DeFi
Bybit Learn
Bybit Learn
Intermediate
Dec 6, 2021

What Is a Flash Loan Attack — and How Do I Prevent It?

The way people view and use cryptocurrencies has changed a lot since the development of decentralized finance (DeFi), especially with independent financial platforms offering different types of crypto lending, which in turn provides a lot of value to both borrowers and lenders.

One such loan type that has surged in popularity in the DeFi ecosystem is the flash loan, as it allows borrowers to benefit from arbitrage opportunities quickly. It provides the borrowed funds to purchase a crypto asset, sell it, pay back the loan and make a profit.

Unfortunately, while the idea is excellent and works well, there are those who exploit this form of lending. Keep reading to learn more about flash loan attacks — and how to prevent them.

What Is a Flash Loan Attack?

A flash loan attack is an abuse of the smart contract security of a particular platform in which an attacker usually borrows a lot of funds that don’t require collateral. They then manipulate the price of a crypto asset on one exchange and quickly resell it on another one.

The process is swift, and the attacker repeats the process multiple times before finishing and leaving without a trace.

What Is a Flash Loan?

The development of the DeFi lending space has made crypto lending very popular. Because they leverage the full power of currently available technologies, flash loans have become a very appealing form of lending.

The term flash loan describes when a borrower takes a loan without needing collateral. You might wonder: How is this possible? Using a platform’s smart contract, the whole lending and returning process occurs within a single transaction on the blockchain.

That means that the borrower has to act quickly and return the loan within a short time. If the lender defaults in any way, the whole transaction is annulled as if nothing had happened at all.

The principle is simple and very practical. Unlike traditional, secured loans, you don’t need any collateral, credit score or administration to process an unsecured loan. You can get your hands on large amounts of stablecoin in a matter of seconds — and use it to your benefit just as quickly.

That’s what some traders on various DeFi platforms are doing. For example, Aave users can get such loans, use the funds on an arbitrage opportunity, give back the loan, and keep the profits.

The borrowing and lending process is automated, and when everything works out, both the lender and borrower benefit from the loan. If anything goes wrong, the transaction is canceled, and there’s no profit for either one of the parties.

Are Flash Loan Attacks Common?

Given how the technology is still evolving, DeFi flash loan attacks are currently common. Currently, over 70 DeFi exploits been used to steal massive amounts, to the tune of around $1.5 billion. The trend will likely continue in the years to come, because making a platform’s security impenetrable is a challenging task.

The first challenge comes down to the developer’s inability to cover all of the possible weaknesses, since blockchain technology is fairly new. Another problem is that systems are developed quickly, and a lot of money is in each of these projects. The stakes are high, and many developers try different methods to find the bugs in the system. Some flash loan attackers leverage incorrect calculations of liquidity pools. Still others are miner attacks, or coding mistakes.

Unfortunately, the thing that makes everything possible is also the weakness. 

The challenge with smart contracts is that they have complete control over DeFi protocols. Once the attackers understand how these operate in minute detail, they can manipulate a contract’s shortcomings and use them to their advantage.

That means that DeFi’s security is a delicate balance: the skill of the protocol’s contract creator on one side, and the hