While demand for flash loans is increasing, and flash loan provider Aave has reached a record $288 million demand for its flash loan services, a new threat is emerging.
According to CertiK's report, a total of $308 million was lost in Q2 2022 due to 27 flash loan attacks, and $14 million was lost to flash loans in Q1. In this article we will explore the top flash loans attacks of 2022.
TL;DR
- Flash loans allow users access uncollateralized loans that get repaid on the same transaction.
- Flash loans use atomicity, which is an ability for several transactions to occur at the same time. Each transaction depends on the success of the other.
- Flash loans are mostly utilized by developers because of the technical skills required to create them.
- Top flash loan providers include Aave, Equalizer, dydx and uniswap.
- Beanstalk had the highest flash loan attack of 2022.
Crypto Flash Loans: What Are They?
Crypto Flash Loans are uncollateralized and unlimited loans that can be borrowed on the DeFi network. In other words, Flash loans borrowers can borrow any amount of cryptocurrency without any collateral. The word, "flash" is a pointer to the speed with which the loans can be borrowed and repaid. In fact, the loans are borrowed and repaid in the same transactions. Ethereum's atomicity makes this process possible. Atomicity is the process where the failure of one part of the transaction leads to cancellation.Although they are closely linked, flash loans and DeFi lending are different.
How Flash Loans Work
Flash loans make use of smart contracts. Because of the technological expertise necessary to manage them, flash loans are typically used by developers. These pre-set instructions are automatic and carry out the transactions on their own.
First of all, the prospective borrower applies for a flash loan. Then the borrower lays out the procedures of exchange by detailing how the loan is going to be utilized. After the transaction is successful, the borrower repays the loan with the interest fee. Should the borrower fail to repay the loan or fail to make a profit, the loan is cancelled and reversed to the lender.
Notable Flash Loan Providers
AAVE
Stani Kulechov, Jordan Lazaro and Nolvia Serrano created ETHlend in 2017. The platform allowed users to lend Ethereum-based tokens. The name was changed to Aave, a Finnish word for ghost, in 2018.
The platform is based on Ethereum and facilitates the creation of money markets. It operates a dual-token model. The tokens are aToken which compounds lender's interest and LEND which is used as a governance token. The current flash loan cost is 0.09%; it can be changed through the regular governance procedure.
Aave deals in a variety of assets. Some of them are DAI(DAI), Ethereum(ETH), Decentraland(MANA) and many more. Aave has a Total Value Locked of $3.83 billion.
dYdX
dYdX flash loans don't have a default risk because the loan is repaid in the same transaction and there isn't any collateral. A flash loan can be obtained by anyone with technological know-how. The protocol became a significantly more appealing option for those looking for larger flash loans when fee-free flash loans were added in February 2020.
UNISWAP
Hayden Adams is credited with the creation of the protocol in 2017. Just like every other DEX platform, Uniswap allows users to carry out transactions without third-party interference.
The platform runs on and accepts various blockchains like Ethereum (ETH), Binance Smart Chain (BNB), Polygon (MATIC) and so on. Uniswap’s governance token used in making decisions on the platform $UNi. It is used in voting and can also be traded on exchanges.
The Total Value Locked of Uniswap sits at $3.54 billion.
Equalizer
Equalizer Finance boast of being the first DeFi-specific flash loan platform on Ethereum, Polygon, Polygon, and BSC Chain. Equalizer currently charges a 0% flash loan fee.
Solend
Solend is a lending and borrowing platform built on the Solana blockchain. Flash loans are short-term loans made available by Solend that let customers borrow money without putting up any security.
Solend is collaborating with Hawksight and GoblinGold, and aspires to open source its flash loans v2 SDK in order to allow other Defi yield protocols or users to utilize flash loans to enter profitable positions. It currently charges a 0.3% Flash loan fee.
zkLend
zkLend, like AAVE and DyDx, supports flash loans. zkLend employs Empiric Oracles to screen markets in real time and avoid price machinations caused by flash loans gotten from its platform. zkLend is yet to launch its token.
Top Flash Loan Attacks Of 2022
Beanstalk
On April 17, 2022, hackers attacked Beanstalk Farms. The attacker took a loan from Aave and used the loan to purchase large amounts of Beanstalk Farms' governance token–STALK. Since this token gives its holders the right to vote on how the platform is run, the hacker voted that the platform's assets be deposited in a single private Ethereum wallet. Then the hacker escaped with cryptos valued at over $80million. The total loss was estimated to be $182 million. Also, BEAN, the platform's exchangeable token, slumped by 75 percent.
Lodestar Finance
Lodestar Finance lost more than $5 million as a result of a flash loan attack on December 10, 2022. The attacker exploited a critical flaw in plvGLP oracle. The attacker first exploited the plvGLP token price of PlutusDAO before borrowing all of the platform liquidity using the overvalued token. As a result of the attack, the attacker earned an estimated $5.8 million, and Lodestar's TVL (total value locked) fell from $7 million to $11.06 in 24 hours, while the LODE token lost 12% of its value.
Quickswap
In a flash loan attack on Monday, October 24, 2022, Polygon's top dex Quickswap was exploited for $220,000. Although no user funds were lost, the attacker completely depleted QuickSwap's liquidity pool by manipulating the market price of the QuickSwap tokens using flash loans and then using the tokens' increased value as collateral for loans.
