Hacker steals $182 million from Beanstalk Farms after voting to send themself crypto

The company is now offering to let the attacker keep 10 percent if the rest is returned.

Yet another cryptocurrency hack has allowed an attacker to steal around US$182 million (NZ$270 million) in digital tokens from a decentralised finance (DeFi) project.

Beanstalk Farms was robbed after the voting system that governs many DeFi organisations was exploited, essentially allowing the hacker to vote to send themself the money.

Participants in Beanstalk Farms earn rewards and gain voting rights in proportion to the 'beans' they own, which is what the company calls its tokens.

According to reports, the attacker used a 'flash loan' from another company, Aave, to buy close to 67 percent of the project's voting stake, worth somewhere in the region of US$1 billion.

"With this supermajority stake, they were able to approve the execution of code that transferred the assets to their own wallet. The attacker then instantly repaid the flash loan, netting an $80 million profit," website The Verge said.

"Based on the duration of an Aave flash loan, the entire process took place in less than 13 seconds."
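The borrow-vote-execute-repay sequence described above, modelled as an added example (a constructed simulation, not Beanstalk's or Aave's code) that also shows the two standard mitigations: counting votes from a balance snapshot taken before the proposal's block, and requiring a delay before a passed proposal can execute. All names, balances and the `Governance` class are assumptions for illustration.

```python
# Constructed model of token-weighted governance. A flash loan is borrowed and
# repaid inside one block, so any design that reads live balances and lets a
# proposal pass and execute in that same block is open to a borrowed supermajority.
class Governance:
    def __init__(self, balances, snapshot_voting, delay_blocks):
        self.block = 1
        self.balances = dict(balances)          # live token balances
        self.snapshots = {0: dict(balances)}    # end-of-block balance snapshots
        self.snapshot_voting = snapshot_voting  # True: vote with snapshot power
        self.delay_blocks = delay_blocks        # blocks required before execution
        self.proposals = []

    def advance_block(self):
        self.snapshots[self.block] = dict(self.balances)
        self.block += 1

    def transfer(self, src, dst, amount):
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self):
        self.proposals.append({"block": self.block, "votes": 0, "voters": set()})
        return len(self.proposals) - 1

    def _ledger(self, proposal):
        # Snapshot voting reads balances as they stood before the proposal's block,
        # so tokens borrowed within that block carry no voting power.
        if self.snapshot_voting:
            return self.snapshots[proposal["block"] - 1]
        return self.balances

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if voter not in p["voters"]:
            p["voters"].add(voter)
            p["votes"] += self._ledger(p).get(voter, 0)

    def execute(self, pid):
        p = self.proposals[pid]
        total = sum(self._ledger(p).values())
        supermajority = p["votes"] * 3 >= total * 2   # two-thirds threshold
        matured = self.block >= p["block"] + self.delay_blocks
        return supermajority and matured

def flash_loan_attack(snapshot_voting, delay_blocks):
    """Borrow 67% of supply, propose, vote, execute and repay, all in one block."""
    gov = Governance({"pool": 67, "holders": 33}, snapshot_voting, delay_blocks)
    gov.transfer("pool", "attacker", 67)   # flash loan taken inside the block
    pid = gov.propose()
    gov.vote(pid, "attacker")
    passed = gov.execute(pid)
    gov.transfer("attacker", "pool", 67)   # loan repaid before the block ends
    return passed
```

With live balances and no delay the borrowed stake passes the proposal; either mitigation alone blocks it, while holders who held their tokens across blocks can still vote and execute after the delay.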

The company has since taken to social media offering the hacker the chance to keep 10 percent of what he stole if he returns the remaining 90 percent.

"In the wake of yesterday's attack, Beanstalk Farms makes the following offer to the Exploiter," it wrote on Twitter.

"If you will return 90 percent of the withdrawn funds to the Beanstalk Farms multi-sig wallet, Beanstalk will treat the remaining 10 percent as a Whitehat bounty properly payable to you."

On the project's official Discord channel, one of the developers of the project said "we are f**ked".

"Honestly not sure what to type. We are f**ked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming.

"There are no funds left. They minted enough Beans to sell them and drain the liquidity on all pools."

Because the attacker used Tornado Cash, a cryptocurrency mixing service that has been used to launder stolen cryptocurrency in the past, investors may only get their funds back if the attacker has a change of heart.

The attacker also donated US$250,000 (NZ$370,000) to Ukraine's digital wallet, which allows people around the world to support the nation during the ongoing invasion by Russia, according to Vice.

There have been a number of high-profile cryptocurrency heists lately, including one which nabbed NZ$886 million from play-to-earn game Axie Infinity.

Since that heist was disclosed at the end of March, the US government has said the attack was perpetrated by hackers working for the government of North Korea.