacker is qualified to initiate a proposal and the conditions for judging the number of proposals. Since the attacker has pledged funds through the previous operation, so If this condition is met, the proposal can be initiated normally.
Continue to see how the attacker meets the voting conditions for the proposal to pass:

In the contract, the vote method is usually used to vote for proposals. Here, the recordVote method is called to record the votes. The votes are calculated by the balanceOfRoots(account) method, which is the user’s fund address, and the attacker obtains the voteable Token through the flash loan fund exchange.so the attacker can take advantage of a large number of voting rights to make his proposal pass.
But why can the attacker transfer the funds directly after voting? Does the contract have no proposal time limit?
Moving on to another method of the GovernanceFacet contract, emergencyCommit submits proposals urgently.

It is clear from the contract code that the return time of the getGovernanceEmergencyPeriod() method is 1 day, which means that in the emergencyCommit method, as long as the proposal time is greater than one day, the method can be successfully called. Since the attacker has voted for malicious proposals through flash loan funds, So here emergencyCommit can be successfully executed and minted.

0x05 Summarize

Judging from this attack, the security risk is in the contract logic of on-chain governance-related functions. Since the number of user votes is determined based on the balance held by the user, and no time lock is added to the voteable funds, the attack results in an attack. The user initiates a malicious proposal and uses the flash loan to obtain a large amount of funds for voting, resulting in the final malicious proposal taking effect and the funds of the official project contract being transferred.

0x06 Security advice

It is recommended to strictly review the contract risks before the project is launched.
It is recommended to add time locks to important functions related to on-chain governance, proposal release, and proposal execution. If malicious proposals appear, they can also be buffered; avoid using the current fund balance of the account to count the number of votes, avoid repeated voting, and vote through flash loan borrowing;
The project party and the community should pay close attention to all proposals. If there is a malicious proposal, it is suggested that it should be prohibited from accepting voting and executing it during the proposal voting period;

ref:

Introducing Beanstalk

A Decentralized Credit Based Stablecoin Protocol

medium.com

Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing