The Beanstalk protocol is a permissionless fiat stablecoin protocol issuing the $BEAN token, a stablecoin that is pegged to the USD and backed by credit instead of collateral. The goal of Beanstalk is to create a capital-efficient stablecoin, that is fully decentralized and still provides price stability. This would mean solving nothing less than the stablecoin trilemma.
In April 2022, the protocol was drained of $77M in non-Beanstalk-native assets by an attacker leading to the halt of the contract and a long path for the community to recreate trust and confidence in the market. In August, the protocol was successfully relaunched and up to now, was able to attract more than $30M in liquidity.
Let's explore together how the Beanstalk protocol works, how it was hacked, and evaluate the new version launched by the community as well as all the risks associated with it.
Source: Beanstalk Farms
How the Protocol Works
The documentation of Beanstalk uses a unique terminology themed after bean farming. To make this article easier to understand for readers unfamiliar with Beanstalk, we will not use the themed terminology and instead, try to explain by describing the concepts based on the common terminology used in defi.
$BEAN is the protocol native stablecoin that holds its peg based on the algorithmic control of its supply. This happens by either minting new Beans or through the issuance of a native, debt token (the so-called 'Pods') in exchange for Beans. The debt tokens are issued via Beanstalk's own credit facility (known as the Field). Thereby, the debt tokens are issued when $BEAN tokens are lent to the protocol by creditors.
The received $BEAN tokens are burned by the protocol to reduce the supply of $BEAN and thereby, can stabilize the peg if $BEAN is trading below a dollar. The debt tokens are issued with a fixed interest rate calculated by the protocol (known as the Temperature) and don’t have a maturity date. The interest rate fluctuates based on the current price of $BEAN, the debt level of the protocol, and the change in demand for the debt token. The quantity of debt tokens being issued is a function of the Bean price and the interest rate. Both, the amount of debt tokens and their interest rate is continuously adjusted every hour by the protocol.
Therefore, the protocol relies on a time interval of one hour to recalculate all its parameters. The debt tokens plus their interest can be fully redeemed for $BEAN tokens once the Bean supply has sufficiently increased. Currently, 1/3 of newly minted $BEAN tokens are used to repay debt tokens and interest. Another 1/3 goes to governance token holders (known as Stalkholders), and the last 1/3 is used as incentivization for liquidity providers in a $BEAN pool to recapitalize the exploited $77M after the protocols’ recent restart.
In other terms, if the price of $BEAN trades below $1, the protocol gives out new debt tokens based on the interest rate and burns $BEAN tokens to bring the supply down to restore the peg. If $BEAN trades above $1, the protocol mints new $BEAN tokens and repays the debt tokens including the accrued interest based on a first-in-first-out principle dependent on how many new $BEAN tokens are minted. Important to know is that the protocol uses a decentralized on-chain oracle based on the shortage or excess of $BEAN in the BEAN:3CRV pool from Curve. This is done to have a censorship-resistant oracle for Beanstalk’s stability mechanism.
Another additional mechanism to support the peg of $BEAN is the Convert functionality. This functionality allows the conversion of deposited $BEAN into deposited LP and vice versa, moving the price towards a peg without the issuance of debt tokens. Users who convert also do not lose any claim on accrued Stalk and Seed tokens (both are explained later in this blog post).
Historical data has shown that the introduction of this mechanism has further stabilized the value of $BEAN. Further, and under certain conditions, if there is high excessive demand for $BEAN driving the price fast above the peg, the protocol can sell $BEAN token directly on Curve for LP token. The proceeds will be distributed among the governance token holders.
How was the Protocol Hacked?
The Beanstalk protocol lost $182M to a flash loan attack on the 17th of April 2022 while an attacker was able to extract and gain around $77M in non-Bean assets. How could the hacker access the beanstalk protocol's $182M in funds?
Soon after the hack happened, it was identified that the attack vector for the exploit was in the governance mechanism of the protocol. The attacker identified that if they are able to collect enough voting power in the governance of the protocol, they could get access and full control over the protocol's funds. To achieve this, they utilized a flash loan. To better understand how a flash loan contributed to the success of the hack, we will first have a closer look into how flash loans actually work before we dig deeper into the governance mechanism of Beanstalk and how it was exploited.
What are Flash Loans?
Decentralized finance enables some unique use cases based on the characteristics of programmable finance via smart contracts. One of them is the use of flash loans. Flash loans have the characteristic of being loaned out AND repaid within the same transaction. If the borrower can't instantly repay the loan in the same transaction, the flash loan smart contract reverses the transaction without any change in the state of the chain. This makes it almost impossible to default on a flash loan.
Since flash loans are borrowed and repaid in the same transaction, they do not require any form of collateral from the borrower. This makes them the perfect tool for traders and arbitrageurs to utilize market inefficiencies across liquidity pools instantly.
