Flash Loan Attack

Publication Date :

Edited by :

Table Of Contents

arrow

What Is A Flash Loan Attack?

A Flash Loan Attack refers to an act where individuals exploit smart contracts under Decentralized Finance (DeFi) across the Ethereum network, making them vulnerable to unauthorized modifications or violations in the cryptocurrency market. Here, the attacker takes out a flash loan, uses the contract to manipulate market variables for their cause, makes a profit, and repays the loan within the same transaction.

Flash Loan Attack

Flash loans are unsecured loans that can be borrowed and settled within a single transaction. Extensive market manipulation is part of this act, as it facilitates profit-making. These loans are considered the most common DeFi attacks as they are cheap and easy to execute. The feature was introduced to give participants access to quick trades; it was also used to disempower borrowers and make it impossible for them to default on loans.

  • Flash loan attacks are DeFi attacks under the pretext of flash loans. They are unsecured loans, i.e., given out without collateral and enforced by smart contracts.
  • These loans are a facility Aave provides, a renowned lending DeFi protocol.
  • They are convenient as the loans are given out instantly without collateral, limits, or credit checks. The only condition is that borrowers must repay such loans before the original transaction concludes.
  • In many countries, the DeFi space is yet to come under regulation. However, employing circuit breakers, transaction limits, and time lags can help prevent these attacks by slowing down attackers.

Flash Loan Attack Explained

Flash loan attacks are DeFi attacks under the pretext of flash loans. They are unsecured loans, i.e., given out without collateral and enforced by smart contracts. These loans are a facility Aave provides—it is a well-known decentralized lending DeFi protocol.

The loan, once taken, is settled in the same transaction. These loans are convenient as they are given out instantly without collateral, limits, or credit checks; the only condition is that the borrower repay them before the transaction concludes. Funds are taken out of the blockchain and returned, and the attacks take place within the time the funds are repaid or returned.

Each blockchain has a different execution time. For example, a Bitcoin transaction takes 10 to 30 minutes to get confirmed and added to a blockchain. Ethereum has a duration of 13 seconds. If an attacker uses an Ethereum blockchain, the flash loan must be repaid within 13 seconds. In a planned attack, an attacker uses this tiny window of 13 seconds to manipulate certain variables (typically a price-related vulnerability, discrepancy, or alteration) and gain an advantage.

Attackers often manipulate the market to create opportunities for arbitrage trading. Multiple trades of coins and tokens are executed within a tiny timeframe or small window. Contracts are written to exchange large amounts of borrowed coins for other coins while executing flash loan attacks in crypto.

The huge volume increases the demand for the coins bought, and the prices of these coins also increase. Attackers make every possible attempt to benefit from this volatility in a very short span. The coins are then immediately sold to make a profit. The smart contract will reverse all buy/sell activities if the debt is not repaid in a single transaction, making it appear like the loan was never availed.

Examples

Let us study some examples to understand the concept in greater detail.

Example #1

Suppose Adam is an attacker planning to take out a flash loan to profit through arbitrage. To execute it, he notes the prices of the asset he wants on different platforms. Assume that the value of Ethereum on Platform XYZ is $25, and on Platform ABC, it is $30.

He could take out a loan of $1 million and buy coins from Platform XYZ. Adam now transfers these coins to Platform ABC and sells them for $30 per coin. Through the transaction, Adam gains $500,000 without much effort. The loan of $1 million buys him 50,000 coins from Platform XYZ. When Adam sells it at $150,000 on Platform ABC, he is left with a considerable profit of $500,000.

Example #2

In April 2022, an attacker secured flash loans, used them to buy an asset, and sell it off to make a profit. The attacker had borrowed approximately $1 billion in crypto from Aave, the DeFi protocol. They used it to buy a controlling interest in Beanstalk. Beanstalk Farms is a DeFi project initiated to balance the supply and demand of cryptocurrencies. The attacker had a supermajority stake of 67% and could move the tokens into their crypto wallet. The person used the majority voting system of the DeFi protocol to wipe off $182 million worth of cryptocurrency from Beanstalk!

Risks

Flash loans may be a profit-making tool for attackers. However, the crypto community, in general, incurs losses due to such attacks. Investors who believe their assets will appreciate lose money once attackers sell tokens and coins and move out of the market. These attacks can penetrate weak DeFi protocols and destroy systems, forcing participants to incur significant losses. Data leaks are another threat. Also, investor confidence in crypto may decline due to such incidents, which will curb the field's growth.

How To Prevent?

In many countries, DeFi remains unregulated. Hence, focused attempts to thwart flash loan attacks in crypto are possibly the only way to prevent such incidents. Let us study some measures that can be taken to prevent these attacks:

  • Circuit breakers: This is an automated mechanism that alerts the relevant entities and prevents further activity on a platform based on certain conditions. The conditions programmed as triggers could be a “sudden drop in liquidity” or “extreme volatility in a short period”. When such occurrences are seen, trades can be paused. This might help prevent attackers from manipulating asset prices.
  • Transaction limits: At present, flash loans have no transaction limit. If they wish, borrowers can borrow substantial amounts without collateral. If borrowing limits are enforced, attackers cannot borrow, manipulate, and repay large amounts in a single transaction.
  • Monitoring systems: Investors could monitor the markets and note any asset that registers suspiciously huge price variation or volatility. When investors notice unreasonable price volatility in any form, they can refrain from investing and watch the markets closely. In such cases, they should ideally invest only when things seem normal. Investing in quick (short-term) trades is risky and brings significant financial problems if the amount used to execute these trades is huge.
  • Time delay: Introducing a period of delay, where a certain amount of time must pass before the borrower can use the funds, can be useful. Regular audits to check vulnerabilities are also recommended, in addition to boosting the relevant or associated security protocols on DeFi platforms.

Frequently Asked Questions (FAQs)

1. Is flash loan attack illegal?

They cannot be classified outright as illegal. Manipulating the crypto market and making profits in the DeFi space is largely unregulated across many countries. However, there are no definite laws that classify them as illegal.

2. Will flash loan attacks stop?

Flash loan attacks are becoming increasingly common because they are convenient. They might stop if there is a loan limit, collateral is demanded, or credit checks are run, as these are the major factors that drive misuse and fraud.

3. Is a flash loan attack real?

Yes. Several billion have been reported as lost or stolen via DeFi portals where security was weak. These attackers typically have exceptional technical expertise required to manipulate asset prices.

4. What are the common factors in flash loan attacks?

Making quick profits is the main driving factor. The lack of credit checks, collateral, and borrowing limits offers the convenience attackers need to carry out their activities almost undetected. Other crucial driving factors include opportunities for arbitrage and market manipulation.