Flash loans have become increasingly popular in the world of decentralized finance (DeFi) in recent years. They are a type of loan that allows borrowers to borrow and repay funds within the same transaction, without the need for collateral or a credit check.
However, while they can be a useful tool for certain financial transactions, they can also be used in a malicious way known as a flash loan attack.
What are Flash Loans?
Flash loans are a type of uncollateralized loan that allows borrowers to borrow funds for a short period of time, typically a matter of seconds. The loan is repaid in full within the same transaction that it was borrowed, without any collateral or credit checks required.
This type of loan is made possible by smart contracts, which are self-executing contracts with the terms of the loan encoded into them.
Flash loans have become popular because they allow traders to quickly and easily take advantage of arbitrage opportunities across different DeFi protocols. For example, a trader might use a flash loan to borrow funds from one DeFi platform, use those funds to buy an asset on another platform where the price is lower, and then immediately sell that asset on a third platform where the price is higher, and repay the loan, all in the same transaction.
However, while flash loans have many legitimate uses, they can also be used in a malicious way known as a flash loan attack.
What is a Flash Loan Attack?
A flash loan attack is a type of exploit that takes advantage of the fact that flash loans are uncollateralized and do not require a credit check. In a flash loan attack, a hacker borrows a large amount of funds through a flash loan and uses those funds to manipulate the price of an asset on a DeFi platform.
It typically follows three steps:
- Borrowing: The attacker initiates a flash loan by borrowing a significant amount of cryptocurrency from a DeFi platform that supports flash loans.
- Execution: The attacker may use the borrowed funds to execute large buy or sell orders on decentralized exchanges, creating artificial price movements to their advantage.
- Repayment: At the end of the transaction, the attacker repays the flash loan, returning the borrowed funds along with any fees.
To illustrate, the attacker creates a large number of buy or sell orders for the asset, creating the illusion of high demand or supply, and then cancelling those orders after the price has been manipulated. This can cause the price of the asset to rise or fall sharply, which the attacker can then profit from by buying or selling the asset on another platform.
Flash loan attacks have been used to steal millions of dollars from DeFi platforms in recent years, and they are a major concern for the DeFi ecosystem.
A few months ago, on February 16, 2023, the Platypus Finance project experienced a Flash Loan attack that resulted in a loss of $8.5 million. Unfortunately, this is just one of many similar incidents that have occurred. In 2021 alone, Flash loan attacks extracted a staggering $364 million from various DeFi platforms.
Common Flash Loan Attack Vectors
Malicious actors can utilise several different avenues to make away with a quick profit. The specific actions depend on the attacker’s goals, but some common strategies include:
The attacker identifies price discrepancies between different exchanges or markets and exploits them to make a profit. This involves swiftly buying an asset at a lower price on one exchange and simultaneously selling it at a higher price on another exchange, capitalizing on the temporary price difference before it normalizes.
Attackers use flash loans to artificially manipulate the value of a cryptocurrency, either by inflating or deflating its price. This malicious action can have detrimental consequences for traders who have made buying or selling decisions based on manipulated prices, resulting in substantial financial losses.
Manipulating token balances
By exploiting vulnerabilities in smart contracts, the attacker can manipulate token balances or exploit flaws in trading algorithms to their advantage. This could involve exploiting improper input validation or unchecked external calls within the smart contract code, allowing the attacker to manipulate token balances, artificially inflate their holdings, or even drain funds from the contract.
The attacker leverages reentrancy vulnerabilities to repeatedly call back into the same smart contract, exploiting its logic to drain funds or manipulate balances. In a reentrancy attack, the attacker deliberately creates a recursive loop that allows them to repeatedly enter and exit the same function within the contract, exploiting the contract’s design flaws to drain funds or manipulate token balances with each iteration of the loop.
Why Are Flash Loan Attacks So Common?
Flash loan attacks have become increasingly common in the decentralized finance (DeFi) ecosystem. Here are some of the reasons why:
Cheap and Easy to Execute
Flash loan attacks are the cheapest and easiest type of DeFi attack to execute. All that is required is access to a liquidity pool and a substantial amount of collateral, which can be borrowed with no collateral due to the nature of flash loans. This means that almost anyone can attempt a flash loan attack, as long as they have access to the necessary resources.
Price Manipulation and Arbitrage Opportunities
Flash loan attacks are often carried out to manipulate the price of a cryptocurrency asset on one exchange before quickly selling it on another. Because there are so many exchanges around the world, determining a single true price for digital crypto assets is nearly impossible, which creates pricing disparities that can be exploited.
Flash loan attacks have become increasingly common due to their potential for high profits. Attackers have been known to make millions of dollars in profits from these attacks. For instance, on March 13, 2023, Euler Finance fell victim to a flash loan attack, which resulted in a staggering loss of $196 million, making it one of the largest flash loan attacks recorded to date.
