Credit-based Defi protocol Beanstalk Farms was exploited for $184 million with the hacker using its vote governance system. The attacker initiated a “flash loan” obtained through the decentralized protocol Aave, to earn enough voting rights to loot the money in a matter of seconds. 

Beanstalk Farms is a DeFi project that facilitates the supply and demand of different digital currencies. Publius, the Beanstalk developer, created a governing system in which participants can vote on code. Their voting rights are based on the number of their tokens held.

The attack was made possible via “flash loan,” a DeFi product that lends money to users for a short amount of time. After receiving the loan, the attacker swaps the sum for enough Beans to acquire a majority stake. He received a code to transfer the loot to his wallet.

Beanstalk has offered the hacker a 10% whitehat bounty provided he will return 90% of the funds to Beanstalk Farms’ multi-signature wallet.

Last Monday, on a podcast, the company founders, including Brendan Sanderson, Michael Montoya, and Benjamin Weintraub, admitted that the flaw was in its designed product. They discussed how Beanstalk Farms would move forward if the hacker did not return the stolen funds.

The path will include moving forward and rebooting, and some sort of fundraising. Beanstalk Farms may have suffered a severe vulnerability, but its community remains optimistic about its survivability.