Staking basics

What is Flash Loan Attack

Zainab Saberi

Aug 5, 2023 • 8 min read

Flash loan attacks target DeFi platforms' smart contracts, where an adversary secures a hefty loan without any collateral. This attacker then artificially influences the token or asset's market price on one platform and capitalizes on this manipulation by selling on another platform.

Over the recent years, the DeFi sector has witnessed a surge in these low-cost, highly prevalent flash loan attacks. When the attacker seizes the loan, an "engineered sell-off" ensues, dramatically impacting the value of the assets involved. Not just limited to this sell-off technique, attackers employ multiple cunning tactics to tilt the market to their advantage. Their speed in executing these attacks enables them to sidestep numerous DeFi security measures.

The rapid and straightforward accessibility to flash loans has amplified the occurrence of these attacks. In such breaches, malevolent entities exploit the fleeting liquidity from flash loans, manipulating market values or illicitly redirecting funds, resulting in significant financial setbacks for individual stakeholders and the entire DeFi platforms.

Also Read: Private Vs Public Key

What are Flash Loans?

In the realm of decentralized finance (DeFi), flash loans are gaining immense traction, serving as a conduit for instant, collateral-free capital for both individuals and corporations. In essence, flash loans allow users to secure funds that are promptly repaid to the origin platform within the span of a single transaction block.

Yet, the very ease and swift nature of accessing these funds have also opened doors for a surge in flash loan attacks. Malevolent actors exploit the short-lived liquidity these loans offer, manipulating market dynamics or making unauthorized fund transfers. The aftermath of such attacks is often catastrophic, translating to immense financial losses for individuals and the broader DeFi entities.

Originated by Aave, flash loans are loans governed by smart contracts that don't demand any collateral. Historically, loans have been bracketed into two categories: secured and unsecured. Secured loans are characterized by the need for collateral, undergoing credit scrutiny, and having established borrowing ceilings. So, the reason that the flash loan exists and cannot be collateralized is due to the fact that these loans are meant to be rapid with the same transaction. Flash loans epitomize the unsecured category and are exclusively birthed in the DeFi ecosystem.

Also Read: Blockchain Network Congestion

How Flash Loan Attacks work in Defi?

Flash loan attacks harness the transient liquidity from flash loans to adjust the price of a cryptocurrency, target vulnerabilities in a DeFi smart contract, or illicitly divert funds from a given protocol.

To initiate a flash loan attack, an assailant usually undertakes the following three steps:

1. Borrowing: The assailant procures a flash loan from a DeFi platform, borrowing a hefty amount of cryptocurrency without the need for collateral.

2. Manipulating: With the borrowed currency, the assailant either alters the price of a particular cryptocurrency or takes advantage of a flaw in a DeFi smart contract.

3. Repaying: The assailant settles the flash loan, always within the confines of the same transaction, ensuring the borrowed assets are returned to the original lending source.

The cornerstone of a flash loan attack's effectiveness is the prompt repayment of the loan within the same transaction. This approach lets the assailant exploit momentary liquidity without any collateral, making it an uphill task for lending platforms to safeguard against these maneuvers.

Suppose an assailant aims to capitalize on a loophole in a DeFi smart contract to extract funds. First off, they secured a flash loan of 1200 ETH (valued roughly at $2.1 million at this juncture) from a lending body. They then channel 700 ETH to buy a cryptocurrency that shows a pricing disparity between two exchanges.

Assuming the cryptocurrency ABC shows mispricing: on exchange X, it’s trading at 1 ETH = 15 ABC, while on exchange Y, it commands a rate of 1 ETH = 18 ABC. The assailant employs the 700 ETH to obtain 10,500 ABC on exchange X (where it's cheaper) and swiftly trades the 10,500 ABC on exchange Y (where it's pricier) raking in 735 ETH.

Cumulatively, the assailant amasses 1435 ETH—melding the initial 700 ETH with the 735 ETH from the favorable trade. They subsequently repay the 1200 ETH flash loan, settling any auxiliary fees, and the net gain stands at a cool 235 ETH.

