Mitigations against flash-loan enabled attacks

CTA: In these threads, we attempt to further the discussion of a key problem in this category and evolve our understanding of the domain space where research work has not yet answered the specific problem or question being considered. These posts are living documents, and it is our hope that the community will continue to contribute to their structure and content.

Key Problem

This post discusses some strategies for mitigating flash-loan enabled attacks

Problem Statement

• How can mechanism design choices mitigate flash-loan enabled attacks?

Background

• Flash loans are crypto loans that do not require collateral. They are smart contracts, programs which force borrowers to repay the entire loan in the same transaction as the loan was granted; otherwise, if the loan is not paid in full, the transaction reverts.
• Flash loans rely on funds from a liquidity pool (which is also a smart contract).
• Lending platforms make a profit by charging a lending fee on each flash loan. The lending fee must also be paid in the same transaction as the loan grant.
• Flash loans enable borrowers to act as whales, borrowing large sums of money that they would not have otherwise. Among other uses, flash loans allow profiting from arbitrage, exploiting price differences across exchanges. Example:
  • Say token X is traded at 2 cents in one exchange, while traded at 3 cents in another. One could buy X at a cheaper price, selling it at a higher price elsewhere.
  • A borrower wishes to take advantage of the given price difference, but only has 1,000 dollars in his wallet. If he were to use all his funds, the borrower would make a profit of less than 500 dollars.
  • If the same borrower takes a flash loan of 1,000,000 dollars, the net profit reaches a value close to half a million dollars, after deducting the loan fee and associated gas costs.
• While this example builds on an honest use case, flash loans can be harmful. For instance, they can be used to distort the market value of a given coin, allowing an attacker to profit from an artificially induced price difference.
• Examples of attacks enabled by flash loans include pump and arbitrage (artificially inflating the price of an asset, and then taking advantage of the resulting price difference), oracle price manipulation (lowering the price of an asset and then buying it at a discount), wash trading (artificially inflating the trading volume of a coin, giving the false impression that the coin is being sought out by buyers; such sentiment can lead to more traders buying the coin, increasing its price), governance takeover (an attacker uses a flash loan to buy out the governance of a target protocol), etc.
• Flash loans have amplified economic attacks as they require little up-front investment by attackers and are almost risk free; all an attacker has to lose are the associated gas costs. The returns, in contrast, could be in the millions.

Approach / Methodology

• Mitigation strategies can be used to attempt to prevent (but not fully eliminate) flash loan enabled attacks.
• Mitigation strategies are preventive in nature, i.e, they are reusable solutions attempting to prevent flash-loans from occuring in the first place. Example strategies include:
  • Breaking logic into two transactions
    • Description: the premise of a flash loan is that users borrow and pay back their loans in a single transaction. If this premise is broken, by design one cannot use funds that they do not already own.
    • Example implementation: in a first transaction, have users call a deposit function that would take funds needed to execute a target function; the latter would then be called in a second transaction and would use funds deposited by the callee.
    • Pros:
      • Technically, this mitigation strategy is agnostic of the underlying application and largely general.
    • Cons:
      • Requires an extra transaction to occur, adding further complexity and increasing overall gas costs.
      • Turns the target smart contract into a custodian (if it isn’t one already).
  • Rely on robust oracles
    • Description: Decentralized exchanges do not communicate with one another; hence, prices may differ. Attackers have successfully used flash loans to manipulate the price of a coin in one exchange to distort the market in their favor. The latter can be mitigated if one relies on the price of a coin as aggregated by many exchanges, instead of a single or relatively few exchanges.
    • Example implementation: use Chainlink’s oracle price feed, while checking for price staleness.
    • Pros:
      • Mitigates the risk of having an incorrect view of a coin’s real price.
    • Cons:
      • Transaction cost increases.
  • Keep slippage to a certain limit
    • Description: Slippage refers to the situation where the price of a crypto asset fluctuates between the moment a user submits a transaction and the time it is actually mined. Slippage can be induced on purpose as a means for an attacker to profit (e.g., bZx hack).
    • Example implementation: restrict slippage to a certain limit, for instance 3%.
    • Pros:
      • Restricts the margin of fluctuation to a maximum.
    • Cons:
      • Attackers can still cause slippage to occur up to the maximum defined. At best, it keeps damage within a certain margin.
      • Limits, if set incorrectly, may either be too restrictive, or too loose.
• A second mitigation strategy class comprises reactive measures, i.e., steps on how to react to an attack after it occurs.
  • Blacklisting ability
    • Description: Suspicious actors (addresses) should be blacklisted; if so, they are not able to perform any operation on the target platform until removed from that list.
    • Example implementation: keep a record of suspicious addresses that can be either added or removed. Prior to each transaction, make sure the current callee is not blacklisted. If so, revert the transaction altogether.
    • Pros:
      • Prevents an address from performing a suspicious activity without pausing the contract altogether.
    • Cons:
      • Unless a governance setup is in place, this strategy introduces some level of centralization, as privileged actors would be able to blacklist whoever they want.
      • In Ethereum, one can circumvent the blacklist mechanism by simply generating a new address (which is free of cost). Hence, depending on the given blockchain, this strategy may not help much on its own.
  • Pausing ability
    • Description: in case a contract does get hacked, one should be able to pull a safety trigger, pausing the contract. This gives time to the team to understand the issue at hand and prevent further hacks from happening until a fix is in place.
    • Example implementation: for Ethereum smart contracts, make the target contract inherit from OpenZeppelin’s Pause Contract. For other platforms, replicate the same logic as given in OpenZepplin.
    • Pros:
      • Stops further attacks from happening until the issue at hand is understood and a fix is devised.
    • Cons:
      • Introduces some level of centralization; only privileged actors are able to use the safety feature.
      • Stops the contract altogether, bringing down-time.
      • Alone, this strategy only works after the fact, i.e., after an initial hack has taken place.
  • Runtime monitoring
    • Description: to be able to identify suspicious transactions, one must constantly watch transactions as they appear in the mempool. Upon seeing those, react accordingly. Examples of the latter include front-running the suspicious transaction and putting the given sender’s address in a blacklist or pausing the contract (as discussed above).
    • Example implementation: some runtime monitoring solutions exist out of the box (e.g. Quantstamp’s monitoring tool and OpenZeppelin’s Defender), but as far as I am aware, none of them provide the means to front-run suspicious transactions and prevent a potential attack. They generally rely on alerting mechanisms (e.g., sending an email, sms, etc). Front-running, in turn, requires a custom solution, which cannot lead to a high-rate of false positives; otherwise, honest players would be unfairly blacklisted or, in the case of a full pause, the contract would often go down.
    • Pros:
      • In theory, this allows one to react to an attack as it happens. It can be used as a failsafe mechanism in addition to the preventive measures previously discussed.
    • Cons:
      • Hard to implement; existing solutions generally work after-the-fact (i.e., after a hack has happened).
  • Coverage protection
    • Description: different from the other strategies, which are technical in nature, this aims to protect users in case the smart contracts they lock funds in get hacked.
    • Example implementations: Nexus mutual and Quantstamp Chainproof protocol.
    • Pros:
      • Provides users with financial coverage.
    • Cons:
      • Since smart contracts do interface with external components (libraries, other contracts, etc), users may not be fully covered for components other than the smart contract they locked their funds in. Depending on how contracts interplay, coverage may only be partial.

