Beanstalk cryptocurrency heist: scammer votes himself all the money

Back when the Bitcoin protocol was invented, the idea was to build a simple global payment system that wasn’t (and couldn’t be) controlled by any central broker.

In other words, you wouldn’t need to apply to a private company for a credit card, or to get permission from a regulator to send cash abroad, or to risk having incoming payments confiscated by a corrupt bank or central government, or to negotiate a series of complex exchange rates determined by other people, or to wait for the companies at each end of the transaction to decide that it was time to let it go through.

You could simply and directly trade online with someone else who decided that the bicoinage you were offering was somehow worth what they were giving you in return.

For better or worse, however, cryptocurrency networks such as Bitcoin have largely devolved into investment schemes instead of payment systems.

People tend to trade in Bitcoin, as they might in stocks and shares, rather than trading with it, as they would with cash, a credit card, or (in the olden days) a chequebook.

De-Fi to the rescue

So, a new wave of cryptocurrency systems dubbed De-Fi, short for decentralised finance, has arisen to fill that transactional void.

De-Fi systems don’t just aim to provide an algorithmic basis for digital currency, but instead to provide a fully-fleged alternative to the old-school, tightly regulated world of commercial banking.

Instead of depositing your funds with a licensed and regulated bank, and then trading with those funds by choosing from a carefully curated list of transaction types, De-Fi systems let you invest your money with them, in return for access to a “smart contract” system that allows you trade automatically with other users of the system in a way to suit yourself.

In very simple terms: you write your financial contracts as a chunk of computer code, and the De-Fi system processes it to handle and disburse your income as you choose.

If you wanted, for example, you could code a smart contract that waited for a payment from X, then automatically divvied up the funds between you and two friends in the ratio 6:5:4, unless the money arrived after a certain date, in which case the ratio would be 7:6:2. (You might want to offer the third recipient an automated incentive for helping you to secure early payment.)

By using distributed ledgers known as a blockchains, a sort of community-operated bookkeeping venture where transactions are agreed and recorded by consensus, De-Fi services don’t need to be managed by a traditional organisation such as a government’s central bank or a global payment card behemoth.

What could possibly go wrong?

Unfortunately, as we’ve written on Naked Security several times before, there’s quite a lot that can go wrong when you entrust your hard-earned income to a decentralised and largely unregulated operator.

What if the De-Fi service you choose is actually just a bunch of smoke and mirrors, and the founders of the “business” intended all along simply to run off with your “investments”? What if the founders are incompetent? What if the hastily constructed websites on which the business is based are full of cybersecurity holes?

What if the underlying cryptographic protocols themselves, on which the De-Fi company’s smart contracts are based, contain exploitable loopholes?

This last problem is what seems to have sunk the De-Fi company Beanstalk over the Easter weekend, where a scammer was apparently able to pull off a transaction sequence that went something like this:

1. Propose an “emergency transaction” that included paying funds to the scammer, under the guise of donating $250,000 to a Ukraine relief appeal. (This special transaction would require a two-thirds majority vote by the community, based on the collateral held by each voter. As you’d imagine, this sort of proposal would be unlikely to get voted through by anyone except the scammy proposer, whom you wouldn’t expect be able to come up with the massive financial collateral needed to vote it through.)

2. Wait long enough for voting on the “emergency transaction” to be activated.

3a. Borrow close to $100m in cryptocurrency from elsewhere in order to achieve the supermajority necessary to outvote everyone else.
3b. Approve the “emergency transaction” using the suddenly-acquired supermajority powers, transferring everything from Beanstalk to scammer.
3c. Instantly repay the absurdly-sized loan used to take control of the voting process.

4. Push the bulk of the remaining cryptomoney through a coin-tumbling service and keep it.

Beanstalk, according to its own blog, has thereby lost about $76 million of other people’s money, just like that.

