Bean Sprout, by 0x9c52dC78bd84007bF63987806f0aeEece0ef14a6

BSP-11: Contract Intelligence on Chain to investigate the Governance Exploit of April 2022

Voting ended almost 3 years ago. Succeeded.

Proposer

ipoandchill and sync.

Summary

Fund an in-depth investigation of the April 2022 governance exploit by Intelligence on Chain on behalf of the Beanstalk DAO.

Intelligence on Chain is a UK-based blockchain investigations firm: https://intelligenceonchain.com/

This initiative proposes to reallocate the equivalent of 42,000 USDC in BEAN from BSP-9. The proposal includes:

  1. An estimated two to three month investigation, culminating in a final report and a separate summary to be shared publicly.
  2. Automated monitoring for six months thereafter.
  3. An effort to recover funds, if possible.

Purpose

Many members of the Beanstalk community have expressed support for an independent investigation of the April 2022 governance exploit to better connect the dots, per the recently successful investigation and recovery effort by Euler Finance for its nearly $200M exploit in March 2023: https://twitter.com/eulerfinance/status/1643269155116945409?s=20

On 3/30/23, Intelligence on Chain presented to the Beanstalk DAO about what an investigation of the April 2022 governance exploit would entail: https://www.youtube.com/watch?v=5-VfvgVDtVU&t=458s

During the nearly one-hour-long presentation and discussion, it was revealed by Publius and later clarified by Beanstalk Farms that shortly after Beanstalk's exploit, Lossless had flagged a wallet that was potentially linked to the hack on 4/25/22 and which had a deposit traced back to Kraken.

Considering this newly revealed information, the value proposition of an investigation was summarized by Intelligence on Chain's founder as follows:

"What I'm proposing is a way to look at and understand where these funds currently are through pattern recognition. If that leads to other centralized exchanges, then so be it. Does that lead to the original one? Maybe. Maybe not. There's a lot of unanswered questions here, and all I'm looking to do is maximize the information that you guys have to help you recover some of these funds."

Deliverables

For the estimated two to three month investigation, Intelligence on Chain will:

  • Run the scripts on the 100 ETH contract to pull data on 22,000+ transactions from Tornado Cash (TC) since the exploit.
  • Analyze each wallet and subsequent transactions.
  • Learn if wallets are/are not connected.
  • Map out each suspect wallet back to protocols or exchanges.
  • Build a log of suspect/non-suspect wallets.
  • Understand the incoming transactions to the exploiter's wallet.
  • Build out the automation required to monitor every suspect wallet and TC.

This work will culminate in a final report by Intelligence on Chain that documents all of its findings, which will be shared with its contacts at the authorities.

Separately, a summary of the report will be shared publicly, enabling anyone in the Beanstalk DAO to use it to file complaints with authorities in their respective locality.

Note that any potentially sensitive information that may undermine a resolution of this matter if it were to be disclosed will not be included in the publicly shared summary. The final report will be reviewed with the BFC and the proposers of this BSP to confirm it was completed before the summary is shared publicly.

Automated tracking thereafter for six months will include monitoring alerts for every suspect wallet and TC.

Intelligence on Chain will also engage in an effort to recover the funds if possible, though there are no guarantees of results. The extent of this effort will largely depend on the findings of the investigation.

Scope

The scope of this proposal is limited to conducting an authoritative investigation of Beanstalk's April 2022 governance exploit and the extensive amount of on-chain data since then on behalf of the Beanstalk DAO, with automated monitoring for a period of six months afterwards.

Intelligence on Chain ultimately aims to identify patterns in the on-chain data and maximize available information to potentially aid in the recovery of funds. As the results of such an investigation are unknowable beforehand, defining how the results will be acted upon ahead of then is impractical. Nevertheless, Intelligence on Chain will share its complete and final report that includes any potentially sensitive information with their contacts at the authorities. Separately, a summary of the report from Intelligence on Chain will be made publicly available, thus empowering any Beanstalk community member to then report to the authorities in their respective jurisdiction.

During Beanstalk's DAO call on 4/21/23, the legal counsel representing Publius conveyed that the authorities were last provided information in regards to the exploit in July 2022. The counsel expressed that he would be happy to share any new information with the authorities, as well. Thus, the authorities may benefit from the additional information gathered from an investigation.

Intelligence on Chain will also attempt a pursuit in hopes of recovering the funds if possible, though there are no guarantees of results.

Note that while there is no guarantee of a recovery of funds as a result of this proposal, an in-depth investigation may nevertheless help to more definitively connect the dots, such that the authorities are better equipped to possibly act on the documented evidence and/or to potentially motivate the exploiter to return the funds voluntarily for the bounty previously approved by the Beanstalk DAO in BOP-2.

The importance of connecting the dots on possible links to better build a case was emphasized by Taylor Monahan from Metamask in a recent Twitter exchange regarding Beanstalk's exploit and the potential Kraken lead: https://twitter.com/tayvano_/status/1644071714673029120

Taylor was among the contributors that Euler Finance acknowledged publicly as having supported their investigation and recovery effort, and her feedback echoes the above-mentioned value proposition of an investigation as explained by Intelligence on Chain's founder.

Effective

Upon the passage of this BSP, the Bean Sprout multisig will convert the equivalent amount of BEAN to 42,000 USDC, and 25,000 USDC will then be sent to Intelligence on Chain to begin its estimated two to three month investigation.

The remaining 17,000 USDC will be sent to Intelligence on Chain upon completion of the investigation and the public sharing of the summary of their final report, after which they will proceed with their six months of monitoring-related work and their attempt at a recovery of funds if possible.

Note that this engagement with Intelligence on Chain will span an estimated period of eight to nine months in total. This equates to a monthly cost of about 5,000 USD.

As a comparison, consider that Beanstalk Farms previously informed the community it was quoted 300,000 USD for a twelve-month retainer by Chainalysis in the past, and there were no guarantees of results in that proposed engagement either. This would have equated to a monthly cost of 25,000 USD.

Off-Chain Vote

For: 18.08M STALK (97.5%)
Against: 455.79K STALK (2.5%)

Timeline

Apr 25, 2023: Proposal created
Apr 25, 2023: Proposal vote started
Apr 30, 2023: Proposal vote ended
Oct 26, 2023: Proposal updated