Flash Loan Attacks
Although flash loans have almost no default risk, a flash loan smart contract can still be tricked by attackers. Sometimes, hackers can identify vulnerabilities in a flash loan's smart contract and trick it into believing that the loan has been repaid when it’s not. Further, flash loan attacks are used to manipulate the prices of trading pairs to create arbitrage opportunities artificially. Therefore, a strong imbalance in a pool is created with the borrowed assets. This works best if the price oracle used for the trading pair is based on the data on only a single DEX. To prevent this, oracle providers such as chainlink aggregate prices based on multiple exchanges.
Protocols, whose governance relies on on-chain voting which can directly trigger protocol upgrades without any additional security mechanism can be exploited by flash loan attacks if the attacker is able to acquire the number of governance tokens required to reach a super majority and thus, can control the protocol.
How Beanstalk Incentivizes Governance
The third token we haven’t introduced yet is Stalk, the governance token of the Beanstalk protocol. Users of the protocol accumulate Stalk in a 1:1 ratio by depositing $BEAN. Stalk grants you voting power on BIPs in the governance of the protocol. Further, it is used to accumulate $BEAN rewards by the system. As we have learned earlier, 1/3 of the newly minted $BEAN tokens are paid out to the Stalkholders. Stalk is currently not tradeable and is burned if the deposited $BEAN amount is withdrawn from the governance contract.
Since the protocol gives 1/3 of newly minted $BEAN to the Stalk holders, the system incentives $BEAN depositors to stay in the event of a bank run through Seeds. Seeds grow 1/10,000 Stalk every hour which means that there is an opportunity cost to leaving the Silo since every withdrawn $BEAN forfeits all grown Stalk.
Seeds are also an incentive mechanism that may be changed by governance. The community can for instance change the Seed rewards for the $BEAN or the LP token pool of Beanstalk to move liquidity where it's needed and thereby increase the stability of the Bean price.
$BEAN like all other major stablecoins highly depends on the liquidity in the pools of the stable swap AMM Curve, although the Beanstalk DAO is developing a Beanstalk-native zero fee AMM. The low slippage trading of the different stablecoins leads to efficient arbitrage trading. $BEAN is traded in the BEAN:3CRV pool against USDC, USDT, and DAI. The stability of the other assets in the pool such as USDT or USDC contributes to the peg stability of $BEAN. To incentivize liquidity provision without disadvantages, the protocol accepts Bean:3CRV pool LP tokens as deposits with the same rights as $BEAN. This also contributes to peg stability in a unique way. The convert function in the contract allows the direct exchange between $BEAN and the LP token without any loss of Stalk. Thus, the protocol can drive the price of $BEAN back to its peg by balancing the BEAN:3CRV pool.
The Hack
Now, we understand how flash loans work and how they can be used to attack the governance mechanisms of defi protocols such as Beanstalk. In Beanstalk, anyone with a 2/3rd share of the governance votes was able to propose and accept any improvement proposal with a time delay of only 24 hours. By having the supermajority in the voting power, the usual 7-day execution delay was skipped via the emergencyCommit() function in the governance contract. Thus, the attacker was able to drain the funds out of the contract.
Overall, the attack was well-planned & executed. To prepare the exploit, the attacker enabled his eligibility to participate in the governance by depositing over 200k in $BEAN into the silo and proposing two different simple Beanstalk Improvement Proposals. BIP 18 was left blank but contained a malicious payload (contract address) which was not verified at first. BIP 19 proposed a donation to support Ukraine containing the same contract address as the receiver address for the donation. A day later, the attacker deployed the contract that executed the final step of the attack, which used a flash loan to deposit assets into the BEAN:3CRV and receive LP tokens which are whitelisted in the governance contract of the Silo to receive Stalk, Beanstalk governance token. The attacker obtained more than 2/3 of the voting power and accepted the proposed receiver address to drain the funds of the protocol. After repaying the obtained flash loan, the attacker ended up with over $76m of ETH in profit and immediately moved them to Tornado Cash to anonymize the funds.
The team reacted by pausing the protocol and taking enough time to analyze what happened properly. Interestingly, large parts of the community signaled interest in rebuilding and reviving the protocol.
The Replant of Beanstalk
This summer, the Beanstalk protocol went live again. How did the community manage to relaunch the protocol successfully?
After the protocol was stopped and the exploit and its implications were fully understood, the community proposed the ‘Barn Raise’, an on-chain fundraising mechanism that translates to a $77m USDC loan borrowed by the protocol from lenders receiving interest. Interest and principal of the loan are repaid by 1/3 of future $BEAN mints. To prevent further governance attacks, the community has introduced a Gnosis Safe multi-sig consisting of core contributors and community members. Further, the protocol received audits by Halborn and Trail of Bits as well as opened a bug bounty program via Immunefi to minimize the possibility of bugs and attack vectors in the protocol. On the 6th of August 2022, the protocol was finally relaunched exactly one year after it was deployed in 2021.
