Episode 237: Jacked on the Beanstalk – DeFi’s Security Debt Runs Wide, Deep

This weekend, the decentralized finance platform Beanstalk Farms acknowledged that it was the latest victim of a sophisticated cyber attack, with an estimated $182 million stolen in an attack that exploited Beanstalk’s majority vote governance system to approve an illicit transfer of crypto currency assets.

According to reporting by the Verge and other outlets, Beanstalk – which describes itself as a “decentralized credit based stablecoin protocol”- was robbed via a sophisticated attack that saw malicious actors exploit Beanstalk’s governance mechanism by which participants can vote collectively on changes to the code, with votes proportional to the value of tokens that they hold.

What SolarWinds Tells Us About Securing the Software Development Supply Chain

Jennifer Fernick is the Senior Vice President & Global Head of Research NCC Group.

According to monitoring firms, the attack saw hackers use a “flash loan” to borrow close to $1 billion in cryptocurrency assets, which they used to buy a supermajority voting stake in Beanstalk Farms. That voting power was then used to execute code that transferred an estimated $182 million in Beanstalk cryptocurrency assets to their own wallet. The attacker then instantly repaid their flash loan, netting an $80 million profit when it was all said and done.

2021: A big year for DeFi…and DeFi hacks

The Beanstalk hack, however, is just the latest to affect so-called “decentralized finance” (or DeFi) systems – and not even close to the largest one, at that.

In fact, even as ads for cryptocurrencies and crypto exchanges filled the airwaves during the Super Bowl, massive hacks and attacks on many of those same platforms were raising red flags among regulators, not to mention information security and cryptography pros. Of the 10 largest cryptocurrency hacks of all time, three have occurred in just the last 18 months. And that doesn’t even capture the slew of smaller scale hacks and compromises of cryptocurrency platforms or individual wallets. 

If cryptocurrencies based on the block chain are destined to supplant sovereign currencies, based on the backing of central banks and globally accepted rules of commerce, they will need to prove that they are at least as secure. And yet, as the Beanstalk hack indicates: many DeFi applications and platforms suffer from the same problems as any other web applications, namely: business logic flaws, exploitable software holes, vulnerable protocols and rampant supply chain vulnerabilities. 

The (security) challenges of inventing your own money

In this episode of the podcast, we’re joined by someone who has been thinking long and hard about the security of Decentralized Finance. Jennifer Fernick (@enjenneer) is the Senior Vice President & Global Head of Research at NCC Group and a founding Governing Board and Technical Advisory Committee member of the Open Source Security Foundation

Episode 220: Unpacking The Kaseya Attack And Securing Device Identities on the IoT

In this conversation, Jennifer and I talk about promises and challenges of DeFi systems, and whether attacks like the recent hack of Ronin and Poly Network are simply growing pains in a fast emerging DeFi ecosystem – or fatal flaws that will kneecap efforts to built a viable system of decentralized finance. 

Jennifer Fernick is  the SVP & Global Head of Research at NCC Group and a founding Governing Board and Technical Advisory Committee member of the Open Source Security Foundation.