The lure of such significant profits has led to a rise in the number of flash loan attacks, and this trend is likely to continue in the future.
Vulnerabilities in Smart Contract Security
Flash loan attacks exploit vulnerabilities in smart contract security. Smart contracts are digital agreements that are anchored on a blockchain network, and they are used extensively in DeFi protocols. These contracts can have coding errors or other weaknesses that attackers can exploit to carry out flash loan attacks, especially if they are unaudited.
Flash Loan Attack Case Studies
Platypus Finance ($8.5 Million)
On February 2023, the Platypus Finance project on the Avalanche network was hit by a flash loan attack, resulting in a loss of $8.5 million. The attacker borrowed 44 million USDC from Aave and used it to stake and borrow more funds from the PlatypusTreasure contract. They then called the emergencyWithdraw function of the MasterPlatypusV4 contract to withdraw the staked lp tokens, despite not repaying the borrowed funds.
This allowed the attacker to directly withdraw the stake. The vulnerability was caused by a logic issue in the emergencyWithdraw function, which did not check the user’s status in repaying their borrowed funds.
Euler Finance ($196 Million)
In March 2023, Euler Finance, a lending protocol, experienced a flash loan attack resulting in a loss of approximately $196 million, making it the largest hack of 2023. The attacker exploited a vulnerability in the donateToReserves function of the Etoken, allowing them to generate profit by executing multiple calls with different currencies.
While Euler Finance managed to negotiate the recovery of the tokens from the attacker, the $196 million flash loan attack on the platform serves as a stark reminder of the inherent risks associated with flash loan attacks. It emphasizes the need for DeFi projects to prioritize security and adopt rigorous security measures, including regular vulnerability checks, to minimize the potential for similar attacks in the future.
Alpha Homora Protocol ($37 Million)
Alpha Homora, a leveraged yield farming protocol, was targeted in the largest flash loan attack of 2021, resulting in a loss of $37 million. The hacker used Iron Bank, a lending platform from Cream, to repeatedly borrow sUSD through Alpha Homora’s dapp. Each time, they doubled the amount borrowed and lent the funds back into Iron Bank to receive cySUSD in return.
They then used sUSD obtained from a flash loan to repay the loan and lend to Iron Bank, enabling them to borrow and lend more of them and receive more cySUSD. By repeating this process many times, they stole large amounts of cyUSD and used it to borrow other cryptocurrencies from Iron Bank, such as WETH, USDC, USDT, and DAI.
How Can We Prevent Flash Loan Attacks?
There are several ways to prevent flash loan attacks from being successful.
One of the most effective is to implement circuit breakers, which are automated mechanisms that halt trading on a platform if certain conditions are met, such as a sudden drop in liquidity or a large price movement. Circuit breakers can prevent flash loan attacks by preventing large price movements from occurring, which can make it more difficult for attackers to manipulate the price of an asset.
Limit Transaction Sizes
Restrict the maximum loan amount or borrowing limits for flash loans. By imposing limits, the potential impact of an attack can be mitigated, as the attacker’s ability to manipulate large amounts of funds within a single transaction is significantly reduced.
Risk Assessment and Monitoring
Continuously assess the risks associated with flash loan attacks. Stay updated with the latest attack vectors and vulnerabilities. Implement monitoring systems to detect abnormal behaviour or suspicious transactions within the platform.
Secure Smart Contract Development
Follow best practices for secure smart contract development, such as using well-audited libraries, implementing input validation and sanitization, and avoiding unchecked external calls. Employing formal verification techniques can also help ensure the correctness of the contract code.
Implement Time Delays
Introduce time delays or cooldown periods before allowing borrowed funds to be used in certain transactions. This can provide an opportunity for manual review or intervention if suspicious activity is detected.
Conducting thorough security audits of smart contracts and protocols to identify vulnerabilities and potential attack vectors is also an excellent way to prevent potential flash loan attacks. Independent security firms or specialized auditors can review the code and suggest improvements to make it more resilient against flash loan attacks.
Flash loans have become an important tool in the DeFi ecosystem, but they can also be used in a malicious way through flash loan attacks. To prevent these attacks, DeFi platforms must implement effective security measures, such as circuit breakers and regular audits, to ensure that their users’ funds are safe. While flash loan attacks are a major concern, with proper precautions and best practices, the DeFi ecosystem can continue to grow and evolve in a safe and secure way.
If you want to make sure that your projects are secure and protected from potential flash loan exploits, our team would be happy to learn more about your project and your specific needs, and ensure that your project is as secure as possible.
Stay up to date with the latest news and insights on Blockchain and Web3 security by following us on Twitter @numencyber.