More than $180 million worth of reserves were added to Beanstalk cryptocurrency in seconds.
The lightning-fast hostile takeover raises new questions about the unregulated nature of digital currencies and the lack of investor protection.
Describing itself as a “decentralized credit-based stablecoin protocol,” Beanstalk offers a cryptocurrency called Beans that is said to have a stable value of $1 per coin. It effectively acted as a bank, letting savers (“bean growers”) make deposits (from “beans” to a “field”) and use their savings to ensure that the value of a single bean stayed as close to $1 as possible.
Others have been encouraged to “silo” cryptocurrencies like ether to build up the stablecoin’s reserves in exchange for voting rights over the organization’s operations. On Sunday night, one such vote resulted in Beanstalk’s entire silo being transferred out of the organization at market prices, valued at approximately $182 million.
An unidentified attacker had borrowed $80 million in cryptocurrency and deposited it in the project’s silo, in exchange for enough voting rights to immediately accept any proposal. With that power, they voted to transfer the contents of the treasury to themselves, then relinquished the voting rights, withdrew their money, and repaid the loan—all in a matter of seconds.
“It’s very similar to a hostile corporate heist funded by junk bonds — except it was over in 10 seconds,” said David Gerard, the author of Attack of the 50 Foot Blockchain. “In regulated markets we have laws and regulations on how you can take over a business and run it dry, but it’s not clear that this action was illegal. Even the project acknowledges that the attacker acted under Beanstalk rules.”
Cryptocurrency expert Stephen Diehl said the attack is in a gray area. “It’s possible that someone will basically buy out all the shares in the organization. In the normal corporate world this would be illegal because it is embezzlement and self-dealing. However, with a DAO [decentralised autonomous organisation], it basically exists outside of any regulatory perimeter – so basically anything goes and the code dictates everything. Technically it’s ‘legal’ in a way, but it’s a very gray area.”
“Honestly, I’m not sure what to type,” the project’s co-founders said in a Discord message on Sunday announcing the losses. “We’re screwed. This project had no venture capital backing, so it is highly unlikely that any kind of bailout is coming.”
However, they denied the claim that the attack was technically legal because it exploited governance procedures. “As soon as we learned of the attack this morning, we contacted the FBI and notified the FBI’s Cybercrime Center of the attack,” they wrote. “We intend to work fully with the FBI to track down the perpetrators and hopefully recover anything that was stolen.”
Immediately after the attack, the value of the beans “broke the pole” and traded for well below the $1 per token that was supposed to be the stable value. On Monday, however, the stablecoin’s value hadn’t hit zero, hovering around $0.12, as some traders voluntarily bought beans, betting that a bailout would arrive to rebuild the project’s treasury and restore ties.