With the growing interest in cryptocurrency, you can expect to see more opportunities for DeFi or decentralized finance in the future. DeFi’s goal is to create a permissionless, transparent, and decentralized financial ecosystem using blockchain networks.
On April 17, 2022, hackers used the DeFi platform Aave to make massive gains on the Beanstalk Farms stablecoin protocol. The hack was classified as a flash loan attack, with a total loss of $182 million. But what is a flash loan attack? And how can you safeguard your investments? Let’s have a look.
A flash loan attack is an exploitation of a platform’s smart contract security in which an attacker borrows large sums of money with no collateral. They then manipulate the price of a cryptocurrency asset on one exchange before quickly selling it on another. Flash loan attacks are the most common type of DeFi attack because they are the cheapest to execute and the easiest to conceal. They’ve been making headlines since DeFi’s popularity surge in 2020, and they appear to be getting worse in 2021, with several hundred million dollars in losses to date.
The process is quick, and the attacker repeats it several times before finishing and disappearing. When the attacker obtains the flash loan, they cause an artificial sell-off, resulting in a significant drop in the price of a cryptocurrency asset.
Before we answer ‘what is a flash loan attack?’ let’s understand ‘what is a flash loan crypto?’ A flash loan is a kind of uncollateralized loan. Unlike traditional loans, flash loans do not require borrowers to provide standard documentation such as proof of income, reserves, or collateral. Flash loans make use of smart contracts, which are digital agreements that are anchored on a blockchain network. Furthermore, when trading cryptocurrency, flash loans encapsulate the entire transaction — from borrowing to repaying — in a single, instant transaction.
There are three steps to a flash loan transaction. The first step is for the user to borrow the funds, the second step is for the user to do something with the funds, and the third step is for the user to repay the loan. If any of the steps are missing, the transaction fails and the blockchain returns to its pre-transaction state. It’s as if nothing was ever borrowed in the first place.
In layman’s terms, a flash loan works as follows: I will lend you as much money as you need for this single transaction. However, by the end of this transaction, you must repay me at least the amount I lent you. If you are unable to do so, your transaction will be automatically rolled back!
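The all-or-nothing behaviour described above can be seen in a small simulation. This is an added example, not code from the original article or from any DeFi protocol; `ToyChain`, the account names and the balances are constructed for illustration.

```python
class Revert(Exception):
    """Signals that the whole transaction must be rolled back."""

class ToyChain:
    """Constructed toy ledger: account name -> balance."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def flash_loan(self, lender, borrower, amount, use_funds):
        """Run borrow -> use -> repay as one all-or-nothing transaction."""
        snapshot = dict(self.balances)       # pre-transaction state
        owed = self.balances[lender]         # lender must end with at least this
        try:
            self.transfer(lender, borrower, amount)   # step 1: borrow
            use_funds(self, borrower)                 # step 2: use the funds
            if self.balances[lender] < owed:          # step 3: repayment check
                raise Revert("loan not repaid")
            return True
        except Revert:
            self.balances = snapshot         # as if nothing was ever borrowed
            return False

def repaying_borrower(chain, me):
    chain.transfer("market", me, 5)          # stand-in for a profitable trade
    chain.transfer(me, "pool", 1000)         # repay the principal

def non_repaying_borrower(chain, me):
    chain.transfer(me, "elsewhere", 1000)    # moves the funds away, never repays

def demo():
    chain = ToyChain({"pool": 1000, "market": 50, "alice": 0})
    ok = chain.flash_loan("pool", "alice", 1000, repaying_borrower)
    after_ok = dict(chain.balances)
    failed = chain.flash_loan("pool", "alice", 1000, non_repaying_borrower)
    return ok, after_ok, failed, dict(chain.balances)

if __name__ == "__main__":
    print(demo())
```

The second loan leaves no trace in the ledger, which is why the lender carries no credit risk and why the risk shifts to whatever protocols the borrowed funds touch during step 2.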
These types of loans have grown in popularity across a number of Ethereum-based decentralized finance (DeFi) protocols. In early 2020, the Ethereum lending platform Aave pioneered the concept. However, to date, there is no real-world analogy to flash loans.
DeFi flash loan attacks are becoming more common. Over 70 DeFi exploits are currently being used to steal massive amounts totaling around $1.5 billion. Flash loan attacks are relatively simple to carry out. All that is required is a substantial amount of collateral and access to a liquidity pool. Once you have these items, you can easily borrow a large sum of money and use it to acquire a large number of assets. This allows you to profit quickly from the price difference between the two assets.
Another flaw concerns the platform’s pricing information. Because there are so many exchanges around the world, determining a single true price for digital crypto assets is nearly impossible. This pricing disparity is what makes arbitrage trading appealing.
Another reason why flash loan attacks continue to occur is that they are frequently profitable. In the Aave attack, for example, the attacker made a profit of over $7 million. This is a large sum of money, and other attackers are likely to have made similar sums of money from other flash loan attacks.
Peckshield, a blockchain security provider, discovered a flash loan attack against the DeFi lending platform Cream Finance last October. Attackers attempted to steal Cream liquidity provider tokens. With the exception of a $40 million $CREAM pool, most Ethereum-based pools are now empty, according to Cream’s native front end. The protocol’s Ethereum markets had $300 million in assets as of October 23, 2021. As evidenced by the $19 million flash loan hack of the protocol in August 2021, Cream Finance has been routinely targeted by attackers.
A hack on the Alpha Homora protocol resulted in a $37 million loss in February 2021. Using Cream’s Iron Bank protocol-to-protocol lending platform, an attacker successfully drained over $37 million from Alpha Homora. The hackers repeated the process until they had amassed CreamY USD (or cyUSD), at which point they used the tokens to borrow other cryptocurrencies. The hack was quite complex, with numerous steps. Essentially, the attacker heavily manipulated HomoraBank v2’s sUSD pool.
In the early 2020 dYdX flash loan attack, the attacker used the platform to obtain the loan, then split the borrowed funds across two distinct lending platforms, Compound and Fulcrum. The first portion of the loan was used to short ETH against WBTC, forcing Fulcrum to acquire WBTC. The order was processed by Uniswap, but due to Uniswap’s low liquidity, the price of WBTC rose significantly, requiring Fulcrum to pay significantly more for it. The remaining dYdX loan was used by the attacker to obtain a WBTC loan on Compound. As the price of WBTC rose, the attacker profited by transferring the borrowed WBTC to Uniswap. The attacker then paid back dYdX while keeping the remaining ETH.
PancakeBunny’s Bunny Protocol was the victim of a flash loan attack on May 19, 2021. The attacker used price differentials to steal 114,631 WBNB worth approximately $45 million. The only pool drained by the hacker was BUNNY/BNB, with the malicious actor also stealing 697,000 BUNNY. PancakeBunny reiterated that none of the vaults had been exploited, but this is little comfort given that a massive amount was stolen through other means. The attacker also attached a private note with a rabbit-themed pun, “ArentFlashloansEaritating,” to the transactions that drained the pool. PancakeSwap was used to return all funds borrowed to carry out the attack.
So you know ‘what is a flash loan crypto’ and ‘what is a flash loan attack’ now, but how can you prevent these attacks?
The use of decentralized pricing oracles can aid in reducing price manipulation caused by flash loan attacks. These platforms protect all protocols by providing accurate pricing for various cryptocurrencies.
DeFi attacks, such as the one that occurred with dYdX, will be impossible because the protocols will not receive their price feed from a single DEX. In simple terms, if a bad actor attempts a flash attack on a decentralized oracle-fed DApp, the price manipulation will fail, the transaction time will elapse, and the entire transaction will reverse — unprocessed.
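Why a single-DEX price feed is fragile, and what an aggregated feed changes, can be shown with a constant-product pool model. This is an added example, not code from the original article or from any oracle project; the pool reserves, the two independent feed values, the 50% loan-to-value ratio and the 5% deviation threshold are all constructed assumptions.

```python
from statistics import median

class Pool:
    """Constant-product (x * y = k) pool, fees ignored. Reserves are constructed."""
    def __init__(self, token, usd):
        self.token, self.usd = float(token), float(usd)

    def spot_price(self):
        return self.usd / self.token             # USD per token

    def buy_token_with_usd(self, usd_in):
        k = self.token * self.usd
        self.usd += usd_in
        out = self.token - k / self.usd          # tokens leaving the pool
        self.token -= out
        return out

def max_borrow(collateral_tokens, price, ltv=0.5):
    """What a lending protocol would lend against the collateral at this price."""
    return collateral_tokens * price * ltv

def deviates(pool_price, reference, max_dev=0.05):
    """Detection check: pool price is more than max_dev away from the reference."""
    return abs(pool_price - reference) / reference > max_dev

def demo():
    thin = Pool(token=1_000, usd=100_000)        # low-liquidity pool, price 100
    other_feeds = [100.2, 99.8]                  # constructed independent sources
    spot_before = thin.spot_price()
    thin.buy_token_with_usd(100_000)             # one large swap inside the transaction
    spot_after = thin.spot_price()               # weak design: protocol reads this
    median_after = median([spot_after] + other_feeds)   # hardened design
    return {
        "spot_before": spot_before,
        "spot_after": spot_after,
        "median_after": median_after,
        "borrow_spot": max_borrow(10, spot_after),
        "borrow_median": max_borrow(10, median_after),
        "flagged": deviates(spot_after, median_after),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

One swap quadruples the thin pool's spot price, so a protocol reading only that pool would lend four times too much against the same collateral, while the median of three sources barely moves and the deviation check flags the outlier.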
The DeFi ecosystem employs cutting-edge technologies that are reshaping the outlook of international financial systems. Transparency in the lending process can help prevent flash loan scams. We can make it more difficult for hackers to conceal their activities, making it more difficult for them to carry out these attacks. OpenZeppelin is a prime example. Its role in the ecosystem is to protect smart contracts and DeFi platforms as a whole.
Flash loans are typically risk-free for lenders; if no contract is executed to return the loaned amount, the initial loan will never be made. Smart contracts, on the other hand, must cover all transaction details to ensure that everything is risk-free. As a result, there are no vulnerabilities for attackers to exploit.
When it comes to flash loans, the biggest threats currently affecting the DeFi ecosystem are usually data leaks and smart contract bugs that enable these attacks.
One of the most surprising discoveries in the cryptocurrency world was the rapid development of the DeFi movement. Flash loans are one of many new terms and concepts that have been introduced in recent years. Flash loan attacks can take many different forms. Because a flash loan must be repaid before the contract is completed, an attacker may find a way to change the value of the cryptocurrencies they’re trading. However, with regular security updates, the risks associated with these attacks can be mitigated in the future. Just keep our guide to ‘what is a flash loan attack?’ handy!
A crypto flash loan is a type of uncollateralized loan that is available in DeFi. Through a flash loan, users can borrow a large amount of crypto, such as Ethereum or Bitcoin, without the need for collateral, as long as the loan is repaid within a single transaction block.
Once a borrower successfully receives the flash loan funds, if they fail to repay the loan amount within the specified time frame, the lender may take legal action to recover the funds. Said action may include a lawsuit, a court order to freeze all of the borrower’s assets, or any other solutions.
Just like any other aspect of the crypto world, crypto flash loans also carry risks. Said risks may include: