What Is a Flash Loan Attack?

By DeHacker
Published in DeHacker Security, Jun 17, 2022

The way people view and use cryptocurrencies has changed a lot since the development of decentralized finance, especially with independent financial platforms offering different types of crypto lending, which in turn provides a lot of value to both borrowers and lenders.

A flash loan attack abuses one such loan type: the attacker exploits the smart contract security of a particular platform, usually by borrowing a large amount of funds that require no collateral. They then manipulate the price of a crypto asset on one exchange and quickly resell it on another. The process is swift, and the attacker repeats it multiple times before finishing and leaving without a trace.

What Is a Flash Loan?

The development of the DeFi lending space has made crypto lending very popular. Because they leverage the full power of currently available technologies, flash loans have become a very appealing form of lending. A flash loan is a relatively new type of uncollateralized lending that has become popular across a number of decentralized finance protocols based on the Ethereum network.

The principle is simple and very practical. Unlike traditional, secured loans, you don’t need any collateral, credit score or administration to process an unsecured loan. You can get your hands on large amounts of stablecoin in a matter of seconds, and use it to your benefit just as quickly. The borrowing and lending process is automated, and when everything works out, both the lender and borrower benefit from the loan. If anything goes wrong, the transaction is canceled, and there’s no profit for either one of the parties.
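The all-or-nothing behaviour described above, modelled as an added example (not code from Aave or any other protocol). The ledger, the account names and the 0.09% fee are assumptions made for illustration:

```python
class Reverted(Exception):
    """Raised when a step fails and the whole transaction must roll back."""

class Ledger:
    """Toy chain state: account name -> token balance (constructed model)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

FEE_BPS = 9  # assumed fee of 0.09%, in basis points

def flash_loan(ledger, pool, borrower, amount, callback):
    """Lend, run the borrower's logic, then demand principal plus fee.

    All steps form one transaction: if repayment fails, every balance is
    restored to its pre-loan value. Returns True on commit, False on revert.
    """
    snapshot = dict(ledger.balances)
    owed = amount + amount * FEE_BPS // 10_000
    try:
        ledger.transfer(pool, borrower, amount)
        callback(ledger, borrower)               # borrower's arbitrary logic
        ledger.transfer(borrower, pool, owed)    # raises if funds are short
        return True
    except Reverted:
        ledger.balances = snapshot               # atomic rollback
        return False

def profitable(ledger, who):
    ledger.transfer("market", who, 2_000)        # stands in for a trade that gains 2,000

def lossy(ledger, who):
    ledger.transfer(who, "market", 5_000)        # stands in for a trade that loses 5,000

if __name__ == "__main__":
    led = Ledger({"pool": 1_000_000, "borrower": 0, "market": 100_000})
    print(flash_loan(led, "pool", "borrower", 1_000_000, profitable), led.balances)
    print(flash_loan(led, "pool", "borrower", 1_000_000, lossy), led.balances)
```

The lender needs no collateral because the rollback covers everything the borrower did between receiving and repaying the funds, not just the loan itself.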

Ethereum lending platform Aave pioneered the idea in early 2020. The concept is new and still has a lot of kinks, as new hacks are making abundantly clear. “There is no real-world analogy to Flash Loans,” as Aave puts it in its documentation.

Are Flash Loan Attacks Common?

Given how the technology is still evolving, DeFi flash loan attacks are currently common. Over 70 DeFi exploits have so far been used to steal massive amounts, to the tune of around $1.5 billion. The trend will likely continue in the years to come, because making a platform’s security impenetrable is a challenging task.

The first challenge comes down to developers’ inability to cover all of the possible weaknesses, since blockchain technology is fairly new. Another problem is that systems are developed quickly, and a lot of money is in each of these projects. The stakes are high, and many developers try different methods to find the bugs in the system. Some flash loan attackers leverage incorrect calculations of liquidity pools. Still others rely on miner attacks or coding mistakes.

Another vulnerability comes down to the platform’s pricing data. As there are plenty of exchanges worldwide, finding one true price for crypto digital assets is practically impossible. When the attacker gets the flash loan, they create an artificial sell-off, causing a sharp drop in the price of a crypto asset. Luckily, there are systems already in place to prevent such abuse of uncollateralized loans.

Flash Loan Attack Examples

The dForce Attack

dForce is a decentralized lending platform built on the Ethereum blockchain. In April 2020, an attacker took out a flash loan of 10,000 ETH and used it to manipulate the price of the USDC stablecoin. The attacker then sold their USDC for a profit of over $6 million.

Cream Finance

Cream Finance was attacked multiple times in 2021. One of the biggest heists involved $130 billion. The culprits stole CREAM liquidity tokens, amounting to millions of dollars over an undisclosed amount of time. All the losses are visible on-chain, and the culprits have yet to be caught.

Luckily, the loophole was only a part of Cream’s DeFi system, as the platform of their merging partner, Yearn Finance, remained safe. As with the majority of DeFi protocol hacks, the attackers used multiple flash loans and manipulated the pricing of the oracle. With the help of Yearn’s team, the platform quickly patched the vulnerability.

Alpha Homora

In February 2021, a hack on the Alpha Homora protocol resulted in a loss of $37 million. The flash loan attacker also used C.R.E.A.M. Finance’s Iron Bank through a series of flash loans. The Iron Bank is the lending arm of the Alpha Homora protocol.

The hackers repeated the process multiple times until they amassed CreamY USD (or cyUSD), then used the tokens to borrow other cryptocurrencies. The hack was quite complex and involved numerous steps. Essentially, the attacker heavily manipulated the sUSD pool of HomoraBank v2. They performed a series of transactions and flash loans, allowing them to abuse the lending protocol between HomoraBank v2 and the Iron Bank. Additionally, they exploited the rounding miscalculation of the borrowing calculations in situations when there’s a single borrower.

How Do I Prevent a Flash Loan Attack?

As more attacks keep occurring, security experts are learning more about various flash loan exploits. All the vulnerabilities in the examples mentioned above have been patched, and their occurrences have given birth to two popular solutions.

Decentralized Pricing Oracles

As most flash loan attacks depend on price manipulation, it’s necessary to counter this approach with decentralized pricing oracles. Good examples are Chainlink and Band Protocol. These platforms keep all protocols safe by presenting the accurate pricing of different cryptocurrencies. Alpha Homora now uses Alpha Oracle Aggregator to prevent history from repeating itself. We’ll see more systems like this as the DeFi market size keeps growing.

Implementation of DeFi Security Platforms

The DeFi ecosystem uses cutting-edge technologies that are reshaping the outlook of international financial systems. This kind of attention puts a great burden on the whole system. The good news is that there are already specific platforms that tackle the current security challenges. Their role in the whole ecosystem is to protect smart contracts and DeFi platforms as a whole.

Aside from smart contract auditing capabilities, solutions such as the Defender Sentinels provide ongoing protection from flash loan attacks. Developers can use the tool to automate their defense strategies, quickly pausing whole systems and deploying fixes.

DeFi is still an emerging field. The way it operates is undergoing many innovations and rapid fundamental changes. Rapid change, even innovation, often leads to the neglect of extremely vulnerable groups. Attackers will continue to explore vulnerabilities, but as each event occurs, and as the ecosystem evolves, prevention mechanisms become more powerful. There are ways to help mitigate risk, such as using decentralized oracles, more frequent pricing updates, or TWAP strategies, but even as the DeFi industry as a whole takes a more effective approach, it will take some time to combat flash lending as a potential tool of exploitation.
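How the mitigations named above (decentralized oracles that aggregate several sources, and TWAP strategies) behave when one pool's price is moved and restored inside a single transaction, as an added example that is not code from any protocol mentioned here. The constant-product pool, reserve sizes, venue quotes and the 5% deviation threshold are constructed assumptions:

```python
from statistics import mean, median

class Pool:
    """Constant-product (x * y = k) TOKEN/USD pool, fees ignored (constructed model)."""
    def __init__(self, token, usd):
        self.token, self.usd = float(token), float(usd)

    def spot(self):
        return self.usd / self.token             # USD per TOKEN right now

    def swap_token_in(self, amount):
        k = self.token * self.usd
        self.token += amount
        usd_out = self.usd - k / self.token
        self.usd -= usd_out
        return usd_out

    def swap_usd_in(self, amount):
        k = self.token * self.usd
        self.usd += amount
        token_out = self.token - k / self.usd
        self.token -= token_out
        return token_out

def twap(block_closes, window):
    """Time-weighted average over the last `window` end-of-block prices."""
    return mean(block_closes[-window:])

def price_is_sane(spot, reference, max_dev=0.05):
    """Guard: accept a spot price only if it is within max_dev of the reference."""
    return abs(spot - reference) / reference <= max_dev

def simulate():
    pool = Pool(token=1_000, usd=2_000_000)      # spot starts at 2000 USD
    other_venues = [2_001.0, 1_998.0]            # constructed quotes from two other sources
    closes = [pool.spot() for _ in range(10)]    # ten quiet blocks
    # One transaction: a large borrowed sell, an oracle read, then the reverse swap.
    usd_out = pool.swap_token_in(1_000)          # token reserve doubles, price falls to 1/4
    spot_mid_tx = pool.spot()
    readings = {
        "spot": spot_mid_tx,                     # what a spot-price oracle reports
        "twap": twap(closes, window=10),         # what a TWAP oracle reports
        "median": median([spot_mid_tx] + other_venues),  # multi-source aggregate
    }
    pool.swap_usd_in(usd_out)                    # reserves restored before the block ends
    closes.append(pool.spot())
    readings["twap_after"] = twap(closes, window=10)
    readings["flagged"] = not price_is_sane(spot_mid_tx, readings["twap"])
    return readings
```

A TWAP only ignores moves that are undone within the same block; a price held across several blocks still enters the average, which is why the window length matters.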