After exchanging the stolen tokens, the exploiter transferred the money using Tornado Cash.
Feed Every Gorilla (FEG)
FEG experienced two flash loan attacks over the course of two days, from May 15 to May 16, 2022. Following the initial flash loan attack, 143 ETH ($305k) were uccessfully stolen via a second flash loan attack. FEG total losses of $1.3 million caused an 80% drop in token price.
SoulSwap
Soulswap is a cross-chain ecosystem powered by $SOUL on $AVAX that allows users to yield, lend, borrow, leverage, and launch all on the same platform. On Nov 16, Flash loans were used in an attack on soul swap. The CoffinBox liquid balances, primarily $FTM and $BNB, were cleared out by the flash loan attacker, who made off with over $40,000.
Inverse Finance
On June 16, the lending protocol Inverse Finance was the target of a flash loan attack, which cost it 53 wBTC, 100K USDT totaling $1.2 million.
The hacker employed the price oracle manipulation, which makes unfair use of the asset pool balances to determine the direct price of the LP token. The price of the crv3 LP token increased after the hacker traded 27k wBTC into the tricrypto pool. The attacker had the security necessary to obtain a loan from the pool. They exchanged it for USDT, paid back the loan, and took the remaining amount off the cvr3 market. To escape with the illegal profits, the attacker used a cryptocurrency mixer.
Nirvana Finance
On July 28, 2022, Solana stablecoin Nirvana lost 90% of its value due to a flash loan attack that they lost $3.5 million.
The hacker had used a $10 million USDC flash loan gotten from Solend, to mint $10 million worth of ANA tokens.
The Nirvana protocol's total value locked (TVL) dropped to 7 cents as a result of the attack, and its whole liquidity pool was depleted.
Omni
On July 10, hackers attacked the NFT lending platform Omni using a flash loan attack to steal about 1,300 ETH ($1.43 million). Since Users of the Omni platform could borrow cryptocurrency against their NFTs, NFTs from the well-known Doodles collection were used as security by the hacker to borrow wETH. The borrowed Ethereum became a bad debt that the borrower is not required to repay because the attacker took advantage of a reentrancy vulnerability in the Omni protocol and cleared the debt immediately after the reentrancy point.
Reentrancy is a known vulnerability in Solidity-coded projects that enables a malicious actor to compel a smart contract to request an untrusted contract externally. This external call enters the protocol repeatedly to deplete its liquidity because it runs before the initial function.
Crema Finance
Crema Finance, a concentrated liquidity protocol built on the Solana (SOL) blockchain, suffered a loss of over USD 8.7 million in cryptocurrency on Sunday, July 3. The hacker began by making a fake tick account, which is a dedicated account that stores price tick data in a concentrated liquidity market maker. The fake tick account replaced original transaction fee data with an altered one that gave excess fees to the tick account. Following which the tick address was written into a fake transaction account and smart contract deployed to enable the new account borrow a flash loan from Solend to add liquidity to open positions. The initiated transaction led to the hacker receiving a huge transaction fee from the pool due the altered transaction fees data on the fake tick account.
After a deal with Crema finance, the white hacker returned part of the fund.
Mango markets
Mango Markets, a trading platform on Solana, suffered a $116 million loss as a result of a "flash loan" attack by a hacker.
The attacker raised the price of MNGO coins artificially by five to ten times using two accounts. By taking out a futures position, the hacker was able to manipulate the price. This made it possible to borrow out of the Mango platform. The attacker used previously acquired coins to borrow nearly $23 million worth of SOL, $54 million worth of USDC, $25 million worth of mSOL, and $5 million worth of Bitcoin after increasing the value of MNGO coins to over 2,000%.
Avraham Eisenberg, a user of the social media platform Twitter has claimed responsibility for the hack. Eisenberg asserted in a series of tweets that all he did was legal because he followed the protocol exactly as it was intended. Some of the funds that were lost have been returned thanks to the alleged hacker.
Conclusion
Just like every other service the DeFi Industry is offering, Flash Loans should be threaded cautiously. Hackers have always made their presence known and the risk of investors losing their assets is always present. Until Flash loan platforms make their codes foolproof, the threat of loss will always loom like a dark shadow over the DeFi world.
About Pontem
Pontem Network is a product development studio developing the next generation of dApps for the Aptos ecosystem in order to accelerate global adoption for both customers and institutions.
Pontem also created a fork of the Diem Move Virtual Machine that is easily deployable to other current chains such as Polkadot, Avalanche, Cosmos, and others.
Aptos, a Layer 1 POS network with over 100 apps developed on it, was established by Mo Shaikh and Avery Ching with the goal of creating the most secure and scalable blockchain possible. After a series of testnets were released at the beginning of the year, the mainnet went live on October 19, 2022.
For application development, the Aptos blockchain employs the Move programming language and the Move VM, both of which were built and optimized for blockchain use cases. The language was created with scalability and security in mind.
Aptos blockchain is a Proof of Stake network with low latency Byzantine Fault Tolerant (BFT) technology. When a node or set of nodes behaves maliciously, the BFT mechanism prevents network failure.
For more details of what Pontem is supporting the Aptos ecosystem, visit their website.