Key Takeaways

In the crypto world, flash loans differentiate themselves from other loans in the sense that they do not require any collateral, so long as they are paid back within the same transaction as the loan was granted. Although legitimate use cases exist for flash-loans, they have been used to exploit many different protocols. In this post, I discussed different strategies to mitigate flash-loan enabled attacks, both preventive and reactive. In essence, there is no silver bullet; each solution has pros and cons that must be considered by each project.

Future Work

• Monitoring tools are in their early days—we need to be able to detect suspicious transactions and front-run them successfully in order to prevent flash-loan enabled hacks. This is largely unexplored as of now.
• We need to catalogue mitigation strategies against flash-loan enabled attacks. This is certainly a first step, but community involvement is a must.

What are some preventive measures that could be taken to mitigate governance attacks enabled by flash loans?

There have been some interesting precedents where flash loans were used to borrow governance tokens and momentarily increase one’s voting power.

Notably, in October of 2020, the B Protocol used a flash loan to borrow $7 million worth of MKR tokens in order to influence the governance process. Doing so enabled them to use MakerDAO price oracles for their applications, which required white-listing.

Are there ways to mitigate this kind of flash loan-enabled governance attack? Could time-locks be a feasible option, or would projects have to audit each monetary unit in order to discern votes enabled by flash loans?

@cipherix Thanks for you reply and interest in this post.

There are a couple of ways one could do this. The most natural one seems to use the Breaking logic into two transactions mitigation strategy. For instance, instead of letting the biggest governance token holder get immediate control, impose a time lapse for that control to happen and be granted. Such a time lapse should be set s.t. anyone can question any transaction attempting to gain governance control. The ability to question a transaction attempting to elect a governor contract should be voted by existing governance token holders as a further level of scrutiny.

Things could be partially automated by means of using a monitoring system, which would then trigger alarms for the community to further investigate and vote on to accept/reject suspicious transactions attempting to elect a new governor contract.

What do you think?

Thanks for the summary. It’s such a joy to read your work.

There are two things that I’d like to bring up -

1. What is the maximum proportion of crypto available for lend? Shouldn’t that be equal to the size of the liquidity pool?
   If so, suppose the pool isn’t large enough to provide enough crypto for governance takeover.
   Will this ensure that we don’t need to worry about attacks enabled by flash loans?
2. What are the incentives of giving loans without collateral & some lending limits?
   If it’s a small loan, I can understand.
   When it’s a large sum, who will be willing to take the default risk?

Thanks again for the post!

Hi @Twan . Thanks for your question and interest in this post.

