Beanstalk is a decentralized credit based stablecoin protocol. The protocol was exploited through a flash loan to take advantage of a poor governance design in the contract to pass a proposal using the number of tokens held in the account allowing liquidity to be removed into a private Ethereum wallet. According to the port-mortem, the exploited code was not audited by the auditor. Stolen funds were converted inbto ETH and deposited into Tornado.Cash. It is very unlikely that the event was an inside job because the developers self-doxxed themselves (https://cryptonews.com/news/beanstalk-hacker-drains-usd-182m-from-project-but-nets-only-usd-80m.htm) as well as reported the incident to the FBI's IC3.

Beosin provided the breakdown of the event:

1. The hacker initiated a proposal one day before the attack, and the proposal will withdraw funds from Beanstalk: Beanstalk Protocol contract once passed. https://medium.com/@Beosin_com/beosins-analysis-of-the-beanstalk-exploit-6c2f4900af87

2. The hacker exchanged 350,000,000 DAI, 500,000,000 USDC, 150,000,000 USDT, 32,100,950 BEAN and 11,643,065 LUSD as a reserve of funds through flashloan.

3. Added DAI, USDC, USDT funds from step-2 in Curve.fi DAI/USDC/USDT trading pool as 979,691,328 3Crv liquidity tokens, swapping 15,000,000 3Crv for 15,251,318 LUSD.

4. Converted 964,691,328 3Crv tokens into 795,425,740 BEAN3CRV-f for voting and added liquidity to 32,100,950 BEAN and 26,894,383 LUSD to get 58,924,887 BEANLUSD-f liquidity tokens.

5. The hacker used BEAN3CRV-f and BEANLUSD-f from step 4 to vote on the proposal, resulting in the proposal passing. Thus the Beanstalk: Beanstalk Protocol contract transferred 36,084,584 BEANs, 0.54 UNI-V2s, 874,663,982 BEAN3CRV-fs, and 60,562,844 BEANLUSD-fs to the contract deployed by the hacker.

6. Finally the hacker removed liquidity and returned the flashloan, converting the profited tokens into 24,830 ETH and transferred to the hacker’s address.