What is a Flash Loan Attack and How to Avoid It?

Introduction

The permeation of DeFi has started to gain more traction with every passing second. TradeFi is plagued with issues on account of economic setbacks such as increasing interest rates, money supply, social restrictions, and approaching recession.

Therefore, more people are diverting to DeFi markets to draw loans at a better interest rate. To this end, the phenomenon of Flash Loans has gained popularity.

However, all DeFi users need to understand Flash Loans and one of its biggest setbacks known as Flash Loan Attacks.

What are Flash Loans?

Flash Loans are a unique type of loan contract that is specific to DeFi. It was first introduced by DeFi lending pioneer AAVE protocol. In general, there are two basic types of loans in DeFi. The first kind is collateralized loans that require the borrower to commit some amount under the custody of the lender as a guarantee.

The collateral becomes useful as a security, in case the lender is unable to return the loaned amount promptly. In traditional banking, most users are only able to draw out collateralized loans.

However, the DeFi market is not centralized or regulated. It depends on smart contracts that carry out financial functions based on conditional requirements.

Therefore, DeFi lending protocols such as AAVE can allow Flash Loans for their users. Flash Loans are mostly uncollateralized. It means that the borrower does not have to submit a specified amount in advance as a warranty.

It is possible on account of the working mechanism of the Flash Loans. It is important to note that despite the lack of collateral amount as a safety backup, the borrowers working with Flash Loans have greater security in comparison to the collateralized loans.

How does a Flash Loan Work?

A Flash Loan is not a one-way borrowing or lending transaction. It is a complete cycle of a loan based on the summation of borrowing and lending transactions at once. The lender is required to submit the details of the entire lending and borrowing cycle that is processed by a smart contract.

The smart contract runs the numbers and only carries out the transaction if it adds up. The whole process of borrowing and lending happens in one go and instantly. Therefore, Flash Loans are named accordingly.

For example, if a person wishes to generate some profits by borrowing $10 ETH and return it after generating some profits from it. The profit can be generated by spot price changes or by swapping the token through several other variants.

In the end, the borrower should be able to create some profits using their trading strategy and return the loan amount to the lender with interest. Investors tend to exchange currencies through several exchanges and trading platforms to take advantage of the interest rate changes and spot price differences to generate profits from their borrowed cryptocurrencies with Flash Loans.

The smart contract of a Flash Loan protocol only carried out this transaction, if the lender can return the borrowed amount in full.

Advantages of Flash Loans

Before discussing the drawbacks of Flash Loans, investors must take a look at their advantages:

Risk-Free Lending

When a person first hears about Flash Loans not requiring any collateral, they may think that it is very risky. However, in reality, Flash Loans are safer in comparison to traditional collateralized loans.

The smart contract that grants flash loans only approves a transaction, it can return the borrowed amount in full. Furthermore, the duration of the Flash Loans is very small. In most cases, the borrowers can get their crypto reserves back in a very smaller time duration in comparison to collateralized loans. Therefore, working with Flash Loans can be considered less risky.

Additionally, the interests of the borrowers are also secured, as they can foresee the entire transaction beforehand rather than waiting for future time gaps that can expose them to variable market factors.

Capital Efficiency

For collateralized loans, the lenders are often required to submit a collateral amount that is equal to the borrowed amount or near its full value. It can present an issue for borrowers who do not have the means to collect a massive amount for lending.

On the other hand, the investors are also under pressure to maintain a required amount of collateral value at all times. Meanwhile, with Flash Loans both borrowers and lenders are free from the hassle of worrying about monitoring collateral amount and its value. In turn, the Flash Loans can increase Capital Efficiency.

User Friendly

The Flash Loan applications are also very easy to operate and user-friendly. Even the most efficient collateralized loan protocols such as MakerDAO offer a two-step CPD return system. With this system, the borrowers must gain access to stablecoins named DAI to be able to repay their loan and reclaim their collateral amount.

With each passing day and step, the calculation to find out the total collateral amount and interest rate become more and more difficult. At the same time, the interest keeps compounding which is difficult to track.

With Flash Loans, the borrowers are free from the hassle and they can calculate the entire transaction cycle beforehand.

Risks Associated with Flash Loans

It is clear from the aforementioned paragraphs that Flash Loans are very innovative and advantageous. However, some risks are attached to Flash Loans that make them risky. One of the most talked about and discussed the threat that is attached to Flash Loans is Flash Loan Attack.

