That’s where things stand for Beanstalk Farms, a decentralised finance platform whose entire collateral was siphoned off over the weekend. Despite having no remaining treasury funds and a token that since midnight Sunday has lost 92 per cent of its value, the project founders remain upbeat, because they have a plan.
Their plan is for “some sort of fundraise”.
Beanstalk is a minor player in the stablecoin universe whose novelty is that it doesn’t promise one-for-one collateral. Rather than claim to have each coin backed by hard financial assets, it applies an algorithm that seeks to maintain a dollar peg by minting a Bean coin when the price rises above $1 and hiking interest rates on convertible debt tokens when it’s below. There’s an extended metaphor involving soil, seasons, harvests, weather etc that makes the peg mechanism sound something like Farmville.
Bean holders also qualify for an equity token, Stalk, that gives a vote on changes to the Beanstalk protocol. On Saturday, a Stalk holder lodged a Mickey Finn smart contract that would donate to Ukraine’s war effort. The person then bought more than two-thirds of the governance tokens using a $1bn flash loan, thereby gaining the supermajority needed to vote through a change to Beanstalk’s protocol, before transferring $250k of Beanstalk’s treasury to Ukraine and the rest into a private wallet.
As many commentators have pointed out, it wasn’t really a hack. Even calling it a theft is debatable. Everything worked as designed; it’s just that the design was really, really bad. No defined regulation of ownership or voting control meant there was nothing to stop the attacker from extracting about $76mn in Ether along with Beans that were then nominally valued at about $100mn but whose current value is almost nothing ($0.08 on CoinGecko at pixel time). The job took less than 13 seconds to execute.
In a podcast on Beanstalk’s Spotify page immediately after the raid, the host doxxed himself as Benjamin Weintraub and identified the other co-founders as Brendan Sanderson and Michael Montoya. He said they had “no involvement with, and no prior knowledge of, the attack.”
Had flash-loan vulnerability been considered beforehand? Yes, though perhaps not in the right way. In a Beanstalk Octomob webstream of April 12, a user asked about flash loan attacks in relation to pricing integrity. The panel was confident that because a flash loan requires borrowed money to be returned in the same transaction, any window for price manipulation would be too narrow. Governance code strength wasn’t mentioned.
So anyway, in a follow-up podcast on Tuesday the speaker (who sounds like Weintraub again, though he doesn’t identify himself) spoke at length about how the team remains confident of rebooting the project by using a fundraising mechanism that “is to some extent, tried and true”.
Some details need to be worked out. How to attract new cash for a lending platform with zero liquidity, a mob of legacy junk token holders and a bit of a brand reputation problem “is very much unclear at the moment,” said the speaker. “And so the specific structure of how Beanstalk should actually raise this capital is still up in the air.”
Nevertheless, the proposal they’ve come up with is sort of a debt-for-equity swap involving the issue of a new token. The podcast host outlines, in jargon-heavy terms, a one-time token issuance using the established mechanic on reset pricing. A third of new Beans minted through that new channel would go into a reparations fund, with legacy holders asked to take a haircut based on the amount raised. Exit penalties would present a hurdle to anyone intent on taking the first opportunity to run off with the money, at least in theory.
“This is not the worst place to be in, guys,” the podcast host says. “It’s a lot better that this happened when it did as opposed to four weeks from now, when the protocol had attracted another billion dollars of capital. And it’s a whole lot harder to fill a billion dollar gap than it is to fill a $76mn gap. So that is a silver lining.”