What Is a Flash Loan Attack?
A flash loan attack abuses weaknesses in the smart contracts of a particular platform: the attacker borrows a large amount of funds without putting up collateral, manipulates the price of a crypto asset on one exchange, and quickly resells it on another. The process is swift, and the attacker repeats it multiple times before finishing and leaving without a trace.
What Is a Flash Loan?
The development of the DeFi lending space has made crypto lending very popular. Because they leverage the full power of currently available technologies, flash loans have become a very appealing form of lending.
The term flash loan describes when a borrower takes a loan without needing collateral. You might wonder: How is this possible? Using a platform’s smart contract, the whole lending and returning process occurs within a single transaction on the blockchain.
That means that the borrower has to act quickly and return the loan within a short time. If the borrower fails to repay in any way, the whole transaction is annulled as if nothing had happened at all.
The principle is simple and very practical. Unlike traditional, secured loans, you don’t need any collateral, credit score or administration to process an unsecured loan. You can get your hands on large amounts of stablecoin in a matter of seconds — and use it to your benefit just as quickly.
That’s what some traders on various DeFi platforms are doing. For example, Aave users can get such loans, use the funds on an arbitrage opportunity, give back the loan, and keep the profits. The borrowing and lending process is automated, and when everything works out, both the lender and borrower benefit from the loan. If anything goes wrong, the transaction is canceled, and there’s no profit for either one of the parties.
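The single-transaction behaviour described above can be modelled in a few lines. This is an added Python illustration, not code from Aave or any other platform; the ledger, the account names, the balances and the 9 basis point fee are all constructed assumptions.

```python
class Reverted(Exception):
    """Signals that the whole transaction must be rolled back."""

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, pool, borrower, amount, use_funds, fee_bps=9):
    """Lend, run the borrower's logic, and require repayment plus fee,
    all inside one transaction. fee_bps is an assumed fee, not from the page."""
    snapshot = dict(ledger.balances)              # state before the transaction
    fee = amount * fee_bps // 10_000
    try:
        ledger.transfer(pool, borrower, amount)
        use_funds(ledger, borrower, pool, amount + fee)  # borrower-controlled step
        if ledger.balances[pool] < snapshot[pool] + fee:
            raise Reverted("loan plus fee not returned")
        return True
    except Reverted:
        ledger.balances = snapshot                # annulled as if nothing happened
        return False

def repays(ledger, borrower, pool, owed):
    ledger.transfer("venue", borrower, 500)       # constructed arbitrage profit
    ledger.transfer(borrower, pool, owed)

def walks_away(ledger, borrower, pool, owed):
    ledger.transfer(borrower, "elsewhere", owed - 500)  # never repays the pool

START = {"pool": 1_000_000, "borrower": 0, "venue": 10_000}  # constructed balances

def run(use_funds):
    ledger = Ledger(START)
    ok = flash_loan(ledger, "pool", "borrower", 100_000, use_funds)
    return ok, ledger.balances

if __name__ == "__main__":
    print(run(repays))      # loan repaid: pool keeps the fee, borrower the rest
    print(run(walks_away))  # not repaid: every balance is back at its start
```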
Are Flash Loan Attacks Common?
Given how the technology is still evolving, DeFi flash loan attacks are currently common. It is worth knowing about them, just as it is worth knowing what DeFi is. Currently, over 70 DeFi exploits have been used to steal massive amounts, to the tune of around $1.5 billion. The trend will likely continue in the years to come, because making a platform’s security impenetrable is a challenging task.
Why Are Flash Loan Attacks Possible?
- The first challenge comes down to the developer’s inability to cover all of the possible weaknesses, since blockchain technology is fairly new.
- Another problem is that systems are developed quickly, and a lot of money is in each of these projects. The stakes are high, and many developers try different methods to find the bugs in the system. Some flash loan attackers leverage incorrect liquidity pool calculations; others rely on miner attacks or coding mistakes.
- The challenge with smart contracts is that they have complete control over DeFi protocols. Once the attackers understand how these operate in minute detail, they can manipulate a contract’s shortcomings and use them to their advantage. That means that DeFi’s security is a delicate balance: the skill of the protocol’s contract creator on one side, and the hacker on the other.
Luckily, there are systems already in place to prevent such abuse of uncollateralized loans. We’ll touch upon that right after we explore a couple of examples of flash loan attacks.
Flash Loan Attack Examples
So far, there have been dozens of flash loan attacks. Here are just some of the biggest ones.
C.R.E.A.M. Finance was attacked multiple times in 2021. One of the biggest heists involved $130 million. The culprits stole CREAM liquidity tokens, amounting to millions of dollars over an undisclosed amount of time. All the losses are visible on-chain, and the culprits have yet to be caught.
Luckily, the loophole was only a part of Cream’s DeFi system, as the platform of their merging partner, Yearn Finance, remained safe. As with the majority of DeFi protocol hacks, the attackers used multiple flash loans and manipulated the pricing of the oracle.
With the help of Yearn’s team, the platform quickly patched the vulnerability.
In February 2021, a hack on the Alpha Homora protocol resulted in a loss of $37 million. The flash loan attacker also used C.R.E.A.M. Finance’s Iron Bank through a series of flash loans. The Iron Bank is the lending arm of the Alpha Homora protocol.
The hackers repeated the process multiple times until they amassed CreamY USD (or cyUSD), then used the tokens to borrow other cryptocurrencies. The hack was quite complex and involved numerous steps. Essentially, the attacker heavily manipulated the sUSD pool of HomoraBank v2.
They performed a series of transactions and flash loans, allowing them to abuse the lending protocol between HomoraBank v2 and the Iron Bank. You can explore the Alpha Homora attack post mortem in greater detail to see what hackers did.
Additionally, they exploited the rounding miscalculation of the borrowing calculations in situations when there’s a single borrower.
There are cases when gaming the protocols requires the right timing and manipulation of prices. That was the case with a dYdX exploit early in 2020. The attacker used the platform to get the flash loan, then split up the funds and used them on two trading platforms — Fulcrum and Compound.
The first part was used on Fulcrum to exchange ETH for WBTC. In the process, the Kyber Network routed the order through Uniswap’s DEX. The catch was that Uniswap’s low-liquidity pool drove WBTC’s price incredibly high.
Simultaneously, the attacker used the second part of the loan on the Compound platform to get a WBTC flash loan. As the price skyrocketed on Uniswap, the attacker quickly made the exchange — and a significant illegal profit.
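Why a low-liquidity pool's price is so easy to move can be shown with constant-product (x*y=k) arithmetic. The following Python sketch is an added example, not code from Uniswap or from the incident: the pool sizes, the 0.3% swap fee and the 5% deviation guard are constructed assumptions, and the guard goes slightly beyond the text to show one sanity check a protocol reading a pool's spot price could apply.

```python
def swap_in(reserve_in, reserve_out, amount_in, fee_bps=30):
    """Constant-product swap. Returns (amount_out, new_reserve_in, new_reserve_out)."""
    effective_in = amount_in * (10_000 - fee_bps) / 10_000   # fee stays in the pool
    amount_out = reserve_out * effective_in / (reserve_in + effective_in)
    return amount_out, reserve_in + amount_in, reserve_out - amount_out

def spot_price(reserve_eth, reserve_wbtc):
    """ETH needed per WBTC, read straight from the pool reserves."""
    return reserve_eth / reserve_wbtc

def price_move(reserve_eth, reserve_wbtc, eth_in):
    """Relative change in the pool's WBTC spot price caused by one ETH->WBTC swap."""
    before = spot_price(reserve_eth, reserve_wbtc)
    _, new_eth, new_wbtc = swap_in(reserve_eth, reserve_wbtc, eth_in)
    return spot_price(new_eth, new_wbtc) / before - 1

def oracle_read_ok(spot, reference, max_deviation=0.05):
    """Hypothetical guard: accept a spot price only if it stays close to an
    independent reference price (for example a time-averaged one)."""
    return abs(spot / reference - 1) <= max_deviation

# Constructed pools, both starting at 40 ETH per WBTC.
SHALLOW = (2_000, 50)        # low liquidity
DEEP = (200_000, 5_000)      # 100x more liquidity
TRADE_ETH = 1_000            # same trade size against both pools

def compare():
    results = {}
    for name, (eth, wbtc) in (("shallow", SHALLOW), ("deep", DEEP)):
        reference = spot_price(eth, wbtc)
        move = price_move(eth, wbtc, TRADE_ETH)
        results[name] = (move, oracle_read_ok(reference * (1 + move), reference))
    return results

if __name__ == "__main__":
    for name, (move, ok) in compare().items():
        print(f"{name}: price moved {move:+.1%}, oracle read accepted: {ok}")
```

The same 1,000 ETH trade moves the constructed shallow pool's price by well over 100% and the deep pool's by about 1%, which is why a lending protocol that trusts a thin pool's spot price can be fed a distorted value.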
How to Protect Against Flash Loan Attacks?
While there is no foolproof way to protect against flash loan attacks, there are several steps that users can take to reduce their risk:
- Use reputable DeFi platforms: Stick to DeFi platforms that have a good reputation and a track record of security. Research the platform and its developers before investing any funds.
- Be cautious with new projects: Be wary of new DeFi projects that have not been thoroughly tested or audited. New projects are often more vulnerable to exploits than established ones.
- Diversify your holdings: Spread your cryptocurrency holdings across multiple DeFi platforms and cryptocurrencies to reduce your exposure to any single risk.
- Keep up to date with the latest security developments and news in the cryptocurrency industry. Join online communities and forums to stay informed about potential risks and vulnerabilities.
As more attacks keep occurring, security experts are learning more about various flash loan exploits. By leveraging the security features and expertise provided by ECOS, DeFi platforms and applications can better protect themselves against flash loan attacks and other types of security threats. This, in turn, can help build greater trust and confidence in the DeFi ecosystem, making it a more attractive and viable alternative to traditional financial systems.
Overall, while flash loan attacks will likely continue to be a challenge for the DeFi ecosystem, ECOS represents a promising solution that can help mitigate these risks and ensure the long-term sustainability and growth of the DeFi ecosystem.