It is one of the reasons that most users steer away from Flash Loans. Another noteworthy drawback of Flash Loans is that the users require a considerable amount of expertise to successfully use the Flash Loan services.

If the users are not well-aware of the market conditions and they do not have enough information about all the available options in the crypto marketplace, they can end up making a low-level profit. Account for the same reason, it is important to take into consideration that there are tens of thousands of cryptocurrency variants available in the space.

It means that any ordinary person with the best skillset and financial training will face issues taking into consideration all the possible routes to make the best profits. Only the traders with the best and most advanced resources available at their disposal such as trading bots would be able to calculate the best outputs.

Since advanced trading tools are expensive, Flash Loans may be beneficial for a limited number of crypto traders.

What are Flash Loan Attacks?

When talking about the risks related to Flash Loans, the first issue we discussed was Flash Loan Attacks. It is because; Flash Loan Attacks are the most dangerous threat that a DeFi user can face. During a Flash Loan Attack, the borrowers on the platform stand to lose their crypto reserves.

As visible by the name, it is a type of hack attack on the DeFi lending protocol. As a result of the Flash Loan Attack, the hackers can get away with massive amounts of borrowed cryptocurrencies and they may also be able to pocket the profit returns.

However, they use the technical blind spots in the smart contract of the Flash Loan protocol such that they do not have to return the borrowed amount.

Using their programming skills, they only create an illusion of returning the borrowed amount but in reality, they steal the borrowed cryptocurrencies and make away with it. Meanwhile, the lenders are left with losses on their hands.

How does a Flash Loan Attack Work?

Flash Loan Attacks are very similar to conventional DoS (Denial of Service) Attacks. In a DoS attack, the hackers can shut down or overwhelm a server or an operating system by redirecting a flood of emails or other data traffic toward it.

In a Flash Loan Attack, the hackers are also looking to overwhelm the smart contract that is keeping a record of the entire borrowed and lent amount. It is important to keep in mind if the smart contract of a Flash Loan protocol calculates that the borrower would not be able to return their loaned cryptocurrency, it reverses the transaction automatically.

However, during a Flash Loan Attack the hackers try to flood the smart contract with a slew of trading pairs. These trading pairs are made up of tokens that intend to perform arbitrage for generating profits. The borrowers can generate profits with Flash Loans using techniques like Arbitrage.

However, hackers use it to exploit the Flash Loan smart contract by feeding with endless arbitrage transactions in massive quantities. As a result, they can generate a considerable amount of Slippage.

Slippage represents the difference between the market value and exploitable contract value of the borrowed cryptocurrencies. When the attackers can create big enough slippage, they can purchase other cryptocurrencies at discounted prices.

In this manner, they can drain the smart contract of a majority of its cryptocurrency reserves. Eventually, the hackers transfer their stolen currencies to another exchange or digital wallet. They can wash their stolen funds by trading on other exchanges.

The process of conversion of stolen currencies can be halted by the intervention of exchange authorities that the hackers are using. However, if the attackers are using self-custodial accounts they can freely launder their stolen funds from the exploited DeFi Flash Loan protocols.

The Most Notorious Flash Loan Attacks in History

The first Flash Loan protocol was introduced by the AAVE protocol which is based on the Ethereum blockchain in 2020. This lending option soon gained traction within and outside of the DeFi ecosystem.

However, hackers are always on the lookout for the latest technologies to find a weakness and take advantage of it. Therefore, hackers started to target Flash Loan protocols soon enough. Here is a detailed account of some of the biggest and most notorious Flash Loan Attacks of all time:

dYdX

dYdX is a DeFi lending platform that offered Flash Loans as early as 2020. In the same year, it was hit by one of the biggest crypto heists. The hackers were able to drain dYdX by creating massive arbitrage orders to two other DeFi protocols namely Fulcrum and Compound. Fulcrum is another decentralized lending protocol.

Hackers sent an order to Fulcrum for exchanging a massive amount of Ethereum for a WBTC token. The AMM (Automatic Market Maker) of Uniswap drove the prices of WBTC abnormally high on account of limited liquidity. The WBTC pump took place within Uniswap DEX which processed the Fulcrum order through Kyber Network.

