Last month, a cryptocurrency named Beanstalk was scammed out of over $180 million (about Rs 1,400 crore). The attack was unusual: the attacker used borrowed funds to accumulate the voting rights needed to transfer all the money to his own account. The heist was reported in the New Indian Express on April 18.
Beanstalk (https://bean.money) describes itself as a “decentralized” asset that is also a “stablecoin”. Unlike other cryptocurrencies such as Bitcoin, which can vary wildly in value, stablecoins are pegged to a country’s fiat currency. In most cases, this is the US dollar, and the attempt is to keep the value of the stablecoin at 1 stablecoin = $1. While Beanstalk itself is the network in which digital currency transfers occur, the blockchain system provides users with cryptographic units called “beans”, which are the platform’s official tokens. Those who make deposits on its network are called “bean farmers”, tending to the “fields”, and their accounts or wallets are called “silos”. Beanstalk effectively functioned as a bank, allowing savers called bean farmers to deposit beans in a field and use their savings to ensure that the value of a single bean remained as close to $1 as possible.
For a stablecoin to work properly, it needs sufficient reserves to secure its coin. Basically, there are three ways to guarantee a stablecoin. The first is to collateralize by fiat – this means that the coins are backed by real assets in reserve; for each stablecoin, there should be the real currency equivalent in assets. The second is to collateralize with cryptocurrency, although here price volatility is still an issue. Stablecoin providers try to solve this problem by “over-collateralization”: for example, $1 of stablecoin is linked to $2 of crypto, to cover the volatility of the underlying crypto. The goal is to create the benefits of decentralization for stablecoins while crypto-reserves absorb the impact of market volatility.
The third way, which is technically the most difficult, is to collateralize in a decentralized way. Here, stablecoins are not tied to any type of reserve, but instead use smart contracts to monitor price fluctuations and programs to issue and buy coins accordingly. By way of explanation, a smart contract is a decentralized computer application or program that executes business logic in response to external events. The execution of smart contracts can result in the exchange of money, the provision of services, or other types of transactions such as changing the name on the ownership documents of a house.
A few months ago, I wrote an invite for The Financial Express about decentralized finance (or DeFi as it’s commonly known in the tech industry), which allows apps to create financial instruments using underlying cryptocurrencies such as Bitcoin and Ethereum. The Bean Bank is itself a product of DeFi. The problem is that the DeFi space is largely unregulated, and in legal and financial terms, it’s effectively the Wild West.
Apparently, some of Beanstalk’s bean producers were encouraged to deposit cryptocurrencies such as Ether in a “silo” to build up the stablecoin’s reserves in exchange for voting rights over the operation of the organization via a DAO or “Decentralized Autonomous Organization”. The purpose of DAOs is to act as a business in the crypto world, a business controlled directly by its shareholders without governance structures such as a board of directors and/or senior management.
Last month, a DAO vote resulted in the bank’s entire silo being transferred, all at once. The attacker had borrowed $80 million in cryptocurrency and deposited it in the DAO project silo, gaining enough voting rights in the DAO to be able to instantly pass any proposal to the “Bean Bank”. With this power, the attacker voted to transfer the contents of the treasury to himself, then returned the voting rights in the process of withdrawing the money, and then repaid the loan. All this in seconds.
The attacker took advantage of a “flash loan” to take control. Flash loans are only possible in the crypto space – these are loans that are repaid instantly. Their advantage is for people who have spotted arbitrage opportunities in digital assets. If you spot an opportunity to sell a digital asset at, say, $11 and buy it for $10, then you can borrow $100 million, execute the trade to earn $110 million, return the original $100 million and keep the profit of $10 million, all in one operation. The lender takes no risk – as the loan literally cannot go unpaid – and charges a small fee for the service. While flash loans were obviously designed to trade on arbitrage opportunities, they became an unwitting accomplice in a digital bank scam.
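The sequence in the two paragraphs above, as a toy Python model added here (it is not Beanstalk's code): it shows why a vote weighted by the stake held at execution time can be carried with borrowed funds, and why reading voting weight from a snapshot taken before the transaction makes the same sequence revert. The class and function names, the 40 million of existing stake and the simple-majority threshold are assumptions, and the loan fee is omitted.

```python
import copy

class Revert(Exception):
    """Aborts the transaction; every state change made inside it is undone."""

class Protocol:
    def __init__(self, use_snapshot):
        self.use_snapshot = use_snapshot
        self.cash = {"lender": 80_000_000, "borrower": 0}  # loan size from the article
        self.stake = {"farmers": 40_000_000}               # constructed figure
        self.earlier_stake = dict(self.stake)              # stake as of a prior block
        self.treasury = 180_000_000                        # figure from the article
    def deposit(self, who, amount):
        if self.cash[who] < amount:
            raise Revert("insufficient funds")
        self.cash[who] -= amount
        self.stake[who] = self.stake.get(who, 0) + amount
    def withdraw(self, who):
        self.cash[who] += self.stake.pop(who, 0)
    def execute_transfer_proposal(self, who):
        # Weak: weight = stake right now. Hardened: stake recorded before this transaction.
        book = self.earlier_stake if self.use_snapshot else self.stake
        if 2 * book.get(who, 0) <= sum(book.values()):     # assumed simple majority
            raise Revert("not enough voting power")
        self.cash[who] += self.treasury
        self.treasury = 0
    def flash_loan(self, who, amount, callback):
        saved = copy.deepcopy(self.__dict__)
        try:
            self.cash["lender"] -= amount
            self.cash[who] += amount
            callback(self, who, amount)
            if self.cash[who] < amount:
                raise Revert("loan not repaid")
            self.cash[who] -= amount
            self.cash["lender"] += amount
            return True
        except Revert:
            self.__dict__.update(saved)                    # atomic rollback
            return False

def sequence_from_article(p, who, amount):
    p.deposit(who, amount)             # borrowed funds become voting stake
    p.execute_transfer_proposal(who)   # vote and execution happen in the same transaction
    p.withdraw(who)                    # stake comes back out so the loan can be repaid

def run(use_snapshot):
    p = Protocol(use_snapshot)
    ok = p.flash_loan("borrower", 80_000_000, sequence_from_article)
    return ok, p.treasury, p.cash["borrower"], p.cash["lender"]
```

`run(False)` models voting on current stake and `run(True)` the snapshot design; in both cases the lender ends with its 80 million, which is the sense in which the loan cannot go unpaid.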
In the real world, and in order, this would mean taking out a loan to buy out 51% of the voting shares of the bank (legal), using the voting rights to transfer money to yourself (illegal – a board member with majority rights simply can’t vote to transfer all of a company’s assets to himself), selling your shares to the bank (legal), and paying off your loan (legal). To add to the illegality, no bank can vote to transfer all of its assets – that would be in violation of all sorts of banking laws. And of course, the real-world equivalent of a DAO would also be illegal.
The problem? Well, the attacker used legal means to carry out the attack. Buying voting rights in the DAO was legal, and flash lending was also legal.
It seems to me that we will constantly be catching up now that the crypto genie is out of the bottle.
The author is a technology consultant and venture capitalist; By invitation