What is Plaguing DeFi? Flash Loan Attacks
What some have named “The Plague of DeFi” has cost in the past 11 months no less than $271M to DeFi Projects !
It’s the most cost/time efficient hack in the whole web3.
So what is it & how does it work?
A Digestible Decrypt.
What are Flash Loans?
They are uncollateralized loans enforced by smart contracts pioneered by Aave(DeFi lending protocol).
There is no limit to how much you can borrow as long as you can pay back the loan in the same transaction.
(Unsecured Unlimited Loans? Uh oh)
It’s called a “FLASH” loan for a reason: the process needs to happen fast!
You can do whatever you want with the loan and pack up the excess amount you gain, but you have to pay it back before the transaction completes on the blockchain.
Unable to return the loan in time? 👁️👁️
Smart contracts ensure the transaction is reversed: the transaction fails! It’s like the loan never happened & thus the lender always gets its money back!
TL;DR: Users can borrow as much as they want with zero capital in one or two clicks.
It’s free, it’s quick & it’s anonymous.
In web3, with so many unsavory actors lurking around, this is a perfect recipe for disaster, hence the Flash Loan Attacks.
What are Flash Loan Attacks?
Flash Loan Attacks’ MO is actually quite simple: market manipulation.
Simple doesn’t mean unsophisticated.
It requires interactions with 4 or more protocols in a matter of seconds to succeed.
(Yep, thankfully your average Joe can’t just go for it.)
To succeed attackers also need to have a profound understanding of the vulnerabilities of the protocol they target, to be able to use the borrowed money to exploit it.
So although they’re all FLAs, they’re never a copy-paste of each other.
2 examples to illustrate this:
- 09.06.22 — Cauldron Flash Loan Attack: exchange rate exploit
- 09.08.22 — New Free Dao FLA: unverified rewards contract exploit
Just like this, hundreds of millions of dollars have been siphoned from vulnerable protocols since AAVE brought Flash Loans to the web3 table.
Notably, the first Flash Loan Attack, happened not even 4 weeks after Flash Loan was launched: bZx, a DeFi protocol was the unfortunate first victim and lost $355k to the attack.
The main issue?
Some? Many? Most? Some would even argue ALL of these attacks could have been avoided if smart contract audits, stress tests, penetration tests, etc… had been put into place by these vulnerable DeFi Protocols.
Flash Loan Attacks do not have to plague DeFi.
The truth is this:
As long as Flash Loan exists & DeFi protocols YOLO it,- instead of taking serious actions to protect themselves against this threat -, making market manipulation possible, Flash Loan Attacks will be a staple of web3.
A staple that will keep bringing down to their knees unsuspecting (sometimes) DeFi projects.
About us
Nefture is a WEB3 Security Company that keeps your wallet safe with our Metamask Extension and allows brands to tap into web3 through 360° support on their blockchain project.
We specialize in blockchain technologies to make your project come to life and cybersecurity to completely secure your web3 journey: from building Smart Contracts, Audits, Minting websites, Dapps, Discord Audits and Securing,… to Security Breaches Investigation and Management!
Start your web3 journey with us: https://agency.nefture.com/
Register for the beta of Nefture Security here!
