182 million dollars in 13 seconds: those are the headline figures of the recent heist carried out by hackers. The fledgling crypto bank Beanstalk fell victim to a sophisticated attack that exploited a weakness in its design. Beanstalk has only been around for a few months, and the core of its business is the stablecoin Bean, whose value is supposed to be held at roughly the level of a US dollar. According to FAZ, a central pool of assets forms the basis of the Bean: users deposit cryptocurrencies into this pool as shares and thereby back the Bean, so to speak. This is exactly where the "thieves" came in.
Gap in the system
Why "thieves"? Because the hackers proceeded in such a sophisticated way that one cannot, strictly speaking, call it theft. But let's take it one step at a time. The perpetrators gained access to the money in a rather unusual way. It is common practice in decentralised protocols that the users vote on changes to the code that forms the technical basis. In Beanstalk, the weight of an individual user's vote depends on how many beans they hold. So in order to gain more weight in a decision, you have to deposit more crypto and thus bring more beans into your possession.
This is exactly where the hackers came in: they borrowed around a billion US dollars in cryptocurrencies via flash loans, loans that are taken out and repaid within a single transaction, and used them to acquire beans. In this way they obtained a two-thirds majority, which they used to transfer 182 million dollars to themselves. Because the borrowed capital only had to exist for the length of that one transaction, the votes were won with beans the attackers held for a matter of seconds. The FAZ calculates that the perpetrators will be left with around 80 million US dollars after repaying the loans: not a bad hourly wage, considering the 13 seconds that the coup is said to have taken, according to The Verge.
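To make the mechanism concrete, here is a toy model of the governance takeover described above, together with the two rules that defeat it. This is an added illustration, not Beanstalk's contracts and not code from the FAZ or The Verge reporting; the token amounts, the names "honest" and "attacker", the block numbers and the rules of the toy governance contract are all constructed assumptions. The vulnerable variant counts a voter's live balance at the moment of the vote, so tokens bought with a flash loan count even though they are handed back in the same block; the hardened variant counts balances as recorded one block before the proposal was created and enforces a delay before execution.

```python
"""Toy model of a flash-loan governance takeover and its mitigations.

Added example; not Beanstalk's code. All numbers and names are constructed.
"""

from dataclasses import dataclass

SUPERMAJORITY = 2 / 3  # page: a two-thirds majority sufficed to pass the proposal


class Token:
    """Governance token whose balances are checkpointed per block."""

    def __init__(self) -> None:
        self.history: dict[str, list[tuple[int, int]]] = {}

    def set_balance(self, who: str, amount: int, block: int) -> None:
        h = self.history.setdefault(who, [])
        if h and h[-1][0] == block:
            h[-1] = (block, amount)        # same block: overwrite, as a flash loan would
        else:
            h.append((block, amount))

    def balance(self, who: str) -> int:
        h = self.history.get(who)
        return h[-1][1] if h else 0

    def balance_at(self, who: str, block: int) -> int:
        """Balance as it stood at the end of `block` (0 if the holder did not exist)."""
        bal = 0
        for blk, amt in self.history.get(who, []):
            if blk > block:
                break
            bal = amt
        return bal

    def total_supply(self) -> int:
        return sum(self.balance(w) for w in self.history)

    def supply_at(self, block: int) -> int:
        return sum(self.balance_at(w, block) for w in self.history)


@dataclass
class Proposal:
    created_block: int
    yes_votes: int = 0
    executed: bool = False


class Governance:
    """snapshot: count votes by balance at created_block - 1 (hardened)
    delay: blocks that must pass between creation and execution."""

    def __init__(self, token: Token, snapshot: bool, delay: int) -> None:
        self.token, self.snapshot, self.delay = token, snapshot, delay
        self.treasury = 182_000_000            # page: roughly $182M drained

    def propose(self, block: int) -> Proposal:
        return Proposal(created_block=block)

    def vote(self, p: Proposal, voter: str) -> None:
        if self.snapshot:
            power = self.token.balance_at(voter, p.created_block - 1)
        else:
            power = self.token.balance(voter)   # live balance: flash-loanable
        p.yes_votes += power

    def execute(self, p: Proposal, block: int) -> bool:
        """True if the proposal passes and the treasury is paid out."""
        if p.executed or block < p.created_block + self.delay:
            return False
        ref = p.created_block - 1 if self.snapshot else block
        supply = self.token.supply_at(ref) if self.snapshot else self.token.total_supply()
        if p.yes_votes < SUPERMAJORITY * supply:
            return False
        p.executed, self.treasury = True, 0
        return True


def flash_loan_attack(snapshot: bool, delay: int) -> bool:
    """Returns True if the attacker drains the treasury under the given rules."""
    token = Token()
    gov = Governance(token, snapshot, delay)
    token.set_balance("honest", 1_000_000, block=1)   # constructed holdings
    token.set_balance("attacker", 1_000, block=1)
    p = gov.propose(block=100)                        # filed well in advance
    b = 200                                           # one transaction in one block:
    token.set_balance("attacker", 1_000 + 3_000_000, b)   # borrow and buy beans
    gov.vote(p, "attacker")                                # vote with them
    drained = gov.execute(p, b)                            # execute the payout
    token.set_balance("attacker", 1_000, b)                # sell back and repay
    return drained


def honest_path() -> tuple[bool, bool]:
    """Hardened rules still let a real supermajority act once the delay has passed."""
    token = Token()
    gov = Governance(token, snapshot=True, delay=100)
    token.set_balance("honest", 1_000_000, block=1)
    token.set_balance("attacker", 1_000, block=1)
    p = gov.propose(block=100)
    gov.vote(p, "honest")
    return gov.execute(p, block=150), gov.execute(p, block=200)


if __name__ == "__main__":
    for snap, delay in [(False, 0), (False, 100), (True, 0), (True, 100)]:
        print(f"snapshot={snap!s:5} delay={delay:3}: drained={flash_loan_attack(snap, delay)}")
    print("honest: too early, in time =", honest_path())
```

The second case is the instructive one: a waiting period alone does not help, because the attacker can file the proposal early and still buy the votes with a loan that lives for a single transaction. Only reading balances from a checkpoint taken before the proposal existed removes the flash loan's leverage, which leaves a would-be attacker needing to hold real capital at risk across blocks.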
Beanstalk is not only 182 million poorer but also in a quandary: legally, it has little recourse against the thieves, since the weakness they exploited is not a security hole in the classic sense. The operators simply did not anticipate a short-term takeover of the vote, which means the stolen crypto is probably lost and Beanstalk is left helpless.
The Beanstalk founders can only appeal to the perpetrators to return their loot. According to FAZ, Beanstalk is offering the hackers 10 per cent of the stolen assets as a kind of "finder's fee" for exposing the weakness, provided they pay back the rest. If they don't, and prefer to keep 80 million rather than 8 million, then what one of the founders said in a first reaction shortly after the news broke applies to Beanstalk: "We are fucked."