To take out a typical loan, you must supply documentation of savings, earnings, and other items. Flash loans do away with all of that; they are like loans on steroids. But, in the end, are they good or bad? The answer depends on whom you ask. Some people believe that flash loans are a major step forward in decentralized finance (DeFi), especially on the Ethereum network. To their critics, flash loans give unscrupulous people an opportunity to steal millions by exploiting poorly secured technologies. This past week brought the spectacle back to DeFi when Binance Smart Chain (BSC) protocol PancakeBunny was hit by a $200m flash loan attack, resulting in the loss of over 700,000 BUNNY and 114,000 BNB coins. Despite the sector’s best efforts, the damage is irreversible.
Come, Let’s Talk Next
While there’s no denying that flash loans are a fad, these attacks are no flash in the pan. They’re becoming an increasingly prominent issue in the cryptocurrency space, and especially in decentralized finance (DeFi). So let’s look at the details: what they are, why they are so prevalent, how they work, and whether anything can be done about them. Read more about crypto wallets in our blog post titled “Here Is Your Guide To Know Everything About Crypto Wallets”.
What Is A Flash Loan?
The popularity of crypto lending has risen in recent years, and it’s no surprise. Flash loans have become a trendy form of financing because they take full advantage of contemporary technologies. The term “flash loan” refers to a loan in which a borrower receives money without the need for collateral. You might automatically wonder how this is possible. The whole borrowing and repayment procedure is conducted in one transaction on the blockchain using the platform’s smart contract. With a typical loan, the lender may take legal action against you if you do not pay back the loan. You will be charged a penalty for late payment, and your credit score will be negatively affected. A borrower who fails to return the money may face jail time or other serious consequences. The flash loan idea is straightforward and extremely useful. You don’t need any security, paperwork, or credit score to apply for an unsecured loan, as opposed to a secured loan. In a matter of seconds, you can obtain large amounts of stablecoins and put them to use right away.
The Borrowing Process
Some cryptocurrency traders are attempting to do this on a variety of DeFi platforms. Users of Aave, for example, can borrow against the interest earnings to fund arbitrage trading. The lending and borrowing procedure is systematized, so both the borrower and the lender profit when everything goes smoothly. If something goes wrong, the transaction is cancelled, and neither party makes money.
What Is A Flash Loan Attack?
A flash loan attack is a type of DeFi attack in which a flash loan (a type of uncollateralized lending) is used to gain an unfair advantage in the market via cyber theft. Such attacks can involve four or more DeFi protocols, yet they play out in seconds to minutes. Most DeFi attacks fit into this category since they are the most straightforward and cost-effective to execute. They’ve been making front pages frequently since the inception of DeFi in 2020, totaling more than $400 million in losses thus far.
Are Flash Loan Attacks Common?
Given that the technology is still developing, flash loan attacks are quite prevalent now. Over 70 DeFi vulnerabilities have been exploited to steal billions of dollars, amounting to around $1.5 billion currently. The practice will most likely continue in years to come because making a platform’s security impenetrable is a challenging task. The first issue is that developers can’t cover all the possible flaws because blockchain technology is relatively new. Another problem is that systems are developed quickly, and a substantial amount of money has been invested in each project. The stakes are high, and many programmers try all kinds of approaches to discover faults in the system. Some flash loan attacks involve incorrect liquidity pool calculations. Others are minor assaults or software errors. The thing that makes everything feasible is also its Achilles’ heel.
The main issue is that smart contracts have complete control over DeFi protocols. If attackers understand how these work in detail, they can misuse a contract’s flaws to their advantage. This implies that DeFi security is a tight balance: the skill of the protocol’s contract creator on one side and the hackers on the other. Another vulnerability stems from platform pricing data. Finding one accurate price for a crypto asset across multiple exchanges worldwide is nearly impossible. The appeal of arbitrage trading depends on the difference in pricing. Following markets provides a fantastic opportunity to earn money since actual price variations occur. Flash loan attacks, on the other hand, alter prices and take advantage of the quick shift in them. Fortunately, there are mechanisms to prevent similar abuses of uncollateralized loans. Before that, we’ll look at a couple of examples of flash loan attacks.
How Do Flash Loan Attacks Work?
Flash loans allow users to borrow as much as they want with no initial capital. For example, if you wish to borrow $70,000 worth of ETH, a lending protocol immediately hands it to you, but that doesn’t mean you own it. You must do something with the borrowed funds to repay the loan and perhaps profit from the excess money. To work, the process must move quickly, and the debt must be paid off in time, or else the transaction is reversed. Because the blockchain is used to enforce the promise to pay your debt, a decentralized lender does not require collateral from you. Flash loan attackers seek methods of manipulating the market while staying compliant with a blockchain’s rules.
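The borrow, use, repay-or-reverse rule described above can be modeled in a few lines. This is an added example, not code from any lending protocol: the ledger, the account names, the callbacks and the 10 basis point fee are all assumptions made for illustration.

```python
import copy

class Revert(Exception):
    """Signals that the whole transaction must be rolled back."""

class Ledger:
    """Constructed toy ledger: account name -> balance in one token."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise Revert(f"insufficient funds in {src}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, pool, borrower, amount, callback, fee_bps=10):
    """Lend, run the borrower's logic, demand principal + fee, all in one
    transaction. fee_bps is an assumed value, not any protocol's real fee."""
    snapshot = copy.deepcopy(ledger.balances)
    fee = amount * fee_bps // 10_000
    try:
        ledger.transfer(pool, borrower, amount)        # no collateral asked
        callback(ledger)                               # arbitrary borrower logic
        ledger.transfer(borrower, pool, amount + fee)  # must succeed in full
        return True
    except Revert:
        ledger.balances = snapshot                     # as if nothing happened
        return False

def profitable(ledger):
    # Stand-in for an arbitrage that nets 2,000 from a hypothetical market.
    ledger.transfer("market", "trader", 2_000)

def losing(ledger):
    # Stand-in for a trade that loses 500 of the borrowed funds.
    ledger.transfer("trader", "market", 500)

def run_demo():
    start = {"pool": 1_000_000, "trader": 0, "market": 5_000}
    good, bad = Ledger(start), Ledger(start)
    ok = flash_loan(good, "pool", "trader", 70_000, profitable)
    failed = flash_loan(bad, "pool", "trader", 70_000, losing)
    return ok, good.balances, failed, bad.balances

if __name__ == "__main__":
    print(run_demo())
```

The lender’s only protection is the final repayment check: it never inspects what the callback did with the funds, which is why the borrower’s logic is the part that needs scrutiny.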
Case Studies Of Flash Loan
Let’s look at three real-world examples of flash loan assaults to better illustrate these exploits’ anatomy.
Let’s look at the bunny and its fatal allure to hackers again. The most recent flash loan attack against PancakeBunny, a BSC-powered yield farming aggregator, occurred in May 2021, when the value of the PancakeBunny token was driven down by more than 95% due to an exploit. The attacker made many trades to pump and dump the price of USDT/BNB and BUNNY/BNB on PancakeSwap. The hacker was able to steal a significant amount of BUNNY (which they subsequently dumped on the market, causing the value to drop) since it was only possible for users who had accepted its terms of service. The platform lost almost $2 million to the hacker, leaving a taint on the protocol.
In 2021, the most significant flash loan hack occurred in February, when Alpha Homora’s payment system was emptied of $37 million in cryptocurrency using Iron Bank, Cream’s lending platform. A series of flash loans was launched against the leveraged yield farming protocol. The hacker repeatedly used the Alpha Homora app to draw money from Iron Bank, gradually increasing the amount borrowed. This was accomplished in a two-step process where the hacker re-lent cash to Iron Bank each time, allowing them access to Yearn Synth USD (cySUSD). Aave made a flash loan to Curve and converted 1.8 million USDC into sUSD. The sUSD was used to repay the flash loan and extend credit to Iron Bank, allowing them to borrow and lend more and receive a proportional quantity of cySUSD each time.
DeFi Yield Farming Aggregator
An assault on the ApeRocket BSC platform and its Polygon fork, which took place in July 2021, resulted in the loss of $1.26 million in funds for protocol users. Within hours, the two flash loan attacks on DeFi yield farming aggregator Aave and PancakeSwap took place. The hackers used AAVE and CAKE to steal a large sum of money, keeping 99% of the cash in the protocols’ vaults. Excess cash was disbursed to the vault’s contract, resulting in many tokens. The hackers then dumped these tokens. On June 3, 2019, ApeRocket’s native cryptocurrency, SPACE, lost 63% of its value after a flash loan assault. The protocol issued an official statement in response to the attack, including its solution for reimbursing SPACE holders moving forward.
Why Are Flash Loan Attacks So Frequent In DeFi?
Flash loan attacks are low-risk, low-cost, and high-reward, which makes them a potent combination in the eyes of thieves. Flash loans, unlike 51% attacks that require huge financial backing, only need three things: a computer, an internet connection, and, most significantly, imagination. Hacking necessitates preparation; nevertheless, the implementation takes only a few seconds to a few minutes, so it does not need much investment of time either. Consider robbing a bank without the need to be present in the bank. This roughly translates to the flash loan attackers’ viewpoint. It’s been clear for over a year that it’s simple to get away with stealing from DeFi protocols. No flash loan assailant has yet been detained, at least not in recent memory. This is due to the permissionless nature of the internet and available tools for anonymizing identities, such as Tornado Cash, that leave little evidence after the attackers have vanished.
How To Prevent Flash Loan Attacks?
Access to a single, reputable price feed can provide diversification and guarantee stability. Because these attacks take advantage of DEXs trusting their own or one specific price feed, which may be manipulated by placing a massive order for a currency, it’s critical to use decentralized pricing oracles to obtain the correct price of an asset. Given the current surge of flash loan attacks, it’s clear that no single solution exists yet. However, specific actions may be taken to combat this problem.
Use Decentralized Oracles
The most straightforward approach to prevent flash loan attacks is for DeFi platforms to use decentralized pricing oracles such as Chainlink and Band Protocol instead of depending on a single DEX for their price feed. Alpha Homora had to learn this the hard way before creating its Alpha Oracle Aggregator last May.
High-Frequency Pricing Updates
This appears to be a straightforward solution in theory, but it might cost more in practice. We simply increase the number of times the liquidity pool queries an oracle for a new price. The logic is that with more updates, the price of a token within the pool will update faster, exposing any price manipulation.
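To see why a single DEX pool is a weak price source and what aggregation buys, the following added example (not code from Chainlink, Band Protocol or any project named here) models a fee-less constant-product pool and a median over several feeds. The reserves, feed names, feed values and the 5% deviation threshold are constructed assumptions.

```python
from statistics import median

class ConstantProductPool:
    """Constructed x*y=k pool with no fees; reserves are made-up numbers."""
    def __init__(self, token_reserve, quote_reserve):
        self.token = float(token_reserve)
        self.quote = float(quote_reserve)

    def spot_price(self):
        # Price read straight from the pool's own reserves (quote per token).
        return self.quote / self.token

    def buy_token(self, quote_in):
        # A swap keeps token * quote constant, so a huge order moves the price.
        k = self.token * self.quote
        self.quote += quote_in
        bought = self.token - k / self.quote
        self.token -= bought
        return bought

def aggregated_price(feeds, max_deviation=0.05):
    """Median of independent feeds, plus the names of feeds that stray more
    than max_deviation (an assumed 5% threshold) from that median."""
    mid = median(feeds.values())
    outliers = sorted(n for n, p in feeds.items()
                      if abs(p - mid) / mid > max_deviation)
    return mid, outliers

def run_demo():
    pool = ConstantProductPool(token_reserve=1_000, quote_reserve=10_000)
    before = pool.spot_price()
    pool.buy_token(90_000)      # one massive order, as a flash loan can fund
    after = pool.spot_price()
    # Hypothetical feeds: the manipulated pool plus two independent sources.
    feeds = {"dex_pool": after, "feed_a": 10.02, "feed_b": 9.98}
    price, outliers = aggregated_price(feeds)
    return before, after, price, outliers

if __name__ == "__main__":
    print(run_demo())
```

The pool’s own spot price jumps a hundredfold within the transaction, while the median barely moves and the outlier list gives a protocol a signal to pause pricing-sensitive actions.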
Transactions In The Chain Should Go Through Two Blocks
According to Dragonfly Research, flash loans may be forced to pass through two blocks instead of one. However, this isn’t a solution in and of itself, since the exploiter may still carry out a flash loan attack across both blocks if they are built incorrectly. Furthermore, this affects the UI of DeFi protocols, since transactions will no longer be synchronous.
Tools For Detecting Flash Loan Attacks
The delay in response times from DeFi platform developers is one of the main reasons exploiters can pull off flash loan assaults. And we can’t blame them since exploits are generally difficult to detect until it’s too late. Project managers can use security tools to identify smart contract vulnerabilities and other unusual behavior, allowing them to react promptly and counteract assaults.
The Takeaway Notes
The use of flash loan attacks is becoming prevalent and will most likely continue for a time. Despite all the proposed solutions, we should keep in mind that DeFi technology isn’t yet developed enough to allow us to relax, since each week hackers discover new security flaws before they are fixed. The only way developers can survive is to make the most of what they have right now, and if those measures don’t work, they’ll learn something new every time they’re attacked. We shouldn’t be put off participating in DeFi schemes such as staking, yield farming, and liquidity mining, since they provide us with significant possibilities. Aside from flash loans, there are other DeFi lending protocols; the top DeFi lending protocols across chains may be found easily. Remember to thoroughly assess the risks and never put down money that you are not prepared to lose. Investment is all about risk management, and DeFi staking is no exception.