The crypto world is on edge after a series of hacks
Not long after dropping out of college to pursue a career in cryptocurrency, Ben Weintraub woke up to bad news.
Mr. Weintraub and two University of Chicago classmates had been working for the past few months on a software platform called Beanstalk, which offered a stablecoin, a type of cryptocurrency with a fixed value of $1. To their surprise, Beanstalk became an overnight sensation, attracting crypto speculators who saw it as an exciting contribution to the experimental field of decentralized finance, or DeFi.
Then it collapsed. In April, a hacker exploited a flaw in Beanstalk’s design to steal more than $180 million from users, one of a series of thefts this year targeting DeFi ventures. The morning of the hack, Mr. Weintraub, 24, was home for Easter in Montclair, NJ. He went into his parents’ bedroom.
“Wake up,” he said. “Beanstalk is dead.”
Hackers have terrorized the crypto industry for years, stealing Bitcoin from electronic wallets and raiding the exchanges where investors buy and sell digital currencies. But the rapid proliferation of DeFi start-ups like Beanstalk has given rise to a new kind of threat.
These loosely regulated ventures allow people to borrow, lend and conduct other transactions without banks or brokers, relying instead on a system governed by code. Using DeFi software, investors can take out loans without revealing their identity or even undergoing a credit check. When the market rallied last year, the emerging sector was hailed as the future of finance, a democratic alternative to Wall Street that would give amateur traders access to more capital. Crypto users entrusted approximately $100 billion in virtual currency to hundreds of DeFi projects.
But some of the software was built on faulty code. This year, $2.2 billion in cryptocurrency has been stolen from DeFi projects, according to crypto tracking firm Chainalysis, putting the overall industry on pace for its worst year of hacking losses.
Many of the thefts have stemmed from flaws in the computer programs – known as “smart contracts” – that run DeFi. The programs are often built quickly. And because smart contracts use open source code, which provides a publicly visible map of the software, hackers have been able to orchestrate attacks on the digital infrastructure itself, rather than simply infiltrating someone’s account. It’s the difference between robbing a person and emptying an entire bank vault.
“DeFi has introduced a whole other level for hackers to gain access to a platform,” said Erin Plante, Vice President of Investigations at Chainalysis. “It puts a lot of pressure on the space and limits the innovation that’s possible.”
The breaches have shaken faith in DeFi during a bleak period for the crypto industry. An epic crash this spring wiped out nearly $1 trillion and forced several high-profile companies into bankruptcy. In August, thieves exploited a coding problem to siphon off $190 million from a company called Nomad. Last week, crypto firm Wintermute said its DeFi division had been hacked, leading to a loss of $160 million.
Tracking the movement of stolen crypto is quite easy. Transactions are recorded on public ledgers called blockchains, which anyone can analyze to find patterns. But it is significantly more difficult to regain access to lost funds.
The hacks have prompted many DeFi startups to explore preventative measures, recruiting auditors to examine their code for vulnerabilities. Although other types of crypto firms cut costs during the downturn, security and auditing firms have seen a huge increase in business.
“This year was a good year for attackers,” said Goncalo Sa, founder of ConsenSys Diligence, which conducts code audits. “It’s definitely stuck in people’s minds that security is something they should take seriously.”
From the beginning of crypto, companies have struggled with security. In 2014, the first major Bitcoin exchange, Mt. Gox, was breached in a damaging attack that ultimately led to the company’s bankruptcy and the loss of billions of dollars in digital currency.
At the time, the industry was relatively small and uncomplicated. Now hackers can attack a wider ecosystem, including an experimental economy of crypto-based video games, decentralized lending projects and newfangled coins. Last year, a hacker stole $600 million from DeFi platform Poly Network; the thief returned the money after negotiations with the project’s managers.
This year’s hacks have caused far more damage. In March, a group sponsored by the North Korean government stole $620 million in digital currency from the Ronin Network, a DeFi platform that powers the Axie Infinity video game. Around the same time, a hacker exploited a software flaw in a DeFi project called Wormhole to make off with $320 million.
“A lot of people are setting up platforms with a known vulnerability,” said Chris Tarbell, a former FBI agent who now runs the cybersecurity firm NAXO. “In a target-rich environment, criminals are going to be opportunistic.”
The Wormhole hack exploited vulnerabilities in a new element of crypto technology known as a cross-chain bridge, which allows investors to switch back and forth between digital currencies built on separate blockchains. Some DeFi platforms facilitate these conversions to help people take advantage of trading opportunities; a trader who owns a lot of Ether, for example, might want to use an application on another currency’s blockchain without having to sell Ether and buy the other currency.
The sheer volume of crypto flowing over these cross-chain bridges makes them valuable targets. A total of 10 hacks this year have involved bridges, leading to losses of $1.3 billion, according to Chainalysis.
The technology is “very complicated, and complexity is the enemy of security,” said Steve Walbroehl, founder of crypto-security firm Halborn.
Beanstalk was not built as a cross-chain bridge. But it had other vulnerabilities baked into the code.
The inner workings of the project were almost comically unclear. A white paper outlining its mechanics consists of 61 pages of graphs, charts and mathematical equations (as well as a quote from Alexander Hamilton’s letter).
“The number of pods that grow from 1 bean sown is determined by the temperature – the beanstalk native interest – at the time of sowing,” reads a passage from a guide to the platform called the Farmers’ Almanac.
Essentially, Beanstalk allowed people to deposit tens of millions of dollars in virtual currency into a software system, which generated interest and helped maintain the value of a stablecoin called a bean.
The project did not work like a traditional start-up. Like many crypto-founders, Mr. Weintraub and his collaborators – Brendan Sanderson, 25, and Michael Montoya, 24 – kept their identities secret, calling themselves Publius, an homage to the authors of the Federalist Papers. When the software was released in August 2021, users who deposited their crypto were given votes in an investor collective called a decentralized autonomous organization, or DAO, which had to agree to make changes to the software.
Beanstalk’s collective governance was ultimately its undoing. In April, a hacker borrowed $1 billion in cryptocurrency from another DeFi project, Aave. The transaction was a so-called flash loan – a lightning-fast process in which a crypto user borrows funds without providing collateral, makes a trade and then immediately repays the loan, keeping profits generated from the series of near-simultaneous exchanges.
The code that Mr. Weintraub and his partners had designed did not have a mechanism to stop someone from using a flash loan to take over the platform. So the hacker used $1 billion to claim a huge stake in the Beanstalk DAO, taking total control of the software’s governance. The hacker then transferred everyone’s funds—almost $200 million in total—out of the Beanstalk system.
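The weakness described above comes down to when voting weight is measured. The following toy model is an added illustration with constructed names and numbers, not code from Beanstalk or Aave. It assumes a simplified DAO in which one voter above a two-thirds share can move the pooled funds, and it compares weights read at vote time with weights frozen in a snapshot when the proposal is created, one common mitigation.

```python
# Toy model with constructed numbers; not Beanstalk's or Aave's code.
from dataclasses import dataclass, field


@dataclass
class ToyDAO:
    stakes: dict            # live governance stake per address
    treasury: int           # pooled user funds controlled by governance
    use_snapshot: bool      # True = weights frozen when the proposal is created
    threshold: float = 2 / 3
    snapshot: dict = field(default_factory=dict)

    def propose(self):
        # Record every holder's stake at proposal time.
        self.snapshot = dict(self.stakes)

    def deposit(self, who, amount):
        self.stakes[who] = self.stakes.get(who, 0) + amount

    def withdraw(self, who, amount):
        self.stakes[who] -= amount

    def vote_and_execute(self, voter):
        # Pick the balance source: frozen snapshot or live stake.
        book = self.snapshot if self.use_snapshot else self.stakes
        share = book.get(voter, 0) / sum(book.values())
        if share < self.threshold:
            return 0                     # proposal rejected, treasury untouched
        drained, self.treasury = self.treasury, 0
        return drained


def same_transaction_takeover(use_snapshot):
    """Replay borrow -> stake -> vote -> unstake -> repay inside one step."""
    dao = ToyDAO(stakes={"alice": 60, "bob": 40}, treasury=180,
                 use_snapshot=use_snapshot)
    dao.propose()                        # proposal exists before the loan
    loan = 1000                          # uncollateralized, repaid in same step
    dao.deposit("borrower", loan)
    moved = dao.vote_and_execute("borrower")
    dao.withdraw("borrower", loan)       # stake returned to repay the lender
    return {"moved": moved, "treasury_left": dao.treasury}


if __name__ == "__main__":
    print("live balances:", same_transaction_takeover(use_snapshot=False))
    print("snapshot     :", same_transaction_takeover(use_snapshot=True))
```

With live balances the borrowed stake carries the vote and the pool is emptied; with the snapshot the borrowed stake has no weight, because it did not exist when the proposal was recorded.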
Panic ensued. “I lost $1 million today,” declared one Beanstalk user on YouTube. “It happened through prayers.”
Some users suspected that Mr. Weintraub and the other founders were behind the attack – a classic “rug pull” in which a team of developers absconds with investors’ funds.
“The pitchforks were out,” Mr. Weintraub said. “It felt like death.”
In the end, he and the other founders decided to continue the project. They reported the theft to the FBI and held talks with Beanstalk enthusiasts to find a way forward. In an April post on the chat forum Discord, they also revealed their identities for the first time. It was a risky move: Even if the project wasn’t a traditional business, they could be vulnerable to lawsuits from users or regulatory scrutiny.
Over the past few months, the Beanstalk DAO has been working to restart the project, recruiting blockchain analytics firms to help track down the lost crypto. The group also hired Halborn, the security firm, which reviewed the code to eliminate any vulnerabilities. Beanstalk officially reopened last month.
Such comeback efforts are increasingly common in crypto. “We’ve always been so transparent with the community that this is an experiment,” Mr. Weintraub said. “We’ll all figure this out together.”
The stolen funds are still missing.
Kitty Bennett contributed research.