Episode Summary

In this week’s episode, we take a deep dive in the fascinating flash loan governance attack delivered on the Beanstalk Farms protocol Sunday. Then we dig into trending criticism on Axie Infinity’s play to earn model.

Intro

Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, scams, exploits, and anything that feeds our crypto curiosity.

Welcome degens! Come one, come all.

It’s been another epic week. We will go deep on the Beanstalk Farms attack and explore some growing criticism of Axie.

But first, let’s jump into our choice-picked weekly Degen headlines.

Degen Weekly

1. ETH Merge pushed back from targeted June to Q 3 2022 or later. Surprised?
2. ETH staking post merge will likely be lower than anticipated -Crypto Slate
3. Defi superstar Andre Cronje (CRON-YE) comes back after his 3rd rage quit and starts beating the crypto needs regulation drum - The Defiant
4. “Ethan Gach with Kotaku says” Crypto Gaming “Landlords” upset they can’t keep exploiting all the players. Diminishing returns of the play to earn game Axie infinity and showing that the long term model of some of the guilds is unsustainable long term. - Kotaku
5. New phishing attack that involves google ads… TradeDog on twitter says that over 4.31 MILLION has been exploited in this phishing attack - Tweet
6. Lazarus group, a North Korean based hacker group has claimed responsibility for the Ronin bridge attack. Last week we heard they might be responsible but this week it seems they are fully taking ownership of this insane hack - Cryptured
7. US House Democrats Call for Scrutiny on Crypto Mining as Environmental Threat

U.S. Rep. Jared Huffman (D-Calif.), who leads a subcommittee within the House of Representatives’ Natural Resources Committee, has recruited almost two dozen Democratic colleagues to urge federal environmental officials to devote further scrutiny to the consequences of cryptocurrency mining. - Coindesk

Degen Deep Dive

Beanstalk Farms Flash Loan Governance Attack

TLDR: On April 17th, 2022 an attacker used a barrage of flash loans to purchase a majority of BEAN tokens, the native governance token for Beanstalk Farms. Using this temporarily loaned voting power allowed them successfully pass an emergency governance proposal that drained the protocol of 76M in assets, sent 250K of the stolen money to the Ukraine War Fund, and sent the price of the stable BEAN tumbling.

Who:
victim: bean.money aka Beanstalk

Beanstalk is a decentralized and transparent solution to DeFi’s endemic stablecoin supply shortage. It was designed from first principles to be a paradigm-shifting DeFi primitive that makes decentralized, cost-efficient stablecoins available to anyone with an internet connection.Beanstalk was initially launched in August 2021 with just 100 Beans and has never taken traditional funding. Over the last eight months, Beanstalk organically grew to $100M in market cap, attracting $144M in long term-incentivized liquidity.

• Beanstalk: The Path Forward

From the whitepaper:

To date, flawed stablecoin implementations sacrifice the main benefits of decentralized computing by requiring trust in a centralized party and limit their potential market capitalization by imposing collateral requirements.A stablecoin that (1) does not compromise on decentralization, (2) does not require collateral, and (3) trends toward more liquidity and stability, will unlock the potential of
DeFi.We propose an Ethereum-native, credit based stablecoin protocol that issues an
ERC-20 Standard token that fulfills these requirements.An on-chain price oracle leverages an existing centralized bridge between the Ethereum blockchain and the rest of the world to create a decentralized, reliable and inexpensive source for the price of a nonEthereum-native value peg.A Decentralized Autonomous Organization (DAO) governed
by a yield generating, inflationary, ERC-20 Standard token simultaneously provides security, encourages consistent liquidity growth, and dampens price volatility.

Attacker:
Anon/unknown

What:
attack details:

1. Created two malicious governance proposals and submitted them to the governance contract and wait for 24hrs
2. AAVE FlashLoans sourced from Tornado Cash --> Synapse Protocol Bridge:
   350M DAI
   500M USDC
   150M USDT
3. Bought 32M BEAN on Uniswap V2
4. bought 11.6M LUSD?
5. These tokens were used to add liquidity to Curve pools with BEAN for the governance voting
6. Voted for and passed, BIP-18 & 19 (malicious proposals)
7. Pull back liquidity
8. Repay flash loans
9. Converted all received funds into 24,800 ETH ($76M)
10. ETH moved to TornadoCash
    – from BEANSTALK - REKT & PeckShield’s step by step

Presumably, to avoid suspicion of an inside job, Publius, the anon behind the protocol, took the decision to reveal their identity as a group of three in a statement published to Discord.

From ^^ rekt

How:
From Beanstalk whitepaper:

6.5 Governance

A robust decentralized governance mechanism must balance the principles of decentralization with resistance to attempted protocol changes, both malicious and ignorant, and the ability to quickly adapt to changing information.In practice, Beanstalk must balance ensuring sufficient time for all
ecosystem participants to consider a Beanstalk Improvement Proposal (BIP), join the Silo and cast their votes, with the ability to be quickly upgraded in cases of emergency.

6.5.2 Voting Period

A Voting Period opens when a BIP is submitted to the Ethereum blockchain and ends at the beginning of the 169th Season after it is submitted, or when it is committed with a supermajority

Doesn’t matter though, as it looks like a super majority of tokens was used to override the 169th season (~7 days).

5 Seasons

Thus, Beanstalk creates a cost-efficient protocol-native timekeeping mechanism
and ensures cost-efficient code execution on the Ethereum blockchain at regular intervals.

Confusing… How about this:

Seasons are the Beanstalk-native timekeeping mechanism. Each Season is ∼1 hour long.

What’s odd:

• Variations in reports about how muc...