On April 17, decentralized finance (DeFi) project Beanstalk Farms was drained of $182 million after an attacker staged a lightning-fast hostile takeover, buying a majority stake of tokens and voting immediately to send themselves all the funds.
The incident sparked a discussion of “governance attacks,” a way to manipulate blockchain projects that use decentralized governance structures by gaining enough voting rights to reform the rules.
In the aftermath of the attack, chat logs and video evidence show that the founders were warned about the risk of exactly this type of attack, but dismissed community members’ concerns.
The Beanstalk exploit was made possible by another DeFi mechanism known as “flash lending,” which allows users to borrow large amounts of cryptocurrency for very short periods of time. In the case of the recent hack, the attacker borrowed close to $1 billion in cryptocurrency assets through a service called Aave, exchanged them for a 67 percent stake in the Beanstalk project, voted through his own proposal to withdraw all of the treasury, and repaid the borrowed funds, all in less than 13 seconds.
Although the attack surprised Beanstalk users, some of whom claimed to have lost six-figure sums of money, the threat of a governance attack was raised on Beanstalk’s Discord server months before and in at least one public AMA session held by Publius, the development team behind the project.
On Feb. 12, in a discussion room focused on a proposal to accept more types of cryptocurrency tokens in the “Silo” (Beanstalk’s central fund pool), a user with the screen name Mr. Mochi wrote:
Due to attacks on governance, bribery and voter manipulation, governance does not always work as it should. Is this a risk that we are willing to take or will there also be an emergency DAO (such as Curve) that can block possible attacks?
They later added:
There are absolutely ways to mitigate some of this concern in an elegant way… As far as I can tell, the current rule set doesn’t account for flash loan governance attacks or rugpull tokens.
In response to the comment, a Publius admin account wrote that such tampering “wasn’t a concern in any way until Stalk [the governance token] is liquid.”
A concern about flash loans was also raised at an AMA-style session organized by Publius on April 12, the video of which is available on YouTube. Around 6 minutes into the video, a participant asks via chat, “Can the team get into…why is the protocol not susceptible to flash loan attacks?”
In response, a Publius member discusses protections against price manipulation through flash loans, but does not address the possibility of governance attacks powered by flash loans.
With Beanstalk’s assets completely depleted by the attack, the project has launched a 10-day fundraiser to try to replace the lost funds. Without the benefit of venture capital funding, the company lacks the kind of deep pockets that have helped other hacked protocols bounce back from even bigger losses. But with the fate of the company at stake, the success of the fundraiser will largely depend on the community’s trust in the founding team not to make similar mistakes again.
Reached via Discord, Publius had not responded to a request for comment at the time of publication.