What are the Risks Associated With the Protocol?
The Beanstalk protocol combines different unique features which still have to be proven secure over time. This is also transparently communicated by the DAO. The community has prepared a list of disclosures on the risks associated with Beanstalk. Beanstalk, although aiming to become the leading stablecoin in the Ethereum ecosystem, is described as an experiment testing the scalability of an on-chain stablecoin protocol. We have summarized the most important risk and put them into context in the following:
1. 5-of-9 multi-sig governance based on anonymous community members.
After an attacker was able to exploit the on-chain governance mechanism via a flash loan attack, the community first decided to halt and remove the on-chain governance. It was then relaunched based on a 5-of-9 multi-sig custody ownership of the contract. The multi-sig participants are required to execute the results of community votes via Snapshot. For now, the holders of the keys in the multi-sig are anonymous community members. Although this is communicated as an additional security buffer by the community, it constitutes an additional risk for new users since they have no possibility to assess the legitimacy of the multi-sig holders.
2. There exists no maximum $BEAN supply.
In addition to the elastic $BEAN supply based on its price stability mechanism, the community has the option to mint an arbitrary number of new $BEAN at any time based on the governance executed through the multi-sig. Regularly, the supply of $BEAN is based on its demand and the willingness of creditors to take the counterparty for a specific interest rate.
3. The peg of $BEAN relies on the protocol's ability to always attract enough creditors.
This comes down to the core mechanism of Beanstalk. The protocol’s algorithm mints and burns $BEAN based on credit. If $BEAN loses its peg, the protocol needs to attract enough creditors to be able to burn $BEAN and decrease the outstanding supply. This mechanism heavily relies on the trust of the creditors that there will be enough $BEAN demand in the future to repay the debt of the protocol.
4. There is no enforceable claim as a creditor since the debt tokens have no maturity and thus, the redeemability of $BEAN is not guaranteed.
Thus, the creditors in the Beanstalk system bear the full risk of holding fixed-income debt tokens. The interest rate paid is compensation for the risks of the credit system. Creditors can't properly assess the timeframe of getting the loan repaid by the protocol.
5. Community could enforce changes to the protocol which are economically unfavorable for $BEAN holders or creditors.
This is a practical risk that is part of any defi protocol that is governed in a decentralized fashion. The vote of the majority within the community is not guaranteed to represent maximized profit/value creation for any stakeholder in the protocol.
6. The anonymous multi-sig holders can’t be forced to follow the votes of the DAO.
This means that instead of direct enforceable on-chain governance as with the initial but exploited governance mechanism of the protocol, there is no possibility to enforce the multi-sig holders always to follow the vote of the community. Since the multi-sig holders are anon, this will always constitute a high risk for the stakeholders.
7. Gov token is not capped, and someone could acquire an arbitrarily high amount to take over control of the governance. However, the multi-sig holders could intervene.
There is no limit to how many stalk tokens a stakeholder can accumulate. The only constraint is the economic power of the acquirer. The multi-sig of the community however could always intervene in harmful governance takeovers.
8. Currently, $BEANs liquidity fully relies on the BEAN:3CRV Pool, and hence, its security is dependent on Curve.
The current stability of the $BEAN peg heavily relies on the attractiveness of the BEAN:3CRV pool to attract liquidity. As long as traders can balance even small deviations from the peg through high-volume arbitrage against the stability of USDC, USDT, and DAI, the trust in $BEAN remains. The protocol even incentivizes holding LP positions or converting $BEAN into LP tokens if required to maintain the peg. Currently, an economic or technical failure of the BEAN:3CRV Pool could heavily hurt the stability of $BEAN.
9. The frontend is closed-sourced and could be censored.
The frontend in app.bean.money is closed-source and thus, could be either censored or even tempered by the hosts. Open-sourcing the frontend or providing another open-source frontend would reduce this risk for users interacting with the Beanstalk protocol.
Conclusion
The Beanstalk protocol combines many different characteristics to strive for the goal of creating a stable, decentralized, and capital-efficient stablecoin. Although based on an algorithm, $BEAN's design differs a lot from other algorithmic stablecoins such as USTC. Instead of relying on a tradable governance token used for speculation and as a risk absorber, Beanstalk aligns the value creation and utility in the $BEAN token. The risks are held by the creditors of the system, and the Beanstalk DAO is transparently communicating this in its disclosures.
The team and community have proven resilience and long-term orientation with the Replant of the protocol after the hack. Critical attack vectors in the governance system have been eliminated, and top-tier audits have been conducted. We will closely follow the further development of the protocol and its unique approach to address the growing stablecoin demand.
