INTRODUCTION
In the decentralized finance (DeFi) ecosystem, flash loans are common. They make it possible for borrowers to quickly profit on arbitrage possibilities.
Some people take advantage of this loan method. Learn more about flash loan assaults and how to avoid them by reading on.
Since the introduction of Decentralized Finance, a lot has changed in terms of how people perceive and use cryptocurrencies (DeFi). In particular, because it has a separate financial platform that offers a variety of cryptocurrencies, it provides more value to both lenders and borrowers.
The flash loan is one of the most well-liked loan kinds in the DeFi ecosystem because it provides borrowers with immediate access to arbitrage opportunities. borrow funds to purchase and sell digital assets, pay back the loan, and profit. The four main uses of a flashloan are collateral swap, wash trading, flash liquidation, and arbitrage.
Without access to significant sums of capital, flash loans create chances for financial operations that were previously unattainable. Their popularity is rising.
Unfortunately, although the concept is sound and effective, some individuals abuse this form of loan to cause harm to others (scam).
Background Lending Platform: An environment (usually a DeFi ecosystem) where depositors can secure funds (collateral) to lend assets
Reserve ratio: The lending platform sells the collateral and compels the loan to be liquidated when the minimal ratio between the value of the collateral and the value of the loan is reached (“amortized”).
Flash Loan: A recent innovation that enables customers to obtain unsecured loans as long as they repay the money in a single transaction.
A transaction is an activity carried out by an account that is controlled by a private key (an “Externally Held Account” or “EOA”) and that alters the state of the Ethereum blockchain, unless otherwise specified in the Official Gazette. EOAs are distinct from accounts kept by smart contracts since they are managed by user activities.
Arbitrage: Buying inexpensively in one market and selling expensively in another in order to take advantage of price disparities between markets.
Wash Trading: A trade that generates fake activity to give the impression that a platform or asset is more well-liked.
A quick loan is used to support a flash liquidation. A loan becomes available to anyone with secured capital known as the Liquidator.
Collateral swap: The borrower pays off the loan’s collateral and takes a new stake in another asset to avoid liquidation in the case of a significant price change.
Overview
Flash loans transform one type of borrowing by enclosing the complete lend-and-borrow process in a single transaction.
First, users receive the necessary assets from flash loan suppliers. They then execute the pre-planned procedures of the users. To carry out operations using borrowed assets, users communicate with other contracts. Users return the borrowed assets after execution is complete, with or without paying the additional fee that the flash loan providers impose. Finally, lenders of quick loans will look at their balance. They will promptly reverse the transaction if they find that users have returned no assets or assets insufficiently.
The figure below (Figure 1) shows the workflow of a Flash loan transaction.
The authors develop three models to identify flash loan transactions. Based on the identified patterns, 76,303 transactions were found on the Ethereum ledger. The numbers suggest that flash loan services are becoming more and more popular over time.
What Is a Flash Loan Attack?
A flash loan attack is an abuse of the smart contract security of a particular platform where an attacker usually borrows a lot of money that doesn’t require collateral. They then manipulate the price of a crypto asset on one exchange and quickly resell it on another.
There are some ways to avoid a flash loan attack, despite the fact that it can be devastating to a cryptocurrency. One method is to set a cap on how much can be borrowed in a single flash loan. The ability of hackers to borrow enough money to pay for the full attack would be made more challenging by this limit.
The process is quick and the attacker repeats the process several times before finishing and leaving without a trace.
With the way technology is advancing, DeFi instant loan attacks are becoming more and more common these days. Currently, more than 70 DeFi exploits have been used to steal a lot of money, totaling $1.5 billion. This trend will continue in the coming years as platform security is a difficult task.
The first difficulty relates to the fact that since blockchain technology is completely new, developers cannot cover all possible weaknesses. Another problem is that the system is developing very quickly and there is a lot of funding for each of these projects. The risk is high and many developers use different methods to find bugs in their systems. Some payday loan attackers use incorrect liquidity fund calculations. Others are miner attacks or coding errors. Unfortunately, weakness is also what makes it all possible.
The difficulty with smart contracts is that you have full control over the DeFi protocol. Once attackers understand the details of how it works, they can manipulate the flaws in the contract and use them to their advantage. This means that DeFi security is a delicate balance between the skills of protocol developers on the one hand and the skills of hackers on the other.
Another vulnerability has to do with the price data on the platform. With so many exchanges around the world, it is virtually impossible to find the true price of a cryptographic digital asset. This price difference makes arbitrage attractive. Due to the correct price movements, following the market is a great way to make money. However, flashloan attacks manipulate prices and take advantage of sudden fluctuations. When an attacker takes out a quick loan, it creates an artificial sell-off, which lowers the price of crypto assets.
