Beanstalk crypto project hack restarts debate on mixer protocols

Beanstalk, a stablecoin based on the Ethereum blockchain, was hacked, and the project token has since lost almost all of its value. The hacker went through a cryptomixer, protocols that the authorities want to regulate.

$ 182 million: this is the sum that the Beanstalk project lost in a few moments on Sunday, April 17th. Beanstalk, a credit protocol backed by a dollar-peged stablecoin and running on the Ethereum blockchain, has been hacked. The hacker managed to run away with over $ 80 million, but he also emptied the project completely.

Hacks and thefts of DeFi (decentralized finance) projects have become commonplace in the cryptocurrency world. Several major robberies have taken place since the beginning of 2022, including the $ 540 million hack of the Ronin platform. By comparison, the losses that Beanstalk has suffered are therefore not very large: it is “only” $ 182 million lost. But how did the hackers go about it, reviving an important debate in the crypto world: transparency or privacy?

A “democratic” hack

That’s the business PeckShieldspecializing in blockchain security, who noticed the hack first, and who managed to explain how the hacker had been successful with his attack.

The hack was made possible thanks to one of the special features of the Beanstalk project, which enabled users to get credit: The purchase of Stalk, the project token, gave access to decision-making powers. The hacker first used Aave, a protocol for instant cryptocurrency lending, to buy large quantities of Stalk. When the hacker was equipped with all his tokens, he submitted a BIP (“ proposals for improving the blockchain ”), Or a proposal to improve the management of the project.

However, the submitted GDP was not intended to contribute to the project: the proposal was intended to transfer funds from Beanstalk to the hacker’s wallet. All Beanstalk users can vote on BIPs, which usually allows for a more democratic way of running the protocol. Only when the hacker had bought a large quantity of Stalk was the latter very easily able to vote on his own project and get it accepted. Beanstalk actually had a major security issue: no security protocol controlled how many people owned the stalks, allowing the hacker to carry out his theft without hindrance.

The hacker kept more than $ 80 million for himself, drained the project’s liquidity reserves and also donated, according to PeckShield, $ 250,000 to Ukraine with Beanstalk funds. Since the announcement of the hack, the value of the project has literally dropped from $ 1 to $ 0.17, according to CoinGecko. The creators of the project acknowledged the major security flaw in Beanstalk, which they said they put on hold, but did not say whether users would be able to get their money back.

Beanstalk crypto project hack restarts debate on mixer protocols
Hacks for crypto projects are very common // Source: Shubham Dhage / Unsplash

Are mixers good for cryptocurrencies?

But the hacker could not just transfer the stolen money to his wallet and disappear. Transactions on the Ethereum blockchain are all transparent, so money transfers are easy to track. But to make it impossible to track him down, the hacker not only sent the money to his personal address: he first went through a ” blender “Tornado Cash.

Mixers are services used to ensure the anonymity of Ethereum transactions and they are popular. The mixers work in ” mix” the transactions that customers want to make with other people, making the money untraceable with blockchain analysis tools.

If they are not illegal, mixers are very badly seen by the banking authorities because these services are often used to launder money or serve as a gateway for hackers. NCA, National Crime Agency UK, has also called for the regulation of mixer services on 15 March 2022 to put an end to money laundering. But mixers are also used regularly by regular users who want to protect their privacy – a very important value within the crypto community.

In the case of Tornado Cash, the mixer had announced on April 15, two days before the hack, that it was now banning transactions for wallets, sanctioned for fraud by Ofac, the US Treasury Department’s control office. The announcement did not prevent the hack – and clearly shows the limits of such a message. Above all, in the community, the announcement of Tornado Cash had not gone unnoticed and had raised some criticism. The beanstalk hack will certainly not back fans of discretion, but it will certainly strengthen the authorities’ motivation to regulate.

Leave a Comment