What Is Defi Flash Loan & How to prevent the Flash Loan Attacks ?

What Is Defi Flash Loan & How to prevent the Flash Loan Attacks ?

By CryptoWise | CryptoWise | 30 Jun 2021


Defi platforms are all poised to replace all the banking services, but having said that they are still vulnerable to security attacks and market manipulation, due to the decentralization fabric. Let's explore Flash loans today and try to decode its pros & cons 

1*Jp9W4dTEQOYwmg6jzO-E8w.jpeg

I feel:

“Decentralized finance magic has just begun and here to stay, so if you are one of those early adopters of Defi projects & coins, do remain patient and keep doing your homework in picking up its multiple-use case to earn some extra cash. As Defi is still vulnerable to many hacks and security breaches so that extra bit of caution will keep its magic intact”

Today we will learn about one more cool Defi offerings termed Flash loans & also understand the use case along with the associated risk factors one should be aware of.

We will cover this Defi flash loan journey learning the following stuff:

  • What Is Flash Loan?
  • What are the key attributes of Flash Loans?
  • How To Use Flash Loans?
  • What Is Flash Loan Attack & How Does It Work?
  • How To Secure Yourselves From Flash Loan Attack?
  • Closing Remarks & Summary

What Are Flash Loans?

1*V_rfIhS7NjC4jLVMl4VNFA.png source: hackingdistributed

In the crypto Defi space, the flash loan is one very unique instrument of trading where users can borrow an unsecured loan from the lender without any third-party intermediary. The smart contract governs the transactions and ensures that the transaction only gets executed when all the set rules given in the contract have strictly adhered to.

In our traditional banking system, loans fall under two category secured & unsecured, secured loans required the user to attach some kind of security as collateral but in the case of the unsecured loan, collateral is not required, loan gets sanctioned based on your past CIBIL/CRIF score, which takes your past records of paying back loans into consideration.

Similarly, an unsecured flash loan works for you where certain rules are pre-decided and if it is obeyed then only your loan transaction gets through

Unique Characteristics Of Flash Loans You Should Be Aware Of:

Driven By Smart Contract Rules:

Smart contract a blockchain software encompasses all the rules required to facilitate flash loan transactions. The smart contract ensures that no handshake gets completed happens until the borrower has paid back the loan before the transaction ends.

What if Borrower Defaults?

If the borrower defaults the smart contract reverses the transaction which means the loan never happened in the first place.

It’s quick & Instant :

As it is clear from the term Flash which signifies something which pops up & stays for a short duration, that which is instant. Similarly, the flash loan is instantaneous, the loan seeker has to use smart contracts to perform instant trades against the loan lent by the lender, this trade has to happen before the transaction ends, which usually stays for few seconds.

It is collateral Free(unsecured instrument):

As we have already discussed a flash loan is a kind of unsecured loan where no security is needed on the part of the borrower, to seek a loan. having said that it is collateral-free, we have to understand that it doesn’t mean that lender will not get back his lent amount.

It does happen by the use of a smart contract where Instead of offering collateral, the borrower has to pay back the money instantly before the contract expires

So to summarize:

Flash loan has a very little lifespan and all the lending-borrowing has to happen in that short duration before it expires like a flashlight

Why Flash Loans Are Used?

I feel:

At the outset, this instrument does offer you a a cool tool, to make some handsome gains if you are well versed in the game of arbitrage trading. For newbies, it may look somewhat overwhelming to use, so it is recommended that until you understands the crypto market fully and have gain sufficient experience, you should refrain from using this tool

So let’s discuss some of the popular use cases of Flash Loans,

Arbitrage Trading:

Different exchanges in the crypto universe do have some price difference of (1–3 %)for the same token/coin being traded, due to time zone difference and trading volume and order books. These price discrepancies across different exchanges open up a small window for traders to generate profits quickly. This mechanism is termed arbitrage trading.

These traders make use of this flash loan tool to leverage & buy the coins at a low price from one exchange and sell it at a higher price on another exchange, thus generating some quick profits and pays back the loan. All these happen in a very short window of time to make arbitrage effective & yes this can be a little risky too, so a little caution is required.

Swapping collaterals:

Flash loans are also utilized by traders to swiftly swap the low-quality collateral which is backing the loan in concern with some other high-quality collateral.

To Save Transactions Fee:

Since flash loan rollout aggregates all the complex transactions into one single step, which generally goes through multiple steps in normal transactions, the Gas fee required is quite at the lower side. Son traders can also save some Gas fees using flash loan utility to buy & sell concerned digital coins/tokens.

Now that you have digested what is a flash loan and how one can benefit from it. It is extremely important to understand the negative side of it. Flash loan may look quite alluring and rosy to start with, but beware it is not free from security vulnerabilities.

Let’s discuss what are those security issues and how one can tackle the same

Risk Associated With Flash Loans:

“Your greatest strength sometimes also becomes your greatest weakness”

Flash Loan Attacks:

Flash loan's strength lies in the smart contract software and the same smart contract is also its biggest weakness. This smart contract is vulnerable to one very prominent & common security attack termed, “Flash Loan Attacks

What Is Flash Loan Attack & How Does It Work?

Suppose Angela wants to borrow $20,000 worth of USDT, a lending protocol supporting flash loan instantly provides it to Angela without any collateral, but now Angela has the obligation to pay back the same before the flash loan transaction gets over. In order to do so, Angela has to act fast as debt has to be paid back to the lending protocol on time before the transaction is reversed.