The other part of the attack took place on the Compound. The compound is a decentralized interest-generating protocol for cryptocurrency investors who wish to generate income from their idle digital wallet reserves.

The hackers also generated an order to draw a massive WBTC loan from Compound. Since the prices of WBTC were already inflating on account of the Uniswap attack. The hackers were able to generate massive returns by selling the WBTC to the Uniswap DEX.

Cream Finance

C.R.E.A.M was hit by a major Flash Loan Attack in 2021. The total loss of the attack was estimated to be $130 million worth of cryptocurrencies. The hackers were able to steal a massive amount of Cream tokens that are used for liquidity maintenance.

However, the record of the hack was added on-chain and the cybersecurity experts are working on retracing the steps of hackers and reclaiming the stolen funds.

On the other hand, the merging partner of Cream Yearn Finance remained safe from the attack since the technical loophole allowed hackers to affect Cream only.

Just like the typical Flash Loan Attack, the hackers took the route of launching repeated Flash Loan orders until they were able to manipulate the price of the oracle. The Cream protocol received some technical aid from Yearn Finance and patched the blind spot that helped hackers.

Alpha Homora

The Flash Loan Attack on Alpha Homoro took place in 2021 and generated a loss of $37 million. The hackers, who targeted Cream Finance, also affected the Iron Bank protocol that was used as the lending wing of Alpha Homora.

Alpha Homora is a yield farming application. The hackers used the same technique of overcrowding the Iron Bank with massive Flash Loan requests. As a result, they were able to stack a gigantic amount of CreamY USD or cyUSD stablecoins.

This hack was based on several layers and consisted of a complex structure. The end goal of the hackers was to manipulate the price of a token called sUSD within the HomoraBank V2 pool.

They kept triggering Flash Loan attacks to take hold of the lending bridge between Iron Bank and HomoraBank V2. The hackers also depended on miscalculated rounded amounts of borrowed cryptocurrencies in this complex Flash Loan Attack.

What Makes DeFi Vulnerable to Flash Loan Attacks?

The DeFi users and Flash Loan applicants should study the following factors that make decentralized applications vulnerable to Flash Loan Attacks:

Flash Loan Attacks are cheap on account of their intrinsic nature. The attackers can start from ground zero without committing any type of collateral. The hackers however need to calculate their attack particulars to a tee and time their attacks with precision.

On the other hand, the execution of the attack also takes place within minutes or seconds. Therefore, there is no time to prevent it if there are no preventive measures present already.

With Flash Loan Attacks, the hackers are placed in a secure and low-risk position. They can carry out their attacks by entering the DeFi protocol under the guise of a regular user.

Furthermore, Flash Loan protocols grant the freedom for the users to remain anonymous and no need for any paperwork or online security checks. Therefore, it is considerably difficult to retrace them without technical expertise.

How to Avoid Flash Loan Attacks?

The developers have managed to come up with some technical solutions to prevent the Flash Loan Attacks. Crypto investors should look for these preventive measures ingrained in DeFi lending protocols to ensure that they are relatively safe from Flash Loan Attacks:

Flash Loan protocols can connect with decentralized oracles like Band Protocol and Chainlink. In this manner, rather the Flash Loan smart contracts will be able to check the prices of a given cryptocurrency from multiple market sources rather than just one DEX.

Some dApps such as Alpha Homora have adopted this preventive measure after getting hit by their first Flash Loan Attack.

Some DeFi applications such as DragonFly Research have suggested processing Flash Loans through two blocks instead of one as a preventive measure. However, this method is considered less effective in case the hackers end up hitting both blocks with Flash Loan Attacks or if the two-block processing mechanism is flawed.

On the other hand, the addition of two blocks can also make the Flash Loan application more complex for users.

Another important precautionary method to avoid Flash Loan Attacks is a detection program. To this end, OpenZeppelin has created and attached a detective smart contract that monitors any suspicious activities and alerts the network managers about exploits.

The detection protocol has been used by some DeFi applications such as Synthetix, Yearn, and Opyn teams.

Conclusion

Flash Loans are one of the most innovative and useful utilities to come out of the DeFi and blockchain space. However, the threat of Flash Loan Attacks can create a FUD among investors and keep them from using this network.

However, the DeFi developers are coming up with practical solutions to prevent this issue and ensure that the Flash Loans become a safe and inclusive experience for all their users.