Governor DAO Post Mortem BEAN Governance Exploit
Governor DAO
$BEAN
Governance Exploit Post-Mortem
4/17/2022
By Jon Greenwood (jgr33nwood.eth)
Abstract
Bean.Finance is a novel stable token operating on the ETH mainnet that acts as a debt consolidation point - pegging debt to future gains via their field and silo mechanisms in a previously unseen way. BEAN has stayed under the radar until more recently, where the market cap exploded from $40m to $180m in two weeks.
On or around block 14595309 on Apr-16-2022 08:38:56 AM (+UTC) a malicious actor exchanged $220,000 USD in ETH into BEAN in what starts a long trail of events to a full governance overthrow attack (TX Here).
  • Following this transaction, the actor moved those BEANS into the Silo in this transaction.
  • BIP 18 and later, BIP 19 were created and posted to the on-chain governance proposal section of the BEAN platform. These proposals voted for 250,000 BEANS to Ukraine via their official ETH wallet. Also, they asked for a 10,000 BEAN payment directly to the proposer.
  • The attacker executes the attack:
a) They took out a flash loan from Aave
b) They accumulated as many whitelisted Silo assets as possible by buying Beans and adding LP positions (Bean:LUSD Curve LP, Bean:3Crv Curve LP).
c) They deposited all of the assets into the Silo and accumulated a Stalk position of > 67% of all outstanding Stalk. (Stalk is the governance token of the BEAN ecosystem)
d) The attacker emergency committed BIP-18 which transfers all assets in the Beanstalk contract to their wallet. Here
A Note on BEAN BIPs
Proposing a BIP requires the proposer to own 0.1% of Beanstalk. A BIP can be emergency committed if: - It has been > 24 hours from the time of proposition - Has > 67% of the vote in favor of the BIP. Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP. This was the fault that allowed the hacker to exploit Beanstalk. It is important to note that up until the execution of transaction (4), nothing appeared to be wrong. The attacker was able to propose a BIP as designed by the protocol.
Working Modality
To be fully transparent: Governor DAO has previously engaged with BEAN as a possible SME for future services rendered. No funds have been exchanged. Also, Governor DAO members were heavily exposed to BEAN including the development team.
The attack vector seen in this event is a novel day-0 combined with a known vulnerability of on-chain voting systems. At Governor DAO we take a stance on governance that includes a mindset where on-chain voting apparatuses are not always secure due to their ability to have direct correlational moves to treasury funds, contract executions, and systematic changes to modalities previously not audited.
When looking at this exploit through rose-colored lenses, the animus falls on whoever “should have” seen this coming - in our eyes - this is shortsighted. There is no current consensus on how governance operations from an on-chain perspective should be moderated; if at all. After all this is the decentralized world of DeFi and the question always remains: IF (importance on this word) a governance system is set up flawlessly, should user interaction and quorum alone be the sole arbiter of sending funds, liquidating treasuries, and moving pools? The importance here is the IF. Throughout my tenure in the governance space circa THE DAO - many experts have hypothesized critical theories on governance and whether or not complete decentralization of high-cap or even smaller ecosystems is plausible.
Not a single B2B call goes by where the Governor team does not reference proposal attacks such as the one seen in the BEAN exploit this morning. We see proposal attacks and Sybil Resistance attacks as our bread and butter to defend against with our Sybil Resistance technology as well as GaaS (Governance as a Service) models. In the case of the BEAN exploit, without proper Sybil Resistant governance in place, or without another form of governance moderation that is removed from the automatically-executed transactional outcome: this exploit is a realistic outcome regardless of the amount of audits performed, contracts secured properly, or “eyes-on” the proposals simply because of this automatic nature.
In short, there was no logical prevention of this attack with an on-chain governance system in play. There are many other logical attacks that could theoretically have the same outcome, whereas off-chain voting would allow for a final trigger to be placed on either another quorum being met, a multi-signature, or owner wallet.
At the end of the day: not using democratic voting systems in combination with Sybil Resistant technologies creates a haven for voting quorum to be gamed. If all voters only held a maximum weight of 1+[99-x] (where the output is always lower than 2) there is no possible way for a single entity to kick off an event regardless of vector. Proof of Existence and GaaS would have solved this situation and prevented it in real time, not allowing the flash attack to have taken place and in fact would have alerted the team to malicious activity in real time thanks to reporting modules that can be set up giving the ability to hard-pause if needed.
The special part about this exploit was the obfuscation and “hidden payload” within the BIP which has not been previously seen in the wild; at least not in this way. The exploiter used a flash loan to borrow the voting power needed to push the proposal into emergency action via a bean purchase and deposit, and then ALSO triggered a withdrawal of funds in an exit call hidden within the BIP. Since a flash loan completes in a single block, the theoretical BEAN was non-existent, but it allowed the attacker to exit with “his share” of the protocol which was heavily inflated. Using this method the attacker tricked the protocol into relieving the ENTIRE liquidity provisions of the stable since he was theoretically entitled to those funds after depositing into all three pools on the BEAN platform and then exiting which pulled out all the liquidity in those pools. (LUSD,3CRV,BEAN/ETH LP) Once the transaction was over and the funds were removed that were previously deposited, less than 0.25% of the initial liquidity remained.
To recap: Funds were entered to buy voting power, and then in a quick succession, were used to vote to pass the proposal, which then triggered the overrun of BEAN ownership, which then allowed the exploiter to liquidate “his portion” which was not actually fully his, and was only inflated to look as such. This was a new modular-attack that required knowledge of the inner workings of the contract environment, as well as the inner-workings of the governance system. Most likely the exploiter is not a novice.
The only other small mitigation factor here that COULD have been used would be a better setup of Diamond Facades (EIP-2535) in a way that does not proxy into one another allowing access to an individual's protocol-held LP from a proposal creator. Since this is out of the scope of myself and Governor DAO’s base - I will refrain from commenting on this and leave it up to SOL professionals.
Anti-Mortem
An immediate recommendation to the BEAN team was made this morning by myself via Discord call at 8:15 AM CST - “Disable BIP immediately and move to Snap/Scattershot for off-chain governance and adhere to it.” This recommendation goes miles for both the recovery of the BEAN protocol, which Governor DAO is more than happy to assist with as possible - as well as the future of the protocol as it grows to surpass the previous 200M market cap.
Moving forward, the BEAN team has shown that they are going to listen to the advice of myself and other individuals to implement better governance systems as well as decouple governance systems from holdings in an off-chain manner.
I personally recommend on-chain reporting firms look into tracing the unique distribution of tornado funds to possibly freeze them at an endpoint - although this is unlikely due to the endpoint not being controllable or the endpoint being a non-cooperating entity.
People have mentioned that the proposals themselves were questioned by community members, but clearly nobody guessed that someone would flash-attack in order to send $250,000 to Ukraine. In reality the hidden exploit behind the contract call was bundled in a way that was obfuscated from normal interactions and appeared to be harmless. Another proposal to die, or be voted into existence at the whim of the community. Perhaps more eyes on these proposals are due in the future, regardless of their aim or scope - as a once over would have shown that the exploiter address and the payee address did not match on the BIP as one would think.
Governor DAO calls upon projects to take a SERIOUS look at their governance systems and how they can be better implemented, what works on paper does NOT always work out in the wild. Feel free to reach out to us for any help needed along the way - that is what we are here for. As far as BEAN is concerned, although current funds are drained, the team feels like there is a healthy chance that the project will rise from the ashes similar to Governor DAO itself.
Be safe out there,
Jon Greenwood
Managing Partner
Governor DAO
Copy link