As collateral was not required and lending protocol completely relies on smart contract to ensure angela pays it back, is where the loophole exists, What if that software starts misbehaving due to some bug? Or the rules are manipulated by the intruder and the agreement gets tampered with. This exploitation of blockchain software where the smart contract gets gamed leads to an attack on the flash loan protocols and is often known as a Flash loan attack.

Let’s further understand this attack on flash loans by some real-world incidents which have happened in the past

Some Popular Flash Loan Attack Incidents :

  1. dydx Flash loan attack :

This incident occurred in the year 2020, where attacker borrowed ether flash loan from dYdX lending DApp (Defi exchange ), bifurcated this loan amount into two parts and traded it on two different lending platforms named Compound & Fulcrum

The attacker used a portion of Ethereum loan to short it against WBTC on the Fulcrum exchange which triggered Fulcrum to acquire this WBTC by relaying this info to another Defi protocol named Kyber, which eventually fulfilled the order request using Uniswap DEX. As Uniswap's liquidity pool had very low liquidity at that point of time, the price of WBTC rose significantly, meaning that Fulcrum eventually overpaid for the WBTC it purchased.

Meanwhile, when the Fulcrum transaction was taking place, the attacker leveraged the remaining dYdX loan amount to a borrow WBTC as flash loan from the Compound Defi platform, as soon as the price shot up, the attacker flipped the borrowed WBTC on Uniswap and made some healthy profit and used the same to repay the taken from dYdX and pocketed the reaming ETH.

This incident highlights the clear vulnerability of our smart contract protocols, which in this case happened to be bZx protocol used by Fulcrum. By engaging in multiple transactions with 5 different Defi protocols, the attacker was able to trick bZx protocol into thinking that WBTC was worth a lot more than it actually was. This is a pure market manipulation without actually breaching the smart contract rule of paying back the loan before the flash loan transaction came to closure.

PancakeBunny Attack:

This is the recent incident that happened on May 2021 at PancakeBunny: A Defi-based Yield Farming platform. The borrower(attacker ) used PancakeSwap to purchase a large chunk of BNB tokens and used it to manipulate the price of USDT/BNB and BUNNY/BNB in PancakeBunny’s liquidity pools.

This helped the attacker to accumulate a large chunk of BUNNY token, which was dumped on the market to create a price crash. This helped him to clear his debt using PancakeSwap.

As per bscscan data, it was reported that the attacker gamed the flash loan smart contract protocol to amass nearly $3 million in profits

In fact, there have been many more flash loan attacks in 2020 and 2021 which highlights the existent loopholes in our lending protocols supporting flash loans as a service. So how can one protect their har earned money from such malicious attacks?

How DeFis Can Safeguard Themselves From Flash Loan Attacks?

Flash loan concept is still not matured and is hardly 2 years old, and so their protocols are yet to become robust and fully sanitized to all these tricks and manipulations. But yes one can take some preventive measures to overcome this issue to some extent if not fully. Let s explore the same.

Using Decentralized Pricing Oracles Like Chainlink & Band Protocol:

One optimal way Defi’s can mitigate this flash loan attack is by making use of decentralized pricing oracles like Chainklink and Band Protocol to fetch price feeds instead of relying on a singular DEX platform (which is vulnerable to attacks )

Alpha Homora learned from his past flash loan attack incident and decided to launch their Alpha Oracle Aggregator last May2021.

Using Tools Which Can Identify Flash Loan Attack Possibility:

Flash loan attackers make use of the delay which is caused by the Defi platform to honor the transactions, what is any tool that can help you prevent this loop exploitation, yes there are some tools like OpenZeppelin

OpenZeppelin Contracts helps you minimize risk by using battle-tested libraries of smart contracts for Ethereum and other blockchains. It includes the most used implementations of ERC standards.

Defi platforms can leverage such kinds of tools to detect smart contract bugs & exploits and also trace any unusual activity so that a proactive defense mechanism can be taken to neutralize attacks.

Openzepplin is being already employed by Synthetix, Yearn Finance, and Opyn blockchain projects to single out such attacks.

“Many more tools similar to OpenZeppelin are being developed and will be needed and as more attacks get identified more secure this Defi platform will become with time passing by. Till then as a user exercise your trade with that extra bit of caution of in-depth research about the platform you have decided to use. ”

Let’s Sum-up :

“AAVE led the race by offering this unique money-making instrument and many others like UniSwap and other Defi projects followed the suit. This instrument in itself is still not mature and will take another 4–5 years to become more secure, reliable, and trustworthy. So as a wise user or trader do your homework and factor in the associated risk before engaging in your first flash loan trade.

I feel:

If your intention is to make some extra bucks, definitely you should leverage it, but being extremely greedy may expose you to some unwanted risks and series of events which may work against you ”

Disclaimer!

Opinions expressed here at CryptoWise are not investment advice and are only for educational purposes. Investors should do their due diligence before making any high-risk investments in Bitcoin, cryptocurrency, or digital assets. Please be advised that your transfers and trades are at your own risk, and any losses you may incur are your responsibility

Note!

This article was originally  published on my Medium account,  here is the link for the same

https://medium.com/crypto-wisdom/what-is-a-defi-flash-loans-flash-loan-attack-c130c83d9811

 

How do you rate this article?


168

1

CryptoWise
CryptoWise

On a mission to educate one and all about crypto and blockchain technology


CryptoWise
CryptoWise

Get educated about blockchain and crypto projects and concepts with the simple to understand content

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.