Flash Loan Attack – DeFi Hacking Explained


  • Flash loans have gained popularity; however, that popularity has led to flash loan attacks
  • Flash loan attacks are an unfortunate reality of decentralized finance (DeFi)
  • Numerous solutions have been proposed for flash loan attacks; however, there has not been a permanent fix

To get a better understanding of flash loan attacks, today we’ll be going over everything from the flash loans themselves to the types of attacks. This threat to DeFi offerings should not be underestimated, and it carries numerous risks that anyone should be aware of, especially people interested in the cryptocurrency space.

Flash Loans Explained

To put the seriousness of these attacks into perspective, we first need to take an in-depth look at what exactly flash loan attacks are to begin with.

Within the decentralized finance (DeFi) space, flash loans are a unique feature of trading in which a user can borrow an unsecured loan from a lender without the involvement of any third party, as would normally be required with fiat loans.

Smart contracts play a key role in this transaction as they govern the transaction and ensure that it only gets executed once all of the rules which were pre-set are adhered to, ensuring a maximum level of security in the process.

In traditional fiat banking systems, loans fall, most of the time, into two specific categories: secured loans and unsecured loans.

The secured loans in traditional finance require the user to give some kind of security, which fills the role of collateral. In unsecured loans, collateral isn’t really required and the loan gets sanctioned based on a specific bank card score, which takes the past records of paying back loans into consideration. In other words, the more loans you take out and end up paying back, the bigger loans you can end up taking.

An unsecured flash loan enters the scene where certain rules are pre-decided, and only when they are obeyed will your loan transaction go through.

To further grasp this concept, we need to take a look at smart contracts and get a clearer analysis and picture of how all of this works. You see, the specific smart contract that is integrated within the blockchain software has all of the rules which are a requirement built into it, which can facilitate the flash loan transaction. 

It ensures that nothing can really happen unless the borrower pays back the loan before the transaction ends. If the borrower defaults, the smart contract reverses the transaction, and the result is as if the loan had never occurred to begin with.

Flash loans are appealing because, as the name might imply, they are instantaneous. This means that the loan seeker needs to take advantage of smart contracts in order to perform instant trades against the funds lent by the lender.





This trade needs to occur before the transaction ends, and it only stays there for a few seconds before ending.

Flash loans are available on different, typically Ethereum-based DeFi lending platforms, the most notable ones being Aave and dYdX. They started off as a tool through which developers would send textual commands to specific computers; however, with the arrival of solid, newcomer-friendly user interfaces, they have gathered attention within the cryptocurrency community.

These flash loans were actually pioneered by Aave which is one of the most popular DeFi lending protocols out there.

If you do not pay back the flash loan, you do not get the loan to begin with. The entire flash loan takes place within a single transaction, so both parties, the borrower as well as the lender, need to follow the rules, and if they do not, the loan will not be issued. This is one of the advantages when it comes to using smart contracts. 

Furthermore, if the funds are not paid back by the borrower instantly, the smart contract reverses the transaction, and the money is given back to the lender as a result of this change.
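The all-or-nothing behaviour described above can be modelled in a few lines. This is an added example, not code from Aave, dYdX or the original article; the ledger, the account names and the 0.09% fee are assumptions made for the illustration.

```python
# Added illustration: a toy ledger and lending pool, not any real protocol's code.

class Reverted(Exception):
    """Raised when a step fails and the whole transaction must roll back."""

FEE_BPS = 9  # assumed fee (0.09%), chosen only for this example

def transfer(balances, src, dst, amount):
    if balances.get(src, 0) < amount:
        raise Reverted(f"{src} has insufficient funds")
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount

def flash_loan(balances, pool, borrower, amount, callback):
    """Lend `amount`, run the borrower's logic, then require principal plus fee.
    Returns True if the transaction commits, False if it was rolled back."""
    snapshot = dict(balances)                 # state before the transaction
    fee = amount * FEE_BPS // 10_000
    required = balances.get(pool, 0) + fee    # pool must end at least this high
    try:
        transfer(balances, pool, borrower, amount)
        callback(balances, borrower, pool, amount + fee)
        if balances.get(pool, 0) < required:
            raise Reverted("loan not repaid in full")
    except Reverted:
        balances.clear()
        balances.update(snapshot)             # as if the loan never occurred
        return False
    return True

def repaying_borrower(balances, me, pool, owed):
    transfer(balances, me, pool, owed)        # pays principal + fee back

def defaulting_borrower(balances, me, pool, owed):
    transfer(balances, me, "elsewhere", 50_000)  # moves funds away, repays nothing

def run_demo():
    balances = {"pool": 1_000_000, "alice": 100, "bob": 0}
    committed = flash_loan(balances, "pool", "alice", 100_000, repaying_borrower)
    after_repay = dict(balances)
    defaulted = flash_loan(balances, "pool", "bob", 100_000, defaulting_borrower)
    return committed, after_repay, defaulted, dict(balances)

if __name__ == "__main__":
    print(run_demo())
```

The second call leaves every balance exactly where it was, including the funds the borrower tried to move away, which is why the lender can skip collateral.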

Flash Loan Attacks Explained

At this point in time, you should be fairly up to speed about what flash loans are. Now we’ll be taking a look at the flash loan attacks. Before we dive too deep into them, let’s look at some real-world examples of Flash Loan attacks. 

On May 20, 2021, we saw a flash loan attack that caused the DeFi token Bunny to crash over 95% in terms of value. This was due to the fact that a hacker used PancakeSwap to manipulate the Bunny market.

As a result, over $200 million in assets was gone. Over 700,000 Bunny tokens were gone, and over 114,00 BNB tokens were gone. This resulted in a permanent loss.

So how could this flash loan attack lead to a $200 million loss? Let’s dive a bit deeper and see what actually happened.

Flash loan attacks are these specific types of decentralized finance (DeFi) attacks where a cybercriminal takes out a flash loan, which is a form of uncollateralized lending as previously discussed, from a specific lending protocol, and then uses it alongside other gimmicks in order to manipulate the market to their favor. 

These are types of attacks that can occur within seconds, and they can involve multiple DeFi protocols, despite that tiny time frame.

If you have been following the decentralized finance (DeFi) space for quite a bit, you will notice that when it comes to the attacks themselves, a huge portion of them are flash loan attacks. They are the cheapest to actually execute, and they are easy for cybercriminals to get away with, unfortunately. 

As such, they have been making headlines ever since the surge in popularity that DeFi received throughout 2020.

Here’s how cybercriminals can pull them off.

A flash loan essentially allows a user to borrow as much as they want with zero capital attached; this much we already knew.

So, assume that you want to borrow $100,000 worth of ETH, and you use a lending protocol that would instantly give this to you. This does not make the ETH yours, as you are required to do something with the borrowed funds in order to pay back the loan and potentially profit out of any excess amount. 

The process needs to occur fast, and the debt needs to be repaid to the protocol within the specified time frame. If this does not happen, the transaction will end up reversing.

Now, a decentralized lender does not require collateral due to the fact that the agreement to pay your debt is fully enforced by the blockchain itself. The flash loan attacker finds ways to manipulate the market, while still living up to the rules of the specific blockchain. 

So, a flash loan attack would essentially be one where the smart contract supporting the flash loans is compromised in some way. 

Notable Flash Loan Attacks

The best way you can analyze what flash loan attacks look like, and how they work, is to take a look at some notable ones which have occurred in the past, as they will give you the best possible perspective and the deepest understanding. As such, here, we will be analyzing some of the most important flash loan attacks of 2021.

We will start off with the Alpha Homora exploit. Unfortunately, in February of 2021, we saw one of the largest flash loan attacks of 2021.

Through an exploit, the Alpha Homora protocol lost $37 million through the usage of Iron Bank, which is the lending platform of Cream. The leveraged yield farming protocol saw a massive attack from multiple flash loan attacks. 

Here’s what the hacker did.

He repeatedly borrowed sUSD from the Iron Bank through the Alpha Homora decentralized application (dApp), where he doubled the amount each time he started borrowing.

This was done in a process known as “two-transaction”, where the hacker lent the funds back into the Iron Bank each and every time. This allowed the hacker to receive Yearn Synth sUSD (cySUSD) in return.

Here’s where things got interesting, however. 

First came the process of borrowing 1.8 million USD Coin (USDC) from Aave through a flash loan and swapping them out for sUSD through the usage of Curve.

This sUSD was used to pay back the flash loan to Iron Bank, and this enabled the hacker to continuously borrow, as well as lend more of them and receive a certain amount of cySUSD every single time. This is known as an exploit in the system.

Now, this most likely wasn’t a single hacker but a group, and what they did was repeat this process multiple times.

The result of this? Well, it allowed them to steal a large number of Creamy cyUSD which ended up being used to borrow other cryptocurrencies from the Iron Bank. 

Here’s what they got:

  • 13,000 Wrapped Ethereum (WETH)
  • 3.6 million USDC
  • 5.6 million USDT
  • 4.2 million DAI

To pull off this exploit, the hackers needed to act extremely fast; still, the steps above represent just how it was done.

Now, since we can see the clear timeline of events that need to occur in order for a flash loan attack to work, let’s look at our very first example a bit more in-depth now, the PancakeBunny Attack. 

In May of 2021, we saw an attack on PancakeBunny, a yield farming aggregator. An exploit it had was misused, which caused the token to fall by more than 95% of its original value.

Here’s what the hacker did.

The hacker borrowed a huge amount of BNB through the usage of PancakeSwap, where after that step, it was used to manipulate the price of the BUNNY/BNB and USDT/BNB trading pairs in the PancakeBunny pools. This in turn allowed the hacker to steal huge amounts of BUNNY tokens that were pushed to the market, which caused the value to drop significantly. The hacker then paid back the debt through the usage of PancakeSwap.

  • The hacker got away with around $3 million. 

So, when we look at both of these attacks, we can see that an exploit was used, the market was manipulated, and the hackers got away. 

Why Flash Loan Attacks are Used 

So, at this point in time, you might be wondering why hackers and cybercriminals tend to use flash loan attacks. Well the simple answer and unfortunate truth behind them is the fact that they are low in terms of risk, low in terms of costs, and have high rewards, which makes them an optimal point of attack for criminals.

A criminal only needs a few tools for the job: a functioning computer, a solid internet connection to keep up with the speed of the required actions, and a bit of know-how. A hacker would need to plan out the attack, and this is quite possibly the longest step, as the attack itself only occurs within a few minutes at the most. This means that the hackers are not required to invest a lot of capital into hardware, which makes the attack affordable.

Now, while doing any criminal activity does have its own set of risks associated with it, flash loan attacks are much less risky when compared to, for example, robbing a bank physically. You’d be surprised if you find a flash loan attacker who has been caught as of recently, and most of them do not leave any trails due to the fact that all of the networks are permissionless, and they have intensive tools to assist them in obfuscating their identities such as Tornado Cash.

Preventing Flash Loan Attacks

Given the fact that even as of recently, we have seen multiple flash-loan attacks, it is sufficient to say that there is no single solution to this issue yet. However, many platforms have started to take some steps when it comes to preventing future flash-loan attacks, and have started to tackle this issue.

One of the most interesting ways through which this issue has been tackled is through the use of decentralized oracles for price data. This would result in a reduction of the attack vector for flash loan exploits within the various decentralized finance (DeFi) platforms. Chainlink and the Band Protocol rely on a single DEX when it comes to their price feeds. 

Alpha Homora even launched their own Alpha Oracle Aggregator in May as a result of the attack.
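To show why aggregating price data narrows the attack surface, here is an added example (not code from Chainlink, Band Protocol, Alpha Homora or the original article). The pool model, the feed values and the 5% deviation threshold are constructed assumptions: a protocol reading only the pool's spot price sees a fourfold jump after one oversized trade, while a median across independent feeds barely moves and a deviation guard refuses to price from the distorted pool.

```python
# Added illustration: toy pool and feed values are constructed for this example.
from statistics import median

MAX_DEVIATION = 0.05  # assumed tolerance: 5% around the aggregated price

class ConstantProductPool:
    """Toy x*y=k pool without fees; spot price = quote reserve / base reserve."""
    def __init__(self, base, quote):
        self.base, self.quote = float(base), float(quote)

    def spot_price(self):
        return self.quote / self.base

    def swap_quote_for_base(self, quote_in):
        k = self.base * self.quote
        self.quote += quote_in
        new_base = k / self.quote
        base_out = self.base - new_base
        self.base = new_base
        return base_out

def guarded_price(pool, independent_feeds):
    """Median of the pool's spot price and independent feeds. Returns None when
    the pool has diverged from that median, so the caller can pause the action."""
    spot = pool.spot_price()
    reference = median(list(independent_feeds) + [spot])
    if abs(spot - reference) / reference > MAX_DEVIATION:
        return None
    return reference

def run_demo():
    feeds = [99.8, 100.1, 100.3]              # constructed independent sources
    pool = ConstantProductPool(base=1_000, quote=100_000)
    normal = guarded_price(pool, feeds)       # pool agrees with the feeds
    pool.swap_quote_for_base(100_000)         # one oversized trade in the pool
    distorted_spot = pool.spot_price()
    guarded = guarded_price(pool, feeds)      # median holds, guard trips
    return normal, distorted_spot, guarded

if __name__ == "__main__":
    print(run_demo())
```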

Then you can always just force critical transactions to go through more than a single block. Dragonfly Research has proposed forcing flash loans to go through two blocks instead of just one.

If this, however, ends up not being designed well, the attacker could potentially find an exploit where they could conduct a flash loan attack on both of the blocks. This would also lead to the transactions not being synchronized. 

Given the fact that there is a market demand now, we have seen an influx of flash loan attack detection tools.

OpenZeppelin has even launched a program known as the OpenZeppelin Defender which enables managers to detect smart contract exploits and allow them to respond quickly and resolve any of these issues.

This tool has been integrated by Synthetix, Opyn and Yearn.

Moving Forward

Decentralized Finance (DeFi) flash loan attacks have been around ever since its inception, and do not seem to be stopping anytime soon.

We have analyzed some of the most notable examples here, and have gone through the various ways in which cybercriminals have manipulated the exploits within different DeFi protocols and systems to initiate flash loan attacks. Note that while there is currently no permanent fix to this issue, and there very well might never be a permanent fix, just as with any financial system, developers are trying to find different solutions in order to make this experience a lot better and more comfortable for genuine users.

There are multiple proposed solutions, and even ones in development, that try to tackle this issue; however, DeFi technology itself hasn’t been on the market long enough to be mastered and secured completely. New vulnerabilities are being found on a consistent basis, typically before the developers have the time to react and patch them up, which leads to these kinds of attacks.

One of the best ways to combat this is to find the exploits before the hackers do, but this sounds far simpler on paper than it is in practice, as developers have a lot of things they need to worry about, develop, and test.

Remember, this is an informative guide, and should in no way discourage you from participating in different decentralized finance (DeFi) schemes such as yield farming, staking, or liquidity mining, as they have some of the best opportunities out there when it comes to the cryptocurrency industry and space as a whole. 

Always ensure that you know the risks involved, and never deposit more funds than you can lose. This is due to the fact that any investment, not just one in the DeFi sector, has its own risks associated with it that you need to manage efficiently if you want to get the best outcome. 






Disclaimer: Cryptocurrencies are subject to high market risk. HashFeed is not responsible for any loss that may incur from cryptocurrency price fluctuations. Written content reflect the opinion of individual writers and do not represent the official stance of HashFeed. HashFeed content may not be suitable for all users and are not obligations of HashFeed or its affiliates. HashFeed is not intended for any person in any country where such usage would be contrary to local law or regulation. HashFeed contains affiliate links to products. We may receive a commission for purchases made through these links. Keep in mind that we may receive commissions when you click our links and make purchases. However, this does not impact our reviews and comparisons. We try our best to keep things fair and balanced, in order to help you make the best choice for you.
