Understanding Crypto Flash Loan Attacks: The Risks & Prevention (2024)

Decentralized finance (DeFi) has revolutionized the way money works, bringing traditional finance activities to the blockchain and eliminating third parties.

One significant activity in this space is crypto lending. Today, users can borrow crypto assets and repay them entirely on the blockchain.

This evolution has given rise to crypto loans that don't require collateral or credit scores for issuance; these are known as flash loans.

However, every new invention comes with risks and vulnerabilities. In the case of DeFi, which serves as a playground for malicious actors, flash loan attacks have resulted in the loss of millions of dollars in crypto assets.

What Are Flash Loans?

Flash loans are uncollateralized loans that are executed by smart contracts. They require no credit checks and users can borrow huge amounts, provided they can pay back the loan in the same transaction.

With flash loans, borrowers receive funds that must be returned to the lending platform by the end of a single transaction block; otherwise the entire transaction, including the loan itself, is reversed. This is why protocols can give out the loan without collateral.

The entire process of borrowing, repaying, and covering flash loan fees can take as little as 15 seconds, depending on the time it takes to validate a transaction on the particular blockchain the lending protocol is running on.

So what can anyone use a loan with such a short deadline for?

The most common use of flash loans is taking advantage of arbitrage opportunities. Since a user can get huge amounts without collateral, they can buy crypto assets, sell them at a higher price, repay the original loan, and keep the profit.

Arbitrage opportunities can happen naturally as different projects update their valuation of different tokens based on supply and demand.

Since flash loans allow anyone to become a whale for a few seconds/minutes, attackers create their own arbitrage opportunities by exploiting vulnerabilities in smart contracts using flash loans.

A flash loan attacker can do this by artificially modifying the relative value of a trading pair of tokens by flooding a contract with one or the other using their loaned tokens.

What Are Flash Loan Attacks?

In flash loan attacks, malicious actors use the temporary uncollateralized liquidity provided by flash loans to manipulate the price of a cryptocurrency, exploit vulnerabilities in a DeFi smart contract, or steal funds from a protocol.

To execute a flash loan attack, an attacker usually follows a three-step procedure:

Borrowing: The attacker takes out a flash loan from a DeFi platform without providing any collateral.

Manipulation: Using the borrowed funds, the attacker manipulates the price of a targeted cryptocurrency or exploits a vulnerability in a DeFi smart contract.

Repayment: The attacker pays back the flash loan, usually within the same transaction block.

Some Common Types Of Flash Loan Attacks

  • Oracle Manipulation Attack

In this case, attackers can manipulate the price oracles that DeFi protocols use to ensure that the assets available on their platforms are priced in accordance with the wider cryptocurrency market.

Typically, bad actors carry out oracle manipulation attacks by using large amounts of cryptocurrency to quickly increase the trading volume of low-liquidity tokens on the targeted DeFi protocol. This action can lead to fast, significant price increases that are not reflective of the wider market.

These initial funds are often sourced through a flash loan if the attacker doesn't have the funds on hand.

Once an asset's price has been driven up, the attacker can then exchange their artificially inflated holdings for other tokens with greater liquidity and a more consistent value. Alternatively, they may use these holdings as (worthless) collateral to borrow assets, never intending to repay.

In 2022, the crypto crime research firm Chainalysis estimated that DeFi protocols lost $386.2 million in 41 separate oracle manipulation attacks.

  • Smart contract exploits

Attackers can use flash loans to take advantage of vulnerabilities in DeFi smart contracts; one example is a reentrancy attack.

In a reentrancy attack, the attacker deliberately creates a recursive loop that allows them to repeatedly enter and exit the same function within the contract, exploiting the contract’s design flaws to drain funds or manipulate token balances with each iteration of the loop.

Preventing Flash Loan Attacks

  • Circuit Breakers

DeFi protocols can implement circuit breakers, which are automated mechanisms that halt trading on a platform if certain conditions are met, such as a sudden drop in liquidity or a large price movement.

In this way, circuit breakers can prevent flash loan attacks by stopping large price movements from occurring, which makes it more difficult for attackers to manipulate the price of an asset.
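The halt conditions described above, as an added Python sketch (not code from this article or from Hashlock). The class name, the 10% and 30% thresholds, the slow-moving reference and the sample observations are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CircuitBreaker:
    """Latches a halt on a large price move or a sudden liquidity drop."""
    max_price_move: float = 0.10       # assumed threshold: 10% vs. reference
    max_liquidity_drop: float = 0.30   # assumed threshold: 30% vs. reference
    ref_price: Optional[float] = None
    ref_liquidity: Optional[float] = None
    halted: bool = False
    reason: str = ""

    def observe(self, price: float, liquidity: float) -> bool:
        """Feed one observation; return True if trading may continue."""
        if self.halted:
            return False               # stays halted until operators reset it
        if self.ref_price is None:
            self.ref_price, self.ref_liquidity = price, liquidity
            return True
        move = abs(price - self.ref_price) / self.ref_price
        drop = (self.ref_liquidity - liquidity) / self.ref_liquidity
        if move > self.max_price_move:
            self.halted, self.reason = True, f"price moved {move:.0%}"
        elif drop > self.max_liquidity_drop:
            self.halted, self.reason = True, f"liquidity fell {drop:.0%}"
        else:
            # Reference follows accepted values slowly, so organic drift is
            # tolerated but a jump within one block is not.
            self.ref_price = 0.9 * self.ref_price + 0.1 * price
            self.ref_liquidity = 0.9 * self.ref_liquidity + 0.1 * liquidity
        return not self.halted

def run(observations):
    """Replay (price, liquidity) observations through a fresh breaker."""
    cb = CircuitBreaker()
    accepted = [cb.observe(p, l) for p, l in observations]
    return accepted, cb.reason

# Constructed sample data: one (price, pool liquidity) pair per block.
NORMAL = [(100.0, 1_000_000), (101.0, 990_000), (99.5, 1_010_000)]
SPIKE = NORMAL + [(180.0, 1_000_000), (100.0, 1_000_000)]
DRAIN = NORMAL + [(100.5, 400_000)]

if __name__ == "__main__":
    for name, obs in (("normal", NORMAL), ("spike", SPIKE), ("drain", DRAIN)):
        print(name, run(obs))
```

In the spike case the last observation is rejected even though the price has returned to normal, because the halt is latched rather than self-clearing.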

  • Code Audits

Employing reputable third-party smart contract auditing is always a valuable security measure. For example, Hashlock reviews the overall infrastructure of your contracts and does comprehensive testing to identify potential vulnerabilities.

  • Decentralize Pricing Oracles

Projects can decentralize pricing oracles to obtain the most precise and safe price information that reflects the general price of the wider market and protects against slippage.
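Why a single pool's spot price is a weak oracle and how aggregating independent sources resists it, as an added Python example (not code from this article or from Hashlock). It assumes a constant-product pool with fees ignored; the source names, the 5% deviation limit and all prices are constructed.

```python
from statistics import median

def spot_price(reserve_token: float, reserve_quote: float) -> float:
    """Spot price of a constant-product (x * y = k) pool, quote per token."""
    return reserve_quote / reserve_token

def swap_quote_in(reserve_token: float, reserve_quote: float, quote_in: float):
    """Reserves after a buy of tokens paid with quote_in (fees ignored)."""
    k = reserve_token * reserve_quote
    new_quote = reserve_quote + quote_in
    return k / new_quote, new_quote

def aggregated_price(sources: dict, max_deviation: float = 0.05):
    """Median of independent sources, plus the names of sources that
    deviate from that median by more than max_deviation (assumed 5%)."""
    mid = median(sources.values())
    outliers = sorted(name for name, price in sources.items()
                      if abs(price - mid) / mid > max_deviation)
    return mid, outliers

def demo():
    # Constructed low-liquidity pool: 10,000 tokens against 1,000,000 quote.
    token, quote = 10_000.0, 1_000_000.0
    before = spot_price(token, quote)
    # One large buy, the size a flash loan makes available for one transaction.
    token, quote = swap_quote_in(token, quote, 1_000_000.0)
    after = spot_price(token, quote)
    # Constructed readings: the skewed pool plus four unaffected sources.
    sources = {"pool_a": after, "pool_b": 100.2, "feed_c": 99.8,
               "feed_d": 100.1, "feed_e": 99.9}
    mid, outliers = aggregated_price(sources)
    return before, after, mid, outliers

if __name__ == "__main__":
    before, after, mid, outliers = demo()
    print(f"pool_a spot price: {before} -> {after}")
    print(f"median across sources: {mid}, flagged: {outliers}")
```

A protocol reading only `pool_a` would value the token at four times its market price, while the median stays with the unaffected sources and the deviation check names the source to investigate.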

  • Keep Up With Industry Best Practices

Protocols should regularly review their smart contracts and stay up to date with DeFi security best practices and vulnerability reports.

Closing Thoughts

Unfortunately, flash loan attacks are becoming increasingly common in decentralized finance (DeFi) because of how easy and cheap they are to carry out: attackers have access to huge amounts of free money that can be used to manipulate prices and exploit protocols.

This ugly trend is what Hashlock, Australia’s leading smart contract and blockchain security firm, is here to address.

Hashlock is dedicated to ensuring the safety of protocols through cutting-edge security audits and ongoing monitoring to swiftly identify and address any suspicious activities.

Go ahead and contact us at Hashlock for all your crypto/blockchain security needs.

[Author’s Note: This article does not represent financial advice, everything written here is strictly for educational and informational purposes. Please do your own research before investing.]
