Throughout the year we have seen the DeFi crazy explode but with them, a new phenomenon also began to appear. This new phenomenon was Flash loan attacks on different lending platforms. When I first read about it I was not that big in the whole lending game so I just kind of ignored it and said to myself "lets wait till they iron out this stuff first". Since then though I have begun to dabble in different lending pools and different DeFi that facilitate them. By doing so and seeing the attacks continue to occur I realized I needed to finally try to figure out what a flash loan attack is.
When I first began looking at these attacks to learn about them I quickly realized I needed to learn what a flash loan even was because the idea of lending out money to someone but have them pay it back in the same transaction seemed crazy to me. However, blockchain allows you to do just that via smart contracts. The basic idea is you borrow the crypto from place A where it has a low price sell it at place B with a higher price pay back your initial loan from place A and keep the difference. Initially, I had a really hard time wrapping my head around the idea that an unknown person could just borrow unlimited funds from a place without any collateral, or stuff backing the loan. Once I threw out all the information and knowledge I have about how a loan works from a bank out the window only then did this makes sense to me.
Let's pretend though that you are someone who is up to no good and just want to take the crypto you borrowed and try to make a run for it. Well luckily for the people you tried to rip off smart contracts are able to reverse the loan. I think of it as snapping back and canceling out the whole transaction so that the funds are returned to who they belonged to in the first place. How this is able to happen though is that the whole transaction happens at once. At the same time, it is being taken out it is also being paid back so in theory if the person tries to take off with the funds they won't be able to because they would not pay back the transition at the same time.
How then would it be possible for these attacks to occur? Well, the first and easiest explanation is there was an issue in the code that left the lender vulnerable to an attack like this. Any missteps in coding can leave huge swaths of contracts vulnerable and that's why having the codes audited is a big thing to help look for these errors.
These bugs that are found revolve around manipulating the price of the asset that's being targeted. In layman's terms, it's a pump and dump scheme but it just takes seconds to execute. They can also be caused by bad price data from the data oracles that leave the value in rough territory allowing manipulation to take place. By manipulating the data the person launching the attack can make it appear that the loan was fulfilled when it was not at all. They just got the number to barely work so that it went unnoticed by the computers allowing the transaction to occur. When this happens the lending platform is left empty-handed and missing the funds it lent out.
While security is continuing to increase in this realm of DeFi these attacks have kept happening. Malicious actors will continue to try and exploit this feature in the smart contracts but platforms and decentralized exchanges are trying to change that and have been making progress as the attacks are not happening all of the time given the number of lending platforms available to lend on. Hopefully, code improvements continue to be made on both ends to fix this issue and the bad price oracles are phased out or upgraded to better maintain the true price of the asset or crypto in play!