In the world of DeFi, innovation happens fast. Teams often launch products quickly, breaking things along the way to figure out how to do them better. Flash Loans are one of the latest examples of innovative features that lend themselves to exploits by hackers.
However, the problem isn’t necessarily the loans themselves but the smart contracts they’re relying on. Firstly though, what exactly are Flash Loans, and how are they providing value to the broader DeFi ecosystem?
When taking out a loan in the traditional financial system, you’ll have to go through a lot of paperwork. To ensure that you’re going to pay back the loan, banks use credit scores based on borrowers' financial history. However, borrowers might not always be able to fulfill a bank’s requirements, which leaves them without access to loans.
DeFi loans still have a long way to go before they can be used to finance businesses or houses. Most DeFi lending platforms require borrowers to deposit a high amount of collateral before they can borrow anything. Flash Loans are different.
What are Flash Loans?
Flash Loans are completely uncollateralized, meaning that borrowers won’t need to deploy their funds to take one out. As their name suggests, flash loans are settled in an instant. Borrowing without collateral seems impossible, and it is in traditional centralized systems. Yet, with the advent of smart contracts, it’s possible to combine various transactions into one, including the issuance and repayment of the loan.
The terms for flash loans are set out in a smart contract. When the capital isn’t repaid or the conditions aren’t met, the smart contract rolls the transaction back. This does, in theory, reduce risks for both sides. Successful loans usually charge a small fee of 0.09%. This fee secures some profit for the lenders providing the capital and reflects the cost of lending money (nothing in life is free).
In short, flash loans let traders take out loans without collateral and repay them within an instant.
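The borrow, use, repay-or-roll-back sequence described above can be modelled in a few lines. This is an added example, not code from Aave, Marble or any other project; the ledger, the account names and the amounts are constructed, and only the 0.09% fee comes from the article.

```python
FEE_BPS = 9  # 0.09% fee quoted in the article, as basis points

class LoanReverted(Exception):
    """The loan was not repaid, so every state change is undone."""

class Ledger:
    """Constructed stand-in for on-chain token balances."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise LoanReverted(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, pool, borrower, amount, callback):
    """Lend, run the borrower's logic, require principal plus fee back."""
    snapshot = dict(ledger.balances)          # state before the transaction
    fee = amount * FEE_BPS // 10_000
    required = ledger.balances[pool] + fee
    try:
        ledger.transfer(pool, borrower, amount)
        callback(ledger)                      # borrower's own logic
        if ledger.balances[pool] < required:
            raise LoanReverted("principal plus fee not returned")
    except Exception:
        ledger.balances = snapshot            # models the revert
        raise
    return fee

def repaying_borrower(ledger):
    ledger.transfer("market", "alice", 2_000)     # constructed trading gain
    ledger.transfer("alice", "pool", 1_000_900)   # principal + 900 fee

def defaulting_borrower(ledger):
    ledger.transfer("alice", "elsewhere", 1_000_000)  # never repays

def run_demo():
    start = {"pool": 5_000_000, "alice": 0, "market": 10_000}
    good, bad = Ledger(start), Ledger(start)
    fee = flash_loan(good, "pool", "alice", 1_000_000, repaying_borrower)
    try:
        flash_loan(bad, "pool", "alice", 1_000_000, defaulting_borrower)
    except LoanReverted:
        pass
    return fee, good.balances, bad.balances
```

In the defaulting case the lender's balance ends exactly where it started, which is why the lender can skip collateral.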
Marble protocol was the first blockchain project to propose flash loans, which it wanted to implement in its decentralized bank that would rely solely on smart contracts. The main product it offered was an instant zero-collateral loan that would let anyone borrow ETH or ERC20 tokens to take advantage of arbitrage opportunities.
While Marble isn’t around anymore, another prominent DeFi platform is issuing Flash Loans at an astonishing rate: Aave protocol has issued nearly 4 billion flash loans in June this year (and that while we were in what some would call a “bear market”).
Benefits of flash loans include that no time passes between issuance and repayment; they carry no opportunity cost and require no collateral.
What are they good for?
The most significant appeal of flash loans is their usefulness for arbitrage trading. Even price differences across platforms of just 1% can be an attractive arbitrage opportunity if you have enough capital at hand. If you spot an arbitrage opportunity but don’t have the necessary money to make a significant return from it, flash loans can help. Take out a loan of thousands in value, exploit that arbitrage opportunity, repay the loan and the fee, and you’ve made some excellent returns. Combining various transactions in one smart contract can also lower transaction fees.
For borrowers that want to refinance their loan on a different platform because they’ve found a protocol with a lower interest rate, flash loans offer an easy way to do that. They can borrow the loan amount in a flash loan, pay off protocol number 1 and borrow on the second platform at a better rate.
As indicated above, Flash Loans are still a fairly nascent technology and rely heavily on smart contracts. Unfortunately, that has made flash loans a common vector for hackers to attack DeFi protocols.
Flash Loan attacks
With the tremendous growth of memecoins and yield farming projects on Binance Smart Chain, exploits of projects that often just forked another project’s code have increased as well. The journalist Wu Blockchain estimates that total losses on BSC due to flash loans and other attacks exceeded $157 million in May. It’s reasonable to assume that the number has grown further.
Yet, even before BSC, projects suffered from flash loan attacks. In February 2020, bZx, which was back then among the top 10 DeFi projects, was first drained of $350,000. Despite the firm investigating the issue and temporarily shutting down trading, malicious actors managed to launch another attack, stealing another $633,000. Throughout this attack, the hackers used a badly set-up price feed and vulnerabilities in the code. The attackers fooled lenders into thinking that they had already repaid their loan by pushing up the price of the stablecoin used for repayment.
Most flash loans are denominated in a dollar stablecoin, mainly DAI and USDC.
More recently, Chainswap, a project on Binance Smart Chain, has suffered a new attack that resulted in users losing millions of dollars. Chainswap is a platform enabling users to launch tokens on the Binance Smart Chain. By exploiting the protocol, attackers could control the smart contracts of various projects and mint tokens directly to their own address before selling them on Pancakeswap. For the attacker, this resulted in an ETH balance of more than $4 million. It’s still unclear if project users will get their funds back.
Overall, all flash loan attacks we’ve seen so far were made possible by poorly thought-out price feeds and a lack of smart contract security. Therefore, do your own research before investing in any platform that relies on flash loans. Check security audits and what other, more technical people have to say about them.
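To show what a better-designed price feed looks like, this added example (not code from any project named here) compares a pool's instantaneous price with a time-weighted average and refuses to quote when they disagree. It goes beyond the article: the constant-product pool, the time-weighted average and the 2% threshold are assumptions chosen for illustration, and all reserves are constructed.

```python
MAX_DEVIATION_BPS = 200  # assumption: reject spot prices >2% away from the TWAP

class Pool:
    """Constant-product market (x * y = k) trading a token against a stablecoin."""
    def __init__(self, token_reserve, stable_reserve):
        self.token = token_reserve
        self.stable = stable_reserve
        self.cumulative = 0.0   # sum of price * seconds, used for the TWAP
        self.elapsed = 0

    def spot_price(self):
        return self.stable / self.token

    def advance(self, seconds):
        """Time passes between blocks; accumulate the price seen so far."""
        self.cumulative += self.spot_price() * seconds
        self.elapsed += seconds

    def swap_stable_for_token(self, stable_in):
        k = self.token * self.stable
        self.stable += stable_in
        self.token = k / self.stable

    def twap(self):
        return self.cumulative / self.elapsed

def price_for_lending(pool):
    """Return a price only if spot agrees with the time-weighted average."""
    spot, twap = pool.spot_price(), pool.twap()
    deviation_bps = abs(spot - twap) / twap * 10_000
    if deviation_bps > MAX_DEVIATION_BPS:
        raise ValueError(
            f"spot {spot:.2f} is {deviation_bps:.0f} bps away from TWAP {twap:.2f}")
    return twap

def demo():
    pool = Pool(token_reserve=10_000, stable_reserve=1_000_000)  # spot = 100
    pool.advance(1800)                     # 30 minutes of ordinary trading
    normal_quote = price_for_lending(pool)
    pool.swap_stable_for_token(1_000_000)  # one very large trade, no time passes
    try:
        price_for_lending(pool)
        rejected = False
    except ValueError:
        rejected = True
    return normal_quote, pool.spot_price(), pool.twap(), rejected
```

A feed that read only `spot_price()` would report 400 after the single large trade, while the averaged price is still 100 because no time has elapsed inside the transaction.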
Despite security challenges, flash loans could contribute to increasing market efficiency and give you the opportunity to feel like a whale for once. 🐋
If you want to give it a go and create your own flash loan, tools like Furucombo make it easy for anyone — even without a coding background.