A flash loan arbitrage attack is a method that capitalizes on price variations between disparate exchanges to secure gains. While arbitrage itself doesn't have malicious undertones—many utilize flash loans for rightful reasons—the problem arises when these loans are employed to siphon funds by targeting a weakness in a DeFi Smart contract.

Also Read: Blockchain and Web3

Flash Loan Attack Types

This is merely one representation. A genuine flash loan attack can manifest in various ways, influenced by the specific weakness or manipulation technique in play.

Price manipulation: Through flash loans, individuals can intentionally surge or diminish the value of a digital currency. This act can precipitate severe losses for those who base their trades on these tampered prices.
Arbitrage Attackers: By utilizing flash loans, these culprits can harness the price differences present between distinct decentralized exchanges (DEXs) to carry out arbitrage transactions. Although not always malevolent, this can lead to potential losses for bona fide traders.
Smart contract exploits: Flash loans can be weaponized to exploit DeFi smart contract vulnerabilities, like reentrancy issues or integer overflow glitches. This might enable them to pilfer funds or initiate other malicious acts.

Significantly, it's vital to recognize that the majority of flash loans aren't weaknesses by default. Culprits use them to rapidly amass vast amounts, causing substantial disturbances in the affected systems.

Also Read: Advantage and disadvantage of blockchain technology

Examples of Flash Loan Attacks

The PancakeBunny Attack [July 2023]

2023 witnessed a grievous attack on the BSC-backed yield farming aggregator platform, PancakeBunny, causing the token value to plummet by a staggering 96%. The assailant borrowed a vast sum of BNB through PancakeSwap, manipulating the USDT/BNB and BUNNY/BNB trading pair prices. The malicious act resulted in the hacker absconding with an amount close to $3 million. But the repercussions were even graver, nearing a $200 million loss due to the token's decline.

Euler Finance $197m (March 2023)

Euler Finance's mistake in rate calculation on its platform led to one of the most substantial breaches. Users of Euler Finance primarily deal with eTokens (as collateral) and dTokens (signifying debt). The assailant exploited a glitch in the eToken function, leading to a flawed conversion of borrowed to collateralized assets. With aid from Tornado Cash and a $30 million flash loan from Aave's DeFi protocol, the hacker masterfully executed their scheme, leaving Euler lighter by approximately $197 million across various cryptocurrencies. EUL, Euler's native token, also faced a sharp 45% drop.

Also Read: Type Of Blockchains

Cream Finance $130m (October 2021)

CREAM Finance encountered a catastrophic breach in October 2021, incurring a loss of more than $130 million. The assailant's strategy revolved around the yUSDVault of CREAM. The meticulously planned attack involved significant minting of crYUSD tokens and subsequent flaw exploitation to amplify these tokens' apparent worth. A sophisticated loop of deposits and withdrawals using MakerDAO, AAVE, and Curve eventually allowed the attacker to siphon off assets amounting to $130 million from CREAM.

bZx $1m (November 2021)

November 2021 saw bZx falling victim to a complex two-tiered attack. The primary flaw during the first strike revolved around BZx's dependency on a lone oracle for pricing. This was leveraged by the hacker who, using a flash loan, tampered with the collateral pool. The subsequent attack revolved around BZx's use of the Uniswap price as an oracle. By manipulating it, the attacker could unduly borrow more ETH. These breaches spotlighted the platform's Achilles' heel, costing it over $985K and underscoring the necessity for robust security and multiple reliable price determination sources.

Also Read: What Is A Dao

Strategies to tackle Flash Loan Attacks

In light of previous instances, a consolidated set of techniques to shield against flash loan attacks can be detailed. Implementing reentrancy guards is vital in averting unanticipated contract interactions. It's crucial to adopt sound access control tools, for instance, the OpenZeppelin's Ownable, to confine vital operations. When devising contracts, utilizing tried-and-true libraries and frameworks, like OpenZeppelin, is recommended.

Given that these attacks stem from external smart contracts, an astute approach would be to confirm the addresses permitted to activate flash loan features. It's essential to ascertain that external contract engagements are genuine and safeguarded, concentrating interactions strictly with verified contracts.