Obviously, given that hindsight gives you the benefit of 6/6 vision, the core of the the problem here is that the protocol permitted the processes listed above as 3a, 3b and 3c to be conducted as if they were a single transaction, thus allowing what the De-Fi sector refers to as a flash loan (one that’s borrowed and repaid in one go, as part of an indivisible operation) to be used to acquire momentary but total power over the cryptocurrency service.

We suspect that most readers will agree that this sidestepped the spirit, if not the letter, of the supermajority provision in the “emergency transaction” process that Beanstalk had put in place.

(Traditional banks typically use well-known protocols for “emergency” operations, such as opening vaults, that make it physically as well as technically difficult for one individual to act in place of several. Notably, these protocols are meant to make it unlikely that one person could pull off a solo megaheist without getting detected in time.)

Was it even a crime?

Nevertheless, as some observers have noted, the scammer in this case might not have broken any laws, depending on how you view legalistic phrases such as “unauthorised access”.

Beanstalk’s cryptocurrency token BEAN prided itself on being what’s known as a stablecoin, meaning that the system varied the way it rewarded buying into and cashing out of the service in order to maintain a real-world value of about $1, thus avoiding the inherent fluctuations that effectively turned Bitcoin from a trading currency into an investment service.

Sadly, despite managing quite well to maintain that stable $1 value point recently, BEAN tokens – those that are left with regular account holders, anyway – are now trading at just a few cents, according to Coingecko:

What to do?

An early reponse on social media by an alleged project spokeperson known as Publius expressed the desperation that everyone other than the scammer must have felt:

Honestly not sure what to type. We are f****d. This project has not had any venture backing, so it is highly unlikely there is any sort of bailout coming.

Beanstalk has tried the approach that seemed to work for De-Fi outfit Poly Networks last year, when a hacker made off with hundreds of millions due to a smart contract exploit: grovel politely, and ask for the money back.

The desperate Beanstalk operators sent a message via the ETHER blockchain to the scammer, whom they’ve dubbed The Exploiter, as follows:

496e207468652077616b65206f6620796573746572646179277320
61747461636b2c204265616e7374616c6b204661726d73206d616b
65732074686520666f6c6c6f77696e67206f6666657220746f2074
6865204578706c6f697465723a0a0a496620796f752077696c6c20
72657475726e20393025206f66207468652077697468647261776e
2066756e647320746f20746865204265616e7374616c6b20646570
6c6f796d656e742077616c6c657420307832314445313842364138
663738654465364431364335304131363766364232323244433038
4446372c204265616e7374616c6b2077696c6c2074726561742074
68652072656d61696e696e67203130252061732061205768697465
68617420626f756e74792070726f7065726c792070617961626c65
20746f20796f752e0a0a54686f7573616e6473206f6620696e6469
76696475616c732068617665206265656e206861726d656420616e
64207468697320697320616e206f70706f7274756e69747920746f
206d616b6520676f6f64206f6e2079657374657264617927732065
76656e74732e0a0a4265616e7374616c6b204661726d73

The message decodes as:

In the wake of yesterday's attack, Beanstalk Farms 
makes the following offer to the Exploiter:

If you will return 90% of the withdrawn funds to 
the Beanstalk deployment wallet 
0x21DE18B6A8f78eDe6D16C50A167f6B222DC08DF7, 
Beanstalk will treat the remaining 10% as a Whitehat 
bounty properly payable to you.

Thousands of individuals have been harmed and this 
is an opportunity to make good on yesterday's events.

Beanstalk Farms

Desperate times, it seems, call for desperate measures.

For all we know, the Exploiter might decide that it’s worth going for 10% of the “takings” paid in cryptocurrency wallets that the community may subsequently accept as lawfully obtained…

…or they might just decide to keep the lot, thus avoiding an apparent admission that the original heist was an “improper” payment” until it was retrospectively legitimised as a bug bounty.

Where do you stand on this heist and its response?

Was this a crime or simply a smart-but-legal trick?

Are retrospective bug bounties an acceptable last-ditch recovery tactic, or a copout?

Let us know in the comments below…