According to a recent report, flash loan attacks are on the rise. What are they, and what are the risks?
Imagine being able to take out a loan of almost unlimited size without putting up any collateral. There’s only one catch. You have to pay it back almost instantly. Sound strange? It probably does. But that is exactly what a flash loan is. As the name suggests, these loans take place almost instantaneously. (Think the DC Comic superhero, The Flash, who can travel at the speed of light.)
A recent report by De.Fi suggests that flash loans are on the rise and bad actors make use of them in an increasing number of exploits. In Q1 of this year, $200 million was lost through this style of exploit.
But why would someone want to take out a near-instantaneous loan? Well, like many things in crypto, it comes down to good returns.
Flash Loans and Flash Loan Attacks Explained
The logic of flash loans relies on arbitrage, the process of taking advantage of small price differences. Unlike other kinds of loans, flash loans do not require a lengthy approval process, so they can be executed quickly. “Given the low fees involved in the one-transaction loan, there is a huge potential for high returns,” explained Artem Bondarenko, Software Architect at De.Fi, in an interview with BeInCrypto. “For creditors of a flash loan, there are no risks as the loan gets returned right away. Otherwise, the transaction fails.”
In traditional finance, there is nothing exactly like a flash loan. It’s similar to a call option but with some significant differences. With a flash loan, you can use the borrowed money right away, while with a call option, you need to wait. Also, in traditional finance, transactions usually happen one at a time, whereas with flash loans, they happen in blocks. However, these short-term instruments are not completely without a downside, as De.Fi’s report outlines.
“A flash loan attack takes place when someone is able to borrow a huge amount in one place and use it to manipulate prices by buying or selling in large quantities, thereby influencing the price of an asset,” said Bondarenko. “Then using that change in price to exploit the opposite buying or selling on another side, creating arbitrage between prices in the two places, then repaying the original loan and pocketing the difference.”
“If the liquidity protocol is properly designed with the right pricing oracles, this shouldn’t be an issue, but in cases where the design is poor, it’s a vulnerability that can be exploited and lead to a mass liquidation event,” Bondarenko added.
Who Are the Victims?
Flash loans are attractive to attackers because they allow for borrowing large sums of cryptocurrency without providing collateral. To prevent such attacks, better security measures such as code audits and robust smart contract design can be implemented, and awareness of potential attack vectors can be raised within the DeFi ecosystem.
On March 13th, Euler Finance, a well-known Ethereum-based lending protocol, was hacked, and the attacker stole millions of dollars worth of different cryptocurrencies, such as Dai, USDC, Staked Ethereum, and Wrapped Bitcoin, by executing multiple transactions.
The total amount stolen was almost $196 million, with $8.7 million in Dai, $18.5 million in WBTC, $135.8 million in StETH, and $33.8 million in USDC.
The attacker moved the stolen funds from Binance Smart Chain to Ethereum using a multichain bridge, then conducted the flash loan attack. They deposited the stolen funds into Tornado Cash, a well-known crypto mixer, to complicate recovery efforts and conceal their identity.
The month before, on February 16, Platypus Finance, an automated market maker, suffered a separate flash loan attack. The attacker stole $8,500,887 worth of stablecoins, including USDC, USDT, BUSD, and DAI.
In this case, the attacker took advantage of a vulnerability in the USP solvency check mechanism. In the process, the attacker secured a flash loan of 44,000,000 USDC, then swapped it for 44,000,000 Platypus LP-USD. They then minted 41,700,000 USP tokens without cost, which got swapped for various stablecoins.
Platypus Finance has been collaborating with third-party services to freeze the stolen assets, and some have already been frozen. The malicious contract was removed and additional security measures implemented to prevent future attacks. However, the attacker managed to transfer some of the stolen funds.
How to Reduce the Risks?
In one way, Flash Loans are one of the great equalizers of crypto. They allow traders with less capital to engage in high-reward trades that would usually only be open to so-called Whales. “But as we’ve seen numerous times, flash loans also pose a big risk for DeFi protocols that don’t account for such things,” Adrian Hetman, Tech Lead of the triaging team at Immunefi, told BeInCrypto.
“Protocols shouldn’t only protect themselves against possible flash loan-enabled attacks but also from Whale attacks, i.e., what would happen if big players suddenly used their massive funds to use our protocol? Would the system behave as intended? What is our ‘intended’ business flow?” Hetman continued. “Threat modeling would help reveal potential weaknesses of the system.”
“Using Time-Weighted Average Price (TWAP), oracles can help minimize price manipulation by averaging prices over a specific time period, making it more difficult for attackers to manipulate prices in a single transaction. Additionally, implementing multi-oracle systems can provide redundancy and cross-checking for price data, further strengthening defenses against manipulation,” Hetman added.
By implementing circuit breakers, flash loan attackers can be prevented from profiting from manipulated prices when significant price swings are detected, explained Hetman. “Once the cause of the price swing is identified and addressed, trading can resume. This needs to include potential valid trades that may only seem as suspicious from the outside.”
“It’s also important not to allow major protocol actions to happen over only one block. Flash loans, most of the time, only can be taken in one transaction for one block,” Hetman added.
Disclaimer
Following the Trust Project guidelines, this feature article presents opinions and perspectives from industry experts or individuals. BeInCrypto is dedicated to transparent reporting, but the views expressed in this article do not necessarily reflect those of BeInCrypto or its staff. Readers should verify information independently and consult with a professional before making decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.