On April 17th, the decentralized finance (DeFi) project Beanstalk Farms was exploited for $182 million after an attacker mounted a lightning-fast hostile takeover, buying a controlling stake of tokens and immediately voting to send themself all of the funds.
The incident sparked discussion around “governance attacks,” a way of manipulating blockchain projects that use decentralized governance structures by gaining enough voting rights to reshape the rules.
In the wake of the attack, chat logs and video evidence show that the founders were warned about the risk of exactly this kind of attack, but they dismissed community members’ concerns.
The Beanstalk exploit was made possible by another DeFi mechanism known as a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time, provided the loan is repaid within the same transaction. In the case of the recent hack, the attacker borrowed close to $1 billion in cryptocurrency assets through a service called Aave, exchanged them for a 67 percent share in the Beanstalk project, voted through their own proposal to withdraw the entire treasury, and returned the borrowed funds — all in less than 13 seconds. A borrowed stake is only useful as a weapon because Beanstalk measured voting power from the tokens an address held at the moment of the vote and allowed a proposal backed by a supermajority to be executed immediately, so a stake held for a single transaction counted as much as one held for months.
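The sequence above, modelled as a toy simulation; this is an added example, not Beanstalk's, Aave's or any real protocol's code, and the balances, treasury size, loan amount and 1:1 swap price are constructed for illustration. It runs the same atomic borrow, buy, propose, vote, execute, sell, repay transaction against three governance configurations: the unprotected one, one that weighs votes by a balance snapshot taken before the proposal existed, and one that requires a delay between proposal and execution.

```python
"""
Toy model of a flash-loan governance attack and two controls that defeat it
(snapshot voting and an execution delay). Constructed for illustration; not
the code of Beanstalk, Aave or any real protocol.
"""
import copy
from dataclasses import dataclass, field
from fractions import Fraction

SUPERMAJORITY = Fraction(2, 3)   # share of voting power that lets a proposal execute


class Revert(Exception):
    """A failed step; the whole atomic transaction is rolled back."""


@dataclass
class Chain:
    balances: dict                 # holder -> governance tokens (a liquidity pool is a holder too)
    treasury: int                  # value a passed proposal can send to any recipient
    snapshot_voting: bool = False  # weigh votes by balances at the block before the proposal
    execution_delay: int = 0       # blocks that must elapse between proposal and execution
    block: int = 0
    history: dict = field(default_factory=dict)    # block -> balances at the end of it
    proposals: list = field(default_factory=list)

    def next_block(self):
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def propose(self, recipient):
        # Snapshot from the previous block: tokens bought in this block carry no weight.
        snap = self.history.get(self.block - 1) if self.snapshot_voting else None
        self.proposals.append({"recipient": recipient, "block": self.block,
                               "snapshot": snap, "votes": 0})
        return len(self.proposals) - 1

    def vote(self, pid, voter):
        p = self.proposals[pid]
        weights = p["snapshot"] if p["snapshot"] is not None else self.balances
        p["votes"] += weights.get(voter, 0)

    def execute(self, pid):
        p = self.proposals[pid]
        weights = p["snapshot"] if p["snapshot"] is not None else self.balances
        supply = sum(weights.values())
        if supply == 0 or Fraction(p["votes"], supply) < SUPERMAJORITY:
            raise Revert("not enough votes")
        if self.block - p["block"] < self.execution_delay:
            raise Revert("execution delay not elapsed")
        amount, self.treasury = self.treasury, 0
        return amount                          # paid out to p["recipient"]


def flash_loan_attack(chain, attacker="attacker", pool="pool", loan=700):
    """One atomic transaction: borrow, buy votes, pass a self-paying proposal,
    sell the votes back, repay. Returns (resulting chain, value stolen);
    on any revert the original chain is returned untouched and 0 is stolen."""
    work = copy.deepcopy(chain)                # either everything lands or nothing does
    try:
        asset = loan                                       # borrowed asset in hand
        bought = min(loan, work.balances.get(pool, 0))     # constructed 1:1 swap price
        work.balances[pool] -= bought
        work.balances[attacker] = work.balances.get(attacker, 0) + bought
        asset -= bought
        pid = work.propose(recipient=attacker)
        work.vote(pid, attacker)
        stolen = work.execute(pid)
        work.balances[attacker] -= bought                  # sell the stake back
        work.balances[pool] += bought
        asset += bought + stolen
        if asset < loan:
            raise Revert("flash loan not repaid")
        return work, asset - loan
    except Revert:
        return chain, 0


def scenario(snapshot_voting=False, execution_delay=0):
    """Constructed state: honest holders own 300 votes, the pool 700, treasury 1,000,000.
    Returns (value stolen, treasury left)."""
    chain = Chain({"honest": 300, "pool": 700}, treasury=1_000_000,
                  snapshot_voting=snapshot_voting, execution_delay=execution_delay)
    chain.next_block()                         # some history exists before the attacker appears
    chain, stolen = flash_loan_attack(chain)
    return stolen, chain.treasury


if __name__ == "__main__":
    print("unprotected:     ", scenario())
    print("snapshot voting: ", scenario(snapshot_voting=True))
    print("execution delay: ", scenario(execution_delay=1))
```

With no protection the attacker's 700 of 1,000 votes clears the two-thirds bar and the treasury is gone before the loan is repaid. A snapshot gives the borrowed tokens zero weight, and a delay of even one block forces the stake to be held across blocks, which a flash loan cannot do. Note that a delay alone does not stop an attacker who genuinely owns a supermajority; it only buys the other holders time to react.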
Though the attack shocked Beanstalk users — some of whom claimed to have lost six-figure sums of money — the threat of a governance attack was raised in Beanstalk’s Discord server months previously and in at least one public AMA session held by Publius, the development team behind the project.
On February 12th, in a…