Should Flash Loans be considered harmful?

Marc Zeller · Published in Aave Blog · Feb 21, 2020

Flash Loans are quite a hot topic in the decentralized finance ecosystem, after incidents using this technology led to a loss of nearly $1M in funds on the (now fractional-reserve) trading platform Fulcrum.

Social media has seen many hot takes on the subject, ranging from excitement to fear to anger. Let’s take a step back and consider Flash Loans for what they truly are: a tool with both threats and opportunities.

Let’s also break the suspense of the clickbait title — as always, Betteridge’s law applies here!

Back to 101 for a short explainer

Our mental model of a blockchain transaction is often quite limited, e.g. “wallet A, send amount X to wallet B”.

Ethereum did a remarkable job of expanding our range of opportunities with smart contract interactions, but as many blockchain operations happen “under the hood”, a lot of us are not aware of the capabilities of the Ethereum Virtual Machine. Initially branded as the “world computer”, the Ethereum Virtual Machine is able to run immutable code.

Truth is, a single Ethereum transaction can do as many things as we’re ready to pay the miners for: “send amount X to wallet B, convert amount Y to token A, lock token A in smart contract C”.

One limitation is that each individual interaction performed costs a defined amount of “gas” that has to be paid in ETH. The more complex the transaction, the more expensive it is.

The other limitation is the amount of gas an Ethereum block can contain. With the block gas limit at 10M units and a simple ETH transfer costing 21k units of gas, it’s easy to see that a lot can happen within a single transaction.

Eat the Rich

Leveraging these Ethereum capabilities, Aave’s Flash Loans allow anyone with the technical knowledge to be as rich as our available liquidity allows ($16M at the time of writing this article) within the context of a single transaction.

Everything that was once reserved for a few happy whales is now available to the public. Flash Loans have provided the tools for every developer to have the same opportunities as the wealthiest holders in a low-risk context: if something doesn’t work out as planned and the borrowed money can’t be returned to the Aave liquidity pool, our architecture simply rejects the interaction and the whole transaction is effectively reverted.

In the context of a Flash Loan, every single blockchain interaction is executed atomically, as part of the same transaction, when that transaction is included in a block by a miner.

Therefore, Flash Loans only exist when they succeed. It’s a self-loan that is created and paid back simultaneously.
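To make the self-loan semantics concrete, here is a small Python model (an added example, not Aave’s code): a pool lends its liquidity to a borrower callback and either keeps the fee (using the 9 bps fee and 70% depositor share the article states later) or rolls back every state change, as a reverted Ethereum transaction would. The two borrower strategies and the 1% arbitrage margin are constructed inputs.

```python
# Toy model of an atomic flash loan (added example; not Aave's code).
# The pool lends its liquidity to a borrower callback inside one "transaction";
# if the callback does not return principal + fee, every state change is undone.
from dataclasses import dataclass
from typing import Callable

FLASH_FEE_BPS = 9          # 0.09% "Flash fee", as stated in the article
DEPOSITOR_SHARE = 0.70     # 70% of the fee goes to depositors, 30% elsewhere


class Revert(Exception):
    """Mirrors an EVM revert: the whole transaction is undone."""


@dataclass
class Pool:
    liquidity: float
    depositor_yield: float = 0.0
    burn_and_referral: float = 0.0

    def flash_loan(self, amount: float, borrower: Callable[[float, float], float]) -> float:
        """Lend `amount` for the duration of `borrower`; return the fee earned.

        `borrower(amount, fee)` returns the funds it sends back to the pool.
        Raises Revert if repayment is short, leaving the pool exactly as before.
        """
        if amount > self.liquidity:
            raise Revert("insufficient liquidity")
        fee = amount * FLASH_FEE_BPS / 10_000
        snapshot = (self.liquidity, self.depositor_yield, self.burn_and_referral)
        self.liquidity -= amount                       # funds leave the pool
        repaid = borrower(amount, fee)                 # borrower runs its strategy
        if repaid < amount + fee:
            # Roll back everything, as a failed Ethereum transaction would
            self.liquidity, self.depositor_yield, self.burn_and_referral = snapshot
            raise Revert(f"repaid {repaid:.2f}, owed {amount + fee:.2f}")
        self.liquidity += amount                       # principal back in the pool
        self.depositor_yield += fee * DEPOSITOR_SHARE
        self.burn_and_referral += fee * (1 - DEPOSITOR_SHARE)
        return fee


def profitable_arbitrage(amount: float, fee: float) -> float:
    # Constructed borrower: earns 1% on the borrowed capital and repays in full
    return amount * 1.01


def failed_strategy(amount: float, fee: float) -> float:
    # Constructed borrower: loses half the funds and cannot repay
    return amount * 0.5
```

A successful call leaves the pool’s liquidity unchanged and only the fee accrued; a failing one raises `Revert` and leaves no trace, which is what “Flash Loans only exist when they succeed” means in practice.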

Arbitrage, liquidation, collateral swaps, and more… the opportunities are limitless and are expanded on in a previous article.

However, opportunities are not without threats. Black hats can now use Flash Loans to pretend they are someone with a lot of liquidity and exploit vulnerabilities.

Fulcrum paid the ultimate price for this, with seven different critical vulnerabilities discovered to date. Two were exploited by a black hat using Flash Loans to drain almost $1M from Fulcrum’s depositors, in widely covered events.

BUT if we take a step back here, there are currently around 7000 accounts holding enough ETH to have carried out the exact same attacks without a Flash Loan. If we take ERC-20 token holdings into account, the number of addresses “rich enough” to attack is much higher.

In the context of Fulcrum, attack opportunities didn’t appear with Flash Loans. Bad code created the opportunities, and Flash Loans only allowed less wealthy individuals to take advantage of the situation.

Flash Loans do not create new threats — they only expand the number of people capable of harmful actions.

What if it’s for the best?

Decentralized finance has lofty ambitions — we’re here to build a better financial system. The whole blockchain ecosystem is a reaction to the numerous abuses of the traditional financial system. So let’s be clear, DeFi is here to eat OldFi.

With great ambition comes great responsibility. To this day in DeFi, we have no compensation scheme bound by law, such as the European DGSD2 (up to €100K guaranteed). Actors are emerging, like Nexus Mutual (who compensated the first Fulcrum event) and the newcomer Opyn, but this is not the norm. Truth is, if things go wild, your money is probably gone.

Flash Loans expand the range of potential black hats and force all actors in the ecosystem to take safety seriously. Smart contract audits are increasingly the norm, and every single actor is currently triple-checking their code and improving their safety process before pushing code into production.

Our “unicorn” ecosystem, often mocked by Bitcoiners for not being paranoid enough, got a much-needed wake-up call about its often too naïve “move fast and break things” mindset.

We should be thankful for any new vector of attack discovered while our ecosystem is still relatively small. Every new threat discovered increases our resilience and ability to fulfill our ambitions.

That’s why we have a Safe Harbour policy and a Bug Bounty program. We will always welcome white hats and reward them for their service.

Aave Bug bounty compensation matrix

More on Flash Loans:

Our oracle system is proudly powered by Chainlink, and they continuously prove that Oracles can be reliable, decentralized and fast.

Flash Loans originating from Aave liquidity are not allowed to target the Aave platform itself, which closes off some of the attack vectors that were exploited in the second Fulcrum event.

Aave Flash Loans are not free: we charge a minimal 9 bps (0.09%) “Flash fee”, 70% of which is redistributed to our depositors, translating into an instant boost in their yield.

The remaining 30% of the fee goes toward burning LEND tokens and paying our referral partners.

We believe that flash fees will help keep Aave at the top of the average yield for depositors.
