Security

DeFi Project Beanstalk Loses $182 Million in Flash Loan Attack (bloomberg.com) 67

Decentralized finance project Beanstalk Farms suffered one of the largest-ever flash-loan exploits on Sunday, sending its price tumbling. From a report: The credit-focused, Ethereum-based stablecoin protocol suffered a total loss of around $182 million and the attacker got away with around $80 million of crypto tokens, according to blockchain security firm PeckShield, which had flagged the incident on Twitter. The project's native token BEAN fell about 75% from its $1 peg against the dollar, pricing from CoinGecko showed. The protocol's creators disclosed their identities on Beanstalk's Discord server, and said that they were not involved in the attack. "We are not aware of the identity of the individuals who were involved. Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial," the founders wrote. It isn't yet clear whether investors who lost funds will be reimbursed -- or if so, how and to what extent. Unlike traditional lending, which requires a loan to be secured with a collateral or credit checks, DeFi smart contracts allow users to borrow huge sums of stablecoins in what are known as flash loans, without any form of security. Flash loans, where the entire process of borrowing and returning the loan happens in a single transaction on the blockchain, are fairly popular among arbitrage traders.
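The single-transaction property described in the summary above, as an added Python model that is not code from the article or from Beanstalk. The toy ledger, the account names, the amounts and the 0.09% fee are all constructed for illustration.

```python
class Revert(Exception):
    """Abort the current transaction; every state change in it is discarded."""

class Chain:
    """Toy ledger (constructed): account name -> token balance."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transact(self, fn):
        """Run fn atomically. Returns True if committed, False if reverted."""
        snapshot = dict(self.balances)
        try:
            fn(self)
            return True
        except Revert:
            self.balances = snapshot  # roll back as if nothing happened
            return False

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot cover {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

FEE_BPS = 9  # assumed fee of 0.09%, not a figure from the article

def flash_loan(chain, pool, borrower, amount, callback):
    """Lend with no collateral, run the borrower's code, then insist on repayment."""
    owed = chain.balances[pool] + amount * FEE_BPS // 10_000
    chain.transfer(pool, borrower, amount)
    callback(chain, borrower, amount)
    if chain.balances[pool] < owed:
        raise Revert("loan plus fee not returned inside the transaction")

def repaying_borrower(chain, me, amount):
    # Stand-in for an arbitrage: the trade nets 2,000 tokens from "dex".
    chain.transfer("dex", me, 2_000)
    chain.transfer(me, "pool", amount + amount * FEE_BPS // 10_000)

def absconding_borrower(chain, me, amount):
    # Moves the borrowed funds elsewhere and never repays.
    chain.transfer(me, "elsewhere", amount)

def run_demo():
    start = {"pool": 1_000_000, "trader": 100, "dex": 5_000}
    ok_chain, bad_chain = Chain(start), Chain(start)
    committed = ok_chain.transact(
        lambda c: flash_loan(c, "pool", "trader", 1_000_000, repaying_borrower))
    reverted = not bad_chain.transact(
        lambda c: flash_loan(c, "pool", "trader", 1_000_000, absconding_borrower))
    return committed, ok_chain.balances, reverted, bad_chain.balances

if __name__ == "__main__":
    print(run_demo())
```

The unrepaid loan leaves the pool exactly as it started, so the missing collateral is not where a lender loses money. What other contracts have to account for is that the borrower holds the full amount while the callback runs.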
  • Not shocking (Score:4, Interesting)

    by Bill, Shooter of Bul ( 629286 ) on Monday April 18, 2022 @09:43AM (#62456520) Journal

    A single flaw will allow all funds to be taken. Everyone knows doing this without error is nigh impossible.

  • It's like modern banking systems aren't so stupid after all.

    Crypto seems hell bent on re-learning why banks operate the way they do, with the exception of their security systems.

    • It's a shame that in learning some of these lessons, they are going to inevitably destroy some people's lives in the process.
      • by smooth wombat ( 796938 ) on Monday April 18, 2022 @12:09PM (#62456922) Journal
        It's a shame that in learning some of these lessons, they are going to inevitably destroy some people's lives in the process.

        Sorry, not sorry. At this point the people putting their life's savings into crypto have been warned countless times about its pitfalls. They have chosen to ignore those warnings and must now suffer the consequences.

        This is no different than covid, people who drive drunk or use drugs. Everyone's been warned, but there will always be those who know more than the experts. This is a good time to use the phrase, "If he dies, he dies."
        • by rgmoore ( 133276 )

          I understand the sentiment, but I can't 100% agree. It's hard to feel sorry for sophisticated investors who ought to know better, but not everyone getting into crypto is a sophisticated investor. To the contrary, crypto has now reached the stage where it's trying to bring in people who genuinely don't know better. I know a 15-year-old whose father almost convinced him to put his money into crypto until his mother's side of the family stepped in and convinced him it was a bad idea. That's a somewhat extr

          • Whoever that father is shouldn't have had children because he's an irresponsible asshole.

            • by rgmoore ( 133276 )

              I won't disagree with you on that father being an irresponsible asshole; that seems to be the consensus opinion. But we can't legally forbid irresponsible assholes from reproducing, so we still need to protect their children from financial abuse.

          • Seems like the solution you're suggesting here is regulation and liability (and probably insurance to deal with the liability). Sure, it'll discourage a certain amount of innovation, but maybe we don't need those kinds of half-baked financial products carrying around millions of dollars of assets.

        • by jythie ( 914043 )
          Eh, but like COVID, drunk driving, or drug abuse, effects are rarely confined to the people making the poor decisions. Billions of dollars flowing to scammers has to be coming from somewhere and is not being used for better things.
    • by orlanz ( 882574 )

      At the same time, I don't want to give too much credit to Banks. Banks are stupid. They learned all these lessons the hard way over a century and continue to do so. They had to be bailed out many times before they got to an acceptable level of risk. And every time we look away, they do the same mistakes again.

      These newcomers live in a theoretically ideal world with flowers and ponies. Then they are surprised when they touch the real world and get stung.

      • by Pascoea ( 968200 )

        Banks are stupid. ... They had to be bailed out many times...

        That would imply that banks aren't stupid, but very shrewd. We're the stupid ones for continuing to bail them out.

      • by rgmoore ( 133276 )

        It's not that banks are stupid so much as that they're selfish and short sighted*. They tend to do things that look like they'll make big profits in the short term, even if they cause problems in the long term, or if they're the kind of thing that works if one bank does it but not if they all do. That kind of behavior is exactly why they need a ton of regulation.

        *The biggest difference is that selfish and short sighted institutions can be very clever in trying to avoid the regulations put in place to li

        • by jythie ( 914043 )
          To go a step farther.. they are neither stupid, nor simply selfish/short sighted. They do what they need to survive.. or put another way, the market rewards the risky behavior and punishes the careful, so banks that DO behave well also tend to go out of business or at minimum shrink and thus have a smaller influence on the market. In many ways, economics is an engineering problem.. all the parts behave according to the rules of the system, and you only really find problems after they happen and thus need t
      • At the same time, I don't want to give too much credit to Banks. Banks are stupid.

        Banks are not stupid. They are greedy and corrupt. They know exactly what they are doing, (e.g. taking big risks on highly questionable investments.)

        And because they know that there are no significant consequences, it encourages them to be even more greedy and take even more risks.

    • by klubar ( 591384 )

      Why don't we read about these kinds of losses from modern banks? .... Oh wait:

      https://www.npr.org/transcript... [npr.org].

      https://www.bloomberg.com/opin... [bloomberg.com]

      I guess part of the difference is that these were internal screw-ups rather than hacks, and mostly the investors did not lose money.

    • Re: (Score:3, Insightful)

      by rgmoore ( 133276 )

      Exactly. Crypto is an attempt to recreate the financial system without regulation, but it turns out most of the regulation is there for a good reason. So crypto is great for scammers who want to take advantage of the lack of regulation to cheat people, but it's terrible for everyone else.

    • Crypto seems hell bent on re-learning why banks operate the way they do

      No you don't understand. We don't want evil government meddling. They can take their overbearing regulation requiring insurance coverage, and their consumer protection laws and shove them where the sun don't shine. We are happy knowing the free market is in control of our money!

      Sincerely
      A Crypto Bro's last remaining braincell.

    • Let's be honest, has "crypto" accomplished any of the supposed goals it set out to accomplish? It's certainly proving to not be anonymous, suffers from all of the same issues as traditional cash/banking, only in a far more inconvenient form.

    • > Crypto seems hell bent on re-learning why banks operate the way they do, with the exception of their security systems.

      Right. Nobody in the entire crypto space is investing in software provability or oversight. The most amateur projects are representative of the totality. DO NOT invest or get involved.

  • by DarkOx ( 621550 ) on Monday April 18, 2022 @09:57AM (#62456566) Journal

    Smart contracts are kind of a dumb idea. If people were really comfortable they could enumerate all the rules and agree on their interpretation we would not have barristers, courts, to figure out how to execute regular contracts. Stock exchanges would not have halts and rollbacks etc.

    The reality is like a lot of law there is an 'intent' element to these things, and geeks just refuse to accept 'correct' execution isn't a matter of just rigid application of a rule set. Someone is going to find a way to game these systems no matter how much fancy crypto gimmicks people invent.

    • by ljw1004 ( 764174 )

      Smart contracts are kind of a dumb idea. If people were really comfortable they could enumerate all the rules and agree on their interpretation we would not have barristers, courts, to figure out how to execute regular contracts. Stock exchanges would not have halts and rollbacks etc. The reality is like a lot of law there is an 'intent' element to these things, and geeks just refuse to accept 'correct' execution isn't a matter of just rigid application of a rule set. Someone is going to find a way to game these systems no matter how much fancy crypto gimmicks people invent.

      That's certainly true of a lot of parts of the law... Criminal law talks often about intent. Contract law talks often about a meeting of minds.

      I'm not a lawyer. My impression is that there are smallish other areas of law which are just about rigid application of rule sets. The first example that comes to my mind is Customs & Excise limits on duty free allowances. (One of my undergraduate exam questions in 1992 gave a paragraph of those rules and asked candidates to turn them into prolog). Ethereum is sa

      • Whether a system is used for laws and contracts, file management or drawing pixels on a screen, proving the correctness of any complex software system is very challenging.

        We know from decades of research on the topic, and from experience (a new crypto or defi exploit just about every week) that the chance of having flaws in these complex systems is approaching 100%.
      • by AmiMoJo ( 196126 )

        Contracts in law are rarely interpreted purely based on their content. For example, a contract that violates worker's rights will be partially invalidated by a court. With blockchain based contracts there is no court and no law to govern them, it's just the code in the contract.

    • That's because smart contracts aren't contracts at all. Ethereum's creator has already stated that he quite regrets [twitter.com] having adopted the term:

      To be clear, at this point I quite regret adopting the term "smart contracts". I should have called them something more boring and technical, perhaps something like "persistent scripts".

  • Know your customer (Score:5, Insightful)

    by Arethan ( 223197 ) on Monday April 18, 2022 @09:57AM (#62456568) Journal

    Unlike traditional lending, which requires a loan to be secured with a collateral or credit checks, DeFi smart contracts allow users to borrow huge sums of stablecoins in what are known as flash loans, without any form of security.

    Anonymous lending without any form of collateral. What could possibly go wrong? /s

    • by ljw1004 ( 764174 )

      Anonymous lending without any form of collateral. What could possibly go wrong? /s

      Did you read the article? A flash loan is where you make the loan AND PAY IT BACK in a single transaction. I don't understand how you think collateral would help?

  • by Thelasko ( 1196535 ) on Monday April 18, 2022 @10:05AM (#62456578) Journal
    How did this work? Someone took out loans and didn't pay them back?
    • How did this work? Someone took out loans and didn't pay them back?

      Same question here, especially since the summary had this:

      Flash loans, where the entire process of borrowing and returning the loan happens in a single transaction on the blockchain

      So I guess it's not really one transaction since they were able to take but not pay back?

      • And what's the point of a loan if you need to repay it in the same instant that you borrowed?

        • And what's the point of a loan if you need to repay it in the same instant that you borrowed?

          Yes, another great question, I was wondering how you arbitrage anything with that.

        • I think the idea is that you write a smart contract that takes out the money and chains it with another transaction to return the money (with interest?) after a short delay. The return payment is authorized / locked-in at the time of the loan, so it should be 100% reliable. But the hackers found a way to trick the system, getting the loan issued without a valid return transaction or somehow canceling the return transaction. They did this by exploiting some flaw in the software. And flash loans are a popular

        • I've had actual real estate financing contracts act like this before. In that case, we, an entity in the middle, took a fraction of a percentage cut to act similarly to escrow, but if something happened to the transaction later on down the line, we could be held legally liable because we're the immediate transactor of record.

      • Re:In English Please (Score:4, Interesting)

        by DarkOx ( 621550 ) on Monday April 18, 2022 @11:04AM (#62456742) Journal

        Unfortunately, the TFA contains basically no more info (why Bloomberg thinks people should pay for such empty reporting is beyond me but I digress).

        My assumption is it's a clearing/lapping scheme of some kind. It's too expensive/slow to put every transaction into the block chain so they are batched. One person generates a massive number of new credit lines before any of it hits the ledger. Kinda like driving all over town writing/cashing checks against the same account before any of them clear and they determine the account is overdrawn.

        What I don't understand is why the flash loans 'would be popular for arbitrage' unless it's to facilitate short sales maybe? E.g. you want to sell Ether right now but you have not got it, so you flash loan to get what you need and execute the sale in the same block before new pricing information emerges and the opportunity is lost?

        I am speculating here a lot, admittedly.

        • Thanks for at least that much, like you I tried to follow the link for more answers but got nothing. Your guess is better than anything I could come up with, seems reasonable.

  • crypto needs bank like regulation big time!

    • There is no such thing as "crypto", at least there is not any meaningful distinction. We should probably outlaw ad hoc financial institutions, actually I'm pretty sure most already are outlawed and we should start enforcing the laws on the books.

  • by xwin ( 848234 ) on Monday April 18, 2022 @10:16AM (#62456610)
    If regular banks would suffer such losses on a weekly basis, there would be a run on the banks. No one would keep their money in the bank. Yet more people pile in to cryptocurrency exchanges in hopes of striking it rich. Human stupidity never ceases to amaze.
    • No, you're being a bit alarmist. $182M in losses happens; banks handle it via insurance primarily.

      For perspective, in 2018 an estimated $600B in damages was due to cybercrime; approximately 1% of global GDP https://www.csis.org/analysis/economic-impact-cybercrime#

      Last year, the amount of crypto stolen was around $10B.

      I'm not a fan of crypto, but while it's growing in prominence in cyber crime, 1) it's linked to a few traders and is mostly walled off from the rest of the economy, and 2) it's stil

      • No, you're being a bit alarmist. $182M in losses happens; banks handle it via insurance primarily.

        No that's not being alarmist at all. As you said it yourself banks are insured so the banks don't actually lose the money, insurance companies and central banks (sometimes) do.

        On the flip side every one of these losses on a crypto exchange directly impacts the people who have their money in it. It is the customer's money that is actually gone. But hey they are the ones that want to be free from government meddling such as the requirement to actually have insurance and financial protection laws that prevent

    • And also a large number of desperate people with not enough money to retire who think they found a big score. But let's not forget that a lot of the money here is coming from money laundering conducted by the ultra wealthy and nation states. When you're laundering money you expect to lose some of it.

      Also I mentioned this on another post but I'm not 100% sure there's any real loss here. These so-called stable coins often aren't really backed by the amount of currency they say they're backed by.

      I do hate t
    • https://web3isgoinggreat.com/ [web3isgoinggreat.com] recently added a "grift counter", which keeps track of how much USD were lost in different "hacks", scams and rugpulls.

      It's up to $1.64bn... since Jan 1st, 2022.

  • by rsilvergun ( 571051 ) on Monday April 18, 2022 @10:48AM (#62456694)
    Most of these "stablecoins" don't seem to really be backed by USD. I know Tether got caught with a very, very low number of real dollars backing their coin and paid an SEC fine for it (amazingly the market didn't freak out when this was revealed, then again it has more or less been proven mathematically that they couldn't mint as many coins as they claimed with the amount of money they had...)

    I guess if they're mined, but again, most of these are "proof of stake".

    This feels extremely dodgy. It wouldn't surprise me if the whole thing was just money laundering and the fed was sniffing too close so they shut it down with a fake "theft". Then again it's also possible a whole bunch of money launderers just lost a ton of money.

    One thing I'm sure of, at least once a month there's a $100+ million dollar crypto heist.
    • Fucking. Liar. The *CFTC* fined Tether for not having appropriate reserves for YEARS BEFOREHAND, and it wasn't even that they didn't have the reserves, but "[t]here is no finding that tether tokens were not fully backed at all times—simply that the reserves were not all in cash and all in a bank account titled in Tether’s name, at all times"

      How much do you get paid to do this constantly? Not a whole fucking lot I imagine, because your lies are weak and there are plenty of actual problems wi
      • by DarkOx ( 621550 )

        it wasn't even that they didn't have the reserves, but "[t]here is no finding that tether tokens were not fully backed at all times—simply that the reserves were not all in cash and all in a bank account titled in Tether's name, at all times"

        So what you are saying is that they did not have the reserves...

        Reserves are normally cash or a very short list of specific securities considered to be cash equivalents. Simple facts are they did not do what they said or at least implied they were doing at the time. Yes turned out they had other assets but other assets are not 'reserves'

  • another crypto-loss. Ho Hum.

  • Looks to me that both Beanstalk and Ethereum are working exactly as designed here.

  • This kind of theft and fraud happens all the time to FDIC insured banks and NCUA insured credit unions, right?

    DeFi is DeFunct. What a joke. Blow it all up now.
