Flash loan attacks are DeFi (Decentralized Finance) exploits executed on-chain within a single block, in protocols built to support flash loans, in order to drain the crypto assets held in a specific pool.
These attacks are launched by malicious actors who take out a loan, use the borrowed funds to buy other assets and to arbitrage (including currencies, commodities, derivatives, stocks, bonds, etc.), and repay the loan, keeping whatever assets remain at the end of the procedure as their profit. Often, the vulnerable entities are DeFi protocols that have not integrated decentralized oracle systems to ensure pricing remains consistent.
Where and How Does a Flash Loan Attack Occur?
It is noteworthy that such exposure can only occur in DeFi-based protocols, as they are permissionless and operated entirely via smart contracts. Though disintermediation gives several advantages, such as censorship resistance and cost savings, the absence of third parties to oversee the delivery of the uncollateralized loans provided via flash loan contracts leaves DeFi-based venues vulnerable to this type of attack.
Such an attack is multifaceted and complicated to carry out. Even so, there are several cases where the attempt has succeeded. Most flash loan attacks use the borrowed funds to arbitrage assets across other DeFi-based protocols. For example, in an attack on the bZx protocol, the attacker requested a loan through a smart contract and then instantly converted the funds into stablecoins.
However, because smart contracts operate according to the data they are provided with, they are prone to some exploits. The hacker took advantage of this by manipulating the price of the stablecoin sUSD, placing a huge purchase order on the token. As a result, the stablecoin’s price reached nearly double the expected value. At that point he took out a larger loan, using the sUSD he had swapped for as collateral. After that, he repaid all other loans and withdrew the remaining assets as his profit.
Examples of Flash Loan Attacks
Apart from this, some time earlier, the same protocol had also become the victim of a notorious flash loan attack. The attacker used dYdX – a lending DApp (decentralized application) – to take out a flash loan and subsequently sent the borrowed funds to Fulcrum and Compound. The hacker selected ETH against WBTC (Wrapped Bitcoin) while taking WBTC’s Compound loan into account. Without delving deep into the particulars, when the price of WBTC rose because of Fulcrum acquiring WBTC, the attacker transferred their tokens to Uniswap, repaid what they had borrowed, and walked away with the remaining Ethereum.
The Biggest DeFi Flash Loan Attacks
Flash loan attacks are a common threat to big projects and protocols. This attack enables hackers to steal immense amounts of money in the form of cryptocurrency. Some of the largest and most expensive flash loan attacks include:
- PancakeBunny (the yield aggregator based on the well-known Binance Smart Chain): In May 2021, a bug in the transactions was used to exploit the BUNNY token, allowing the attacker to steal $45 million from the protocol.
- Alpha Finance: In February 2021, a hacker tricked the Alpha Homora code by using a malicious contract that was taken to be an internal contract. The fraudsters hacked the Alpha Finance project for about $37.5 million worth of tokens.
- Spartan Protocol: Again in May 2021, hackers drained about $30.5 million in tokens from the Spartan Protocol by exploiting an incorrect calculation of liquidity shares.
- Harvest Finance: The Harvest Finance hack occurred in October 2020 and allowed the attacker to steal $33.8 million in tokens from the project’s FARM_USDC and FARM_USDT pools.
- XToken: The bug exploits against XToken drained about $24 million in tokens from several of the project’s liquidity pools.
Protection Against Flash Loan Attacks
Flash loan attacks are possible because contracts calculate the value of a particular token or trading pair completely internally. Although using the contract’s own supply of various tokens to determine price is the “purest” way of valuing assets, it leaves these contracts vulnerable to manipulation and exploitation in a flash loan attack.
The most convenient way to protect against flash loan attacks is to use an external price oracle to protect against slippage. Smart contracts should update tokens’ prices based on the supply of and demand for the various tokens, but should limit this price range based on external values. Doing so makes it more difficult for a hacker to generate enough slippage to make an exploit profitable.
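The following added example (not code from the original article or from any protocol named in it) models the price-bounding defence in Python: a constant-product pool whose internal price is moved by one large in-block buy, and a valuation function that lets the pool price vary only inside a band around an external reference. The pool model, the function names, the reserves, the 5% band and the 75% loan-to-value ratio are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Pool:
    """Constant-product pool (token * quote = k); reserves are constructed values."""
    token: Fraction  # reserve of the token being priced
    quote: Fraction  # reserve of the quote asset

    def spot_price(self) -> Fraction:
        # Internal valuation: derived only from the pool's own reserves.
        return self.quote / self.token

    def buy_token(self, quote_in: Fraction) -> Fraction:
        # Swap quote for token while keeping token * quote constant (fees ignored).
        k = self.token * self.quote
        new_quote = self.quote + quote_in
        new_token = k / new_quote
        bought = self.token - new_token
        self.token, self.quote = new_token, new_quote
        return bought

def bounded_price(pool: Pool, oracle_price: Fraction, max_dev_bps: int) -> Fraction:
    """Follow the pool price, but only inside oracle_price +/- max_dev_bps."""
    band = oracle_price * max_dev_bps / 10_000
    return min(max(pool.spot_price(), oracle_price - band), oracle_price + band)

def max_borrow(collateral: Fraction, price: Fraction, ltv_bps: int) -> Fraction:
    # Credit extended against collateral valued at `price`.
    return collateral * price * ltv_bps / 10_000

def demo() -> dict:
    pool = Pool(token=Fraction(1_000_000), quote=Fraction(1_000_000))
    oracle_price = Fraction(1)           # assumed external reference value
    collateral = Fraction(100_000)
    pool.buy_token(Fraction(400_000))    # one large buy inside the same block
    internal = pool.spot_price()
    bounded = bounded_price(pool, oracle_price, max_dev_bps=500)
    return {
        "internal_price": internal,
        "bounded_price": bounded,
        "borrow_internal": max_borrow(collateral, internal, 7_500),
        "borrow_bounded": max_borrow(collateral, bounded, 7_500),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {float(value):.4f}")
```

With the internal price alone, the same collateral supports almost twice the credit after the buy; with the band applied, the valuation stays within 5% of the external value, so the slippage an attacker can create no longer translates into borrowing power.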
Flash loan attacks account for a significant percentage of all DeFi hacks. The industry continues to fail to learn from its mistakes, and flash loan attacks are an indication of that. The vulnerabilities that make flash loan attacks possible are not always obvious and may require an in-depth security audit to discover.
The cost of a flash loan attack can be significant to a DeFi protocol and its users and it has gradually become commonplace for DeFi hackers to drain tens or hundreds of millions of dollars from DeFi protocols.
Before launching any smart contract, it is essential to undergo a security audit that can help to identify and remediate these and other vulnerabilities before they can be exploited by an attacker. Halborn offers comprehensive audits of DeFi projects, including an in-depth review of smart contract code for vulnerabilities, like those that make flash loan attacks possible. Flash loan attacks are becoming a threat to big projects and DeFi protocols, and an obstacle for the future of blockchain technology.