Beanstalk Farms lost $182 million when attackers used flash loans to acquire governance voting power and drain protocol vaults through a malicious proposal.
An attacker drained $182 million from Beanstalk Farms on April 17, 2022, by flash-loaning over $1 billion across three lending protocols and voting through a malicious governance proposal in a single blockchain transaction before repaying the borrowed funds.
The exploit targeted a fundamental flaw in how Beanstalk weighted governance voting power. The protocol granted voting rights based on Stalk holdings—ERC-20 governance tokens—without preventing attackers from borrowing massive token quantities instantaneously. The hacker flash-loaned $1 billion in DAI from Aave, $32 million in BEAN from Uniswap V2, and nearly $12 million in LUSD from SushiSwap, then converted these assets into Beanstalk liquidity positions that generated Stalk tokens.
With the borrowed Stalk, the attacker acquired the two-thirds voting threshold needed to execute emergency governance proposals. Beanstalk's emergency governance pathway allowed voting and execution within the same transaction—a fatal design choice that assumed governance participants would hold genuine economic exposure to the protocol. The attacker submitted two proposals: BIP18 authorizing the transfer of $182 million to an attacker-controlled address, and BIP19 directing $250,000 to Ukraine's official cryptocurrency donation address.
The transaction executed in seconds. The attacker deposited the flash-loaned assets into Beanstalk's Diamond contract, voted for BIP18, triggered the emergency execution, and extracted roughly $80 million in cryptocurrency before repaying all flash loans and exiting the protocol. The remaining $102 million in stolen assets were burned by the protocol during remediation. The attacker then moved 24,930 ETH (worth roughly $76 million at the time) through Tornado Cash in 270 equal-sized transactions.
The Beanstalk team posted a statement within hours of the discovery: "As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter's ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well." The team immediately paused governance and froze remaining BEAN tokens in the exploit contract. On April 19, Beanstalk announced a $1.8 million bounty if the attacker returned 90 percent of stolen funds—a symbolic gesture toward a hacker who had already moved millions through mixing services.
Core team member Publius later took a controversial stance on accountability, stating: "When you ask us to take responsibility, it's really inappropriate," arguing that as an open-source project, the team bore no legal obligation for the attack. The comment triggered backlash from affected users who demanded the developers acknowledge governance failures rather than deflect responsibility.
The attack exposed a governance vulnerability that most protocols had overlooked. Any protocol that weighted votes by current token balance alone, with neither transaction ordering controls nor voting weight snapshots taken before proposal submission, was exposed to the same attack. Flash loan governance attacks became a recognized vulnerability class within days as security researchers published mitigation frameworks recommending vote delegation separation, block delays between proposal and execution, and voting power calculated at historical block heights rather than current state.
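The following is an added illustration of the two points above: the voting model described in the exploit narrative (voting power read from the current token balance, with proposal, vote and execution allowed in the same block) and the mitigations listed here (voting power checkpointed at the block before submission, plus an execution delay). It is a toy Python model written for this page, not Beanstalk's Diamond contract code; the balance ledger, the `Governance` class, the two-thirds threshold check and the constructed balances (60, 40 and a 1000-token borrowed position) are all assumptions made for the example. The `simulate_*` functions return whether a proposal executed, so the same scenario can be run against each configuration.

```python
"""Toy model contrasting current-balance governance with checkpointed voting.
Written as an added example; not the protocol's own code."""


class Ledger:
    """Token balances with per-address and total-supply checkpoints, in the
    style of checkpoint-based governance tokens (assumed design)."""

    def __init__(self):
        self.block = 0
        self.balances = {}
        self.total_supply = 0
        self.checkpoints = {}            # addr -> [(block, balance), ...]
        self.supply_checkpoints = [(0, 0)]

    def _record(self, addr):
        self.checkpoints.setdefault(addr, []).append((self.block, self.balances[addr]))
        self.supply_checkpoints.append((self.block, self.total_supply))

    def mint(self, addr, amount):
        self.balances[addr] = self.balances.get(addr, 0) + amount
        self.total_supply += amount
        self._record(addr)

    def burn(self, addr, amount):
        if self.balances.get(addr, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[addr] -= amount
        self.total_supply -= amount
        self._record(addr)

    def advance_block(self, n=1):
        self.block += n

    @staticmethod
    def _value_at(checkpoints, block):
        # Last checkpoint written at or before `block`; 0 if none exists.
        value = 0
        for cp_block, cp_value in checkpoints:
            if cp_block > block:
                break
            value = cp_value
        return value

    def balance_at(self, addr, block):
        return self._value_at(self.checkpoints.get(addr, []), block)

    def supply_at(self, block):
        return self._value_at(self.supply_checkpoints, block)


class Proposal:
    def __init__(self, pid, proposer, submitted_block):
        self.id, self.proposer, self.submitted_block = pid, proposer, submitted_block
        self.for_votes, self.voters, self.executed = 0, set(), False


class Governance:
    """Two-thirds-of-supply threshold. `snapshot_votes` reads weight at the
    block before submission; `execution_delay` is the minimum number of blocks
    between submission and execution (0 allows same-block execution)."""

    def __init__(self, ledger, snapshot_votes, execution_delay):
        self.ledger, self.snapshot_votes = ledger, snapshot_votes
        self.execution_delay, self.proposals = execution_delay, {}

    def propose(self, proposer):
        p = Proposal(len(self.proposals) + 1, proposer, self.ledger.block)
        self.proposals[p.id] = p
        return p

    def voting_power(self, voter, p):
        if self.snapshot_votes:
            # Balances changed in the submission block (e.g. a borrowed
            # position) do not count: the reference block precedes it.
            return self.ledger.balance_at(voter, p.submitted_block - 1)
        return self.ledger.balances.get(voter, 0)

    def eligible_supply(self, p):
        if self.snapshot_votes:
            return self.ledger.supply_at(p.submitted_block - 1)
        return self.ledger.total_supply

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if voter in p.voters:
            raise ValueError("already voted")
        p.voters.add(voter)
        p.for_votes += self.voting_power(voter, p)

    def execute(self, pid):
        p = self.proposals[pid]
        if p.executed or self.ledger.block < p.submitted_block + self.execution_delay:
            return False
        if p.for_votes * 3 < 2 * self.eligible_supply(p):
            return False
        p.executed = True
        return True


def _ledger_with_holders():
    # Constructed sample state: two genuine holders, minted in block 0.
    ledger = Ledger()
    ledger.mint("holder_a", 60)
    ledger.mint("holder_b", 40)
    ledger.advance_block()          # now at block 1
    return ledger


def simulate_same_block_takeover(snapshot_votes, execution_delay):
    """Balance acquired, proposal submitted, voted and executed, then balance
    returned, all within one block. Returns True if the proposal executed."""
    ledger = _ledger_with_holders()
    gov = Governance(ledger, snapshot_votes, execution_delay)
    ledger.mint("borrower", 1000)   # temporary position, constructed amount
    p = gov.propose("borrower")
    gov.vote(p.id, "borrower")
    executed = gov.execute(p.id)
    ledger.burn("borrower", 1000)   # position returned in the same block
    return executed


def simulate_legitimate_vote():
    """Genuine holders pass a proposal under the hardened configuration."""
    ledger = _ledger_with_holders()
    gov = Governance(ledger, snapshot_votes=True, execution_delay=1)
    p = gov.propose("holder_a")
    ledger.advance_block()          # votes and execution in a later block
    gov.vote(p.id, "holder_a")
    gov.vote(p.id, "holder_b")
    return gov.execute(p.id)


if __name__ == "__main__":
    print("current balance, no delay:", simulate_same_block_takeover(False, 0))
    print("snapshot only:            ", simulate_same_block_takeover(True, 0))
    print("delay only:               ", simulate_same_block_takeover(False, 1))
    print("hardened, genuine holders:", simulate_legitimate_vote())
```

Either mitigation on its own defeats the same-block pattern in this model: the checkpoint makes a balance acquired in the submission block worth zero votes, and the execution delay forces the borrowed position to survive past the block in which it was taken, which a flash loan cannot do. The legitimate-vote run shows that holders whose balances predate the proposal are unaffected, which is the property a protocol should check for before adopting either control.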
Beanstalk resumed operations in June 2022 with substantially rebuilt governance architecture, but user confidence had eroded irreversibly. Total value locked plummeted from $1 billion pre-attack to under $100 million by year-end as users migrated to competing stablecoin protocols. While the protocol survived as a technical project, the $182 million theft transformed Beanstalk from a promising algorithmic stablecoin into a cautionary example of DeFi governance fragility.