Fortunately, there are already systems in place to prevent the abuse of unsecured loans. We would take a look at them after looking at some examples of flashloan attacks.
Example of flash loan attacks
There have been dozens of flash loan attacks so far. Here are just a few of the biggest.
Cream Finance Attack
C.R.E.A.M. Finance In 2021, was under attack several times. One of the biggest thefts involved $130 million. The culprits stole CREAM’s liquidity tokens and stole millions of dollars over an unknown period of time. The chain shows all the losses and the culprit has not been caught. Fortunately, the vulnerability is only part of Cream’s DeFi system, as their joint partner Yearn Finance’s platform remained secure. Like most DeFi protocol hacks, the attackers used multiple flash loans and manipulated oracle prices. With the help of the Yearn team, the platform quickly fixed the bug.
Alpha Homora Attack
In February 2021, the Alpha Homora protocol hack caused $37 million loss. The Flash loan attackers also used C.R.E.A.M. Finance’s Iron Bank which issued a series of quick loans. The Iron Bank is the lending arm of the Alpha Homora protocol.
The Hackers repeated the process several times until they accumulate CreamY USD (or cyUSD) and then use these tokens to borrow other cryptocurrencies.The Hack was very complex and involved many steps. Basically, the attackers heavily manipulated the HomoraBank v2 sUSD pool. They made a series of transactions and flash loans that allowed them to abuse the loan agreement between HomoraBank v2 and Iron Bank. You can take a closer look at the post-mortem analysis of the Alpha Homora attack to understand what the hackers did. Even in the case of just one borrower, they used rounding errors in loan calculations
Pancake BUNNY Attack
Hackers took about $3 million in May 2021 to test the PancakeBunny platform. The hacker first obtained sizable BNB loans through PancakeSwap, after which He played around with the trading pairs BUNNY/BNB and USDT/BNB.
After that, a massive flash loan provided the hacker with a large amount of BUNNY tokens, which they immediately dumped, returned the BNB, and disappeared with the prize money. With all these attempts, PancakeBunny’s price dropped from $146 to $6.17.
How to prevent loan flash attacks?
As attacks increase, security professionals are learning more about various flash loan exploits. All of the vulnerabilities in the example above have been patched and their emergence has led to two popular fixes.
Decentralized Pricing Oracles
This strategy needs to be matched with a decentralized price oracle because the majority of flash lending assaults depend on price manipulation. Band Protocol and Chainlink are two good examples. These platforms offer precise values for various cryptocurrencies while maintaining the security of all protocols. For instance, because the protocol does not get price feeds from the same DEX, DeFi attacks like dYdX are not feasible.
Alpha Homora now uses the Alpha Oracle Aggregator to prevent history from repeating itself. As the size of the DeFi market continues to grow, we will see more and more of these systems.
DeFi Security Platforms Implementation
The DeFi ecosystem uses advanced technologies that will change the future of the international financial system. This concern puts a lot of pressure on the whole system. The good news is that there are real platforms that solve today’s security challenges. OpenZeppelin is a good example. Its role in the entire ecosystem is to protect smart contracts and the DeFi platform as a whole.
In addition to smart contract management capabilities, solutions like Defender Sentinels provide continuous protection against credit crunch attacks. Developers can use this tool to automate defense strategies, quickly suspend entire systems, and deploy fixes.
This quick response is critical to limiting the potential damage of a Flash loan attack. Big companies like Yearn.finance, Foundation Labs, dYdX, Opyn, The Graph, PoolTogether and others use the platform to neutralize attacks on their systems.
TAKEAWAY
Flash loan attacks will inevitably occur and continue to occur. Despite all the suggested fixes, we must be aware that DeFi technology is still in its infancy and that we cannot afford to relax because every week hackers find new vulnerabilities that are not yet patched. Making the most of the current solutions is the only way for developers to survive, and even if they don’t work, they’ll always learn something new every time they’re assaulted.
Users must participate in DeFi efforts like stock trading, dividend farming, and liquidity mining because they also provide tremendous opportunities. Other DeFi lending protocols besides flashloan can be found here, along with the greatest cross-chain DeFi lending protocols.
Consider the risks carefully before investing, and never risk money you cannot afford to lose. Participation in DeFi is risk management, just like investing.
Citation: https://yajin.org/papers/flashloan.pdf
What Is a Flash Loan Attack — and How Do I Prevent It? | Bybit Learn
What Are Flash Loan Attacks? | Alexandria