The Beanstalk Gets (Hi)Jacked

A lesson in why governance needs a slower pace

How would you like to get paid $22 billion an hour?

Somebody did, by using the governance structure of a decentralized finance (DeFi) project called Beanstalk Farms. The project aims to balance the supply and demand of different cryptocurrency assets. Participants in the market vote on changes to the code that defines how that market operates, and their votes are weighted by how many of Beanstalk’s tokens they hold. This is the vaunted DAO, or decentralized autonomous organization.

So, here we have blockchain, crypto, a DAO, and DeFi — all the buzzwords that define much of Web3 and are promoted as describing the future of a safe, decentralized, democratized, and nationless utopia.

What could go wrong?

First, let’s put Beanstalk Farms in the past tense, as it is now defunct. How did this happen? By someone following the rules of the DAO to the letter, but with an unanticipated motivation.

As Walt Hickey writes in his excellent “Numlock News” newsletter:

There’s this other thing in crypto called a flash loan where you can borrow a bunch of money for a very brief period of time, which is mostly used by people arbitraging the markets. An attacker took out a flash loan for $1 billion in cryptocurrency, immediately used that to purchase a 67 percent supermajority voting stake in Beanstalk, used their supermajority to approve an asset transfer worth $182 million out of the central coffers of the project to their own wallet, and then cashed out their voting stake and paid back the loan. The entire process took approximately 13 seconds. They cleared about $80 million net profit, which by my calculations translates to an hourly wage of about $22 billion an hour.

“Flash loan attacks” are becoming increasingly common across Web3 projects, as people learn to exploit the rules of these systems with borrowed money, walking away with millions in minutes, all within the rules of the systems and their DAOs.

Is that an attack? Or just an exploitation of techno-utopian naïveté?

Beyond DAOs, this points to a flaw in technological governance approaches, which runs from social media to Web3 — they posit that speed is an advantage, yet clearly it is not when it comes to quality, safety, and reliability. Pausing, checking, verifying, validating, and scrutinizing may take time, but it improves things, prevents an unknown level of exploitation, and deters malefactors.
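The mechanism in the quoted account, and the delay argued for above, as an added toy model that is not from the original post and not Beanstalk’s own code: token counts, the “attacker” label and the one-block delay are constructed assumptions, and the 182 figure is the treasury value from the quote. A flash loan has to be repaid before the block it was taken in ends, so the attack only works if a proposal can pass and execute in that same block.

```python
from dataclasses import dataclass, field

SUPERMAJORITY_PCT = 67  # the quoted account: a 67 percent voting stake


@dataclass
class Dao:
    """Token-weighted governance over a treasury (constructed model)."""
    total_tokens: int
    treasury: int                 # value held by the DAO
    delay_blocks: int = 0         # 0 = a proposal passes and executes in one block
    block: int = 0
    balances: dict = field(default_factory=dict)

    def buy_tokens(self, who: str, n: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + n

    def sell_tokens(self, who: str, n: int) -> None:
        assert self.balances.get(who, 0) >= n
        self.balances[who] -= n

    def propose_transfer(self, who: str, amount: int) -> dict:
        """Passes if the proposer's current stake is a supermajority; it may
        only be executed once delay_blocks have elapsed (the pause)."""
        stake = self.balances.get(who, 0)
        passed = stake * 100 >= SUPERMAJORITY_PCT * self.total_tokens
        return {"to": who, "amount": amount, "passed": passed,
                "eta": self.block + self.delay_blocks}

    def execute(self, proposal: dict) -> bool:
        if not proposal["passed"] or self.block < proposal["eta"]:
            return False
        self.treasury -= proposal["amount"]
        return True


def flash_loan_attack(dao: Dao, loan_tokens: int) -> int:
    """One transaction: borrow a stake, vote, try to drain, unwind, repay.
    Every step happens at the same dao.block because the loan must be
    repaid before the block ends. Returns what the treasury lost."""
    attacker = "attacker"                       # constructed label
    dao.buy_tokens(attacker, loan_tokens)       # stake bought with the loan
    proposal = dao.propose_transfer(attacker, dao.treasury)
    drained = proposal["amount"] if dao.execute(proposal) else 0
    dao.sell_tokens(attacker, loan_tokens)      # cash out and repay the loan
    return drained
```

With delay_blocks set to 0 a 67 percent stake drains the treasury in one block; with any delay at all the borrowed stake is gone by the time the proposal becomes executable, and the remaining holders get the pause to scrutinize it.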

Web3 looks like a looming disaster. Web 2.0 hasn’t been all that great for people, democracies, or our sanity, either.

Are we clear what we’re doing with our tech toys? Or are we not to be trusted with these magic beans any longer?