On April 17, Beanstalk, a decentralized credit-based stablecoin protocol, experienced a devastating attack that resulted in the theft of ~$76M in user assets.
The attack was executed using an exploit in the governance mechanism of the protocol, which allowed the perpetrator to open a flash loan and use it to transfer user assets from the protocol’s reserve pool into their wallet. The perpetrator could then withdraw the funds without having to repay the loan, resulting in an irreversible loss of user funds.
The graph below shows the transfers of stolen funds from the heist orchestrated by a hacker. In the upper right corner, one can see that 101 ETH was sent to an address from Tornado, likely in exchange for a fee for gas usage. This same address then proceeded to transfer the funds to an Arbitrum network using Synapse bridge technology before transferring the funds to the hacker’s own address on the same Arbitrum network (0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4). The hacker then used bridge technology via Synapse to move the funds back to an ETH network, likely to implement a contract.
The left side of the graph highlights the contract and addresses used by the hacker for their transactions. For example, a hacker sent $250k USDC to an official address of the Ministry of Digital Transformation of Ukraine as a donation.

The remaining tokens were then converted from ETH back to native ETH and transferred to the hacker’s own address. Finally, 24,849.1 ETH was transferred to Tornado.