It's of paramount importance to invest in meticulous third-party smart contract inspection and validation. Undertake exhaustive tests to pinpoint possible weak points and partner with esteemed audit enterprises for an in-depth evaluation of your agreements.

Leverage multiple oracles to access the most accurate and protected price data, bearing in mind the potential susceptibilities of some oracles. Deploying time-weighted average price (TWAP) strategies can drastically curtail hazards associated with price tampering.

Make it a habit to continually update yourself with the latest DeFi security methodologies and reports on vulnerabilities.

Are Flash Loans entirely without risks?

Committing illicit acts always comes with certain perils. Yet, think about orchestrating a bank heist without the obligation to be present at the bank site. This roughly encapsulates the mindset of those who initiate flash loan attacks. The past eighteen months have showcased how effortless it can be to illicitly extract funds from DeFi setups.

Remarkably, up to this moment, no individual behind a flash loan assault has been apprehended, especially in recent times. This can be attributed to the fact that most culprits vanish without leaving any footprints, courtesy of the inherent traits of permissionless networks and the availability of identity-cloaking utilities like Tornado Cash.

Also Read: Smart Contracts

Is there an end in sight for flash loan attacks?

Much like the myriad malevolent breaches in the crypto realm, it's improbable that flash loan attacks will cease. Nonetheless, strategies can be conceived to diminish their potential impact.

Crafting and launching sophisticated detection mechanisms might revolutionize the defense mechanisms for DeFi platforms. Such apparatuses are adept at spotting irregularities within a protocol swiftly, alerting the developers' posthaste.

Also Read: Matic Bridges

Frequently Asked Questions [FAQs]

Q: What are the risks and potential consequences of a flash loan attack?

A: Flash loan attacks present an immediate threat to the liquidity and stability of DeFi protocols. If successfully executed, they can lead to substantial financial losses for the platform and its users. Additionally, they can erode trust in the affected DeFi system, potentially leading to diminished user adoption and negative market sentiment.

Q: How can DeFi developers prevent and mitigate the risk of flash loan attacks?

A: DeFi developers can reduce the risk of flash loan attacks by conducting thorough smart contract audits and implementing strong security practices. It's essential to stay updated on emerging vulnerabilities and to collaborate with the wider crypto community. Implementing time delays for certain contract actions and ensuring the use of oracles with proper data verification can also be deterrents.

Q: How can users protect themselves from flash loan attacks?

A: Users can protect themselves by only engaging with well-established and thoroughly audited DeFi platforms. They should be wary of platforms promising unusually high returns, as these can sometimes be indicative of underlying vulnerabilities. Regularly monitoring the security updates of the platforms and using wallets with multi-signature functionalities can further enhance protection.

Q: What are the regulatory and legal implications of flash loan attacks in DeFi?

A: Flash loan attacks have brought regulatory scrutiny to the DeFi space. Regulators may view such attacks as evidence of inadequate security measures, potentially leading to increased regulation or oversight. The legal implications can vary by jurisdiction, but affected parties might pursue legal actions against the attackers or even the platform, depending on local laws.

Q: How do flash loan attacks impact the overall security of the DeFi ecosystem?

A: Flash loan attacks underline the vulnerabilities present in the DeFi ecosystem. They can shake the confidence of both users and investors, leading to potential withdrawal from platforms and reduced investment. The attacks can also act as a catalyst, pushing developers to prioritize security over rapid innovation.

Q: What are the potential long-term effects of flash loan attacks on DeFi adoption and innovation?

A: In the long term, flash loan attacks might slow down the rate of DeFi adoption, as new users may be hesitant to trust the ecosystem. However, it could also drive the industry towards creating more robust and secure protocols, prioritizing user safety over rapid feature deployment. Properly addressing these attacks can enhance DeFi's credibility and resilience.

Q: How can DeFi protocols improve their security measures to prevent flash loan attacks?

A: DeFi protocols can ramp up their security by consistently engaging with reputable third-party auditors to examine their code. They should also establish bug bounty programs to incentivize the discovery and reporting of vulnerabilities. Continuous learning, staying updated on the latest attack vectors, and fostering a culture of security-first can significantly bolster defenses against flash loan attacks and other security threats.