In essence, Beanstalk allowed people to deposit tens of millions of dollars in virtual currency into a software system, which generated interest and helped maintain the value of a stablecoin called a bean.
The project didn’t operate as a traditional start-up. Like many crypto founders, Mr. Weintraub and his collaborators — Brendan Sanderson, 25, and Michael Montoya, 24 — kept their identities secret, calling themselves Publius, an homage to the authors of the Federalist Papers. When the software was released in August 2021, users who deposited their crypto got votes in an investor collective called a decentralized autonomous organization, or DAO, which had to agree to make changes to the software.
Beanstalk’s collective governance was ultimately its undoing. In April, a hacker borrowed $1 billion of cryptocurrency from another DeFi project, Aave. The transaction was a so-called flash loan — a lightning-fast process in which a crypto user borrows funds without posting any collateral, makes a trade and then immediately pays back the loan, keeping any profits generated from the series of near-simultaneous exchanges.
The code that Mr. Weintraub and his partners had designed did not have a mechanism to stop someone from using a flash loan to take over the platform. So the hacker used the $1 billion to claim a huge stake in the Beanstalk DAO, taking total control of the software’s governance. Then the hacker transferred everyone’s funds — a total of nearly $200 million — out of the Beanstalk system.
Panic ensued. “I lost $1 million today,” one Beanstalk user declared on YouTube. “It happened through beans.”
Some users suspected that Mr. Weintraub and the other founders were behind the attack — a classic “rug pull” in which a team of developers flees with investors’ funds.
“The pitchforks were out,” Mr. Weintraub said. “It felt like death.”
Ultimately, he and the other founders decided to continue the project. They reported the theft to the F.B.I. and held calls with Beanstalk enthusiasts to find a path forward. In an April post on the chat forum Discord, they also revealed their identities for the first time. It was a risky move: Even though the project wasn’t a traditional business, they could be vulnerable to lawsuits from users or regulatory scrutiny.