To follow-up on your points:

1. Yes, the amount of money that can be lent is directly proportional to the amount of money currently available in liquidity pools. Whether that is enough or not to cover governance control in a target protocol, depends on the target protocol and how much their governance tokens are valued and the amount minted. For Maker, it would have been a matter of time if they had not mitigated governance control (see discussion at: Research Summary: The decentralized financial crisis)
2. Apart for bugs in the lending platform, there is no default risk, as everything happens in a single transaction. If the loan is not paid back in the same transaction, the latter reverts entirely. The economic incentives for giving flash-loans are in the form of collected loan fees, which are in turn shared amongst liquidity providers and the platform itself.

Let me know my explanation helps :)

Thanks @lnrdpss. It certainly does help. May I follow up with asking how does a revert works if the borrower converts the coin into another currency and sends it to another address?

@Twan A transaction in Ethereum is atomic. An atomic transaction is a sequence of operations that will either succeed entirely, or, if a single operation within the sequence reverts (e.g., if you do not pay a flash loan back, the associated contract will make sure a revert occurs), the whole sequence of operations reverts. Hence, if you send coins to an address, but as part of the same transaction, something fails, the transfer of the coins made in that same transaction will revert.

@lnrdpss I see. So unless they cash out, it’s not going to default.

@Twan One cannot cash-out unless the underlying transaction is mined… if it reverts, it cannot be mined. In other words, a transfer of coins as you described will only succeed if its containing transaction succeeds. This concept of atomic transactions is not new; for reference: Atomicity (database systems) - Wikipedia

Just an update to those interested in this thread: OZ’s Forta Protocol appears to make some contributions towards better runtime monitoring: https://forta.org

Nice work @lnrdpss
There are other numerous strategies to avoid a flash loan attack apart from the ones mentioned in the research summary, despite the fact that it can be devastating to a cryptocurrency:

1. Collateral requirements for loans are one of the ways to stop flash loan hacks.Hackers would have to put up collateral in order to obtain a loan, which would increase the cost of their borrowing.

2. Another method is to set a cap on how much can be borrowed in a single flash loan.
   The ability of hackers to borrow enough money to pay for the full attack would be made more challenging by this limit.

3. Finally, enhancing transparency in the lending process is another strategy to stop flash loan hacks.

We can make it harder for hackers to execute these assaults by making it harder for them to mask their activity.

No system is flawless, but by putting these precautions in place, we can make it harder for hackers to conduct flash loan attacks and contribute to the security of our cryptocurrency.

Hi @lnrdpss

Kudos on your well-detailed post.

I stumbled on it while researching for a client’s article on DeFi Flash Attacks. The focus was on the origin, effect, and how to mitigate/prevent the attacks. Unfortunately, the information I saw on Google wasn’t conclusive…

So I was excited when I thought of searching for flash loan attacks on SCRF, and I found your summary plus @patrickalphac’s post on “Flash Loans & Defi Attacks”

The two posts helped me better understand the subject matter while feeding me with more than enough information for the article.

I have a question, though…

Seeing as your work is about a year old, are there any improvements/drawbacks in the mitigation strategies you mentioned?

For example, the Runtime Monitoring method, which I understand would be hard to implement because it is only theoretical and can’t react to attacks while they happen.

Hi @Cashkid18 . Here is a follow-up:

Collateral requirements for loans are one of the ways to stop flash loan hacks.Hackers would have to put up collateral in order to obtain a loan, which would increase the cost of their borrowing.

If you put collateral, sure, it solves the problem, but then it is no longer a flash-loan by definition ;)

Another method is to set a cap on how much can be borrowed in a single flash loan.
The ability of hackers to borrow enough money to pay for the full attack would be made more challenging by this limit.

Sure, that would work, but…

• if you set the flash-loan cap to be too low, no user would use the loan platform to begin with (defeats the purpose of the flash-loans in the first place, which is: become a temporary whale and take advantage of that buying power with the length of a single transaction)
• note that, in theory, a cap is by definition in place - he total amount of money in the liquidity pool.

Hi @Harvesto. Unfortunately, this problem is not yet solved to satisfaction

Consequences of flash loan attacks

Depending on the scale of the attack, consequences can vary. But one thing is certain, the reputational damage is great, and the other protocol users pay the adverse effects. Seemingly never out of the spotlight, C.R.E.A.M. has been attacked three times in 2021, two of which were flash loan attacks. In the case of flash loans, lightning can and does strike the same place twice. The primary and most important consequence is the impact that flash loan attacks can have on other users. DeFi would be nothing without the loyalty and money of the users who are all key players in an intricate autonomous ecosystem. It is presumptuous to assume that victims have available cash to put back into a system that has failed to protect their assets.

Steps for protocols to take to minimize impact of flash loan exploits

The recommendations here align with the three pillars of cyber security: security, vigilance and resilience.

1. Design of the protocol matters Complexity comes with risk. While developing a large smart contract or building a dApp it is difficult to pinpoint loopholes. Therefore, all external calls should be located, to explore if these could serve as a path for the malicious actors in the contracts. In older versions of Solidity, even reading a public field could lead to unsafe external calls that can be easily manipulated. Therefore, developers should always use the stable and updated versions of Solidity.
2. Use a decentralized oracle Oracle manipulations are the biggest cause of flash loan attacks. Smart contracts heavily rely on oracles which provide an effective interface between the contracts and the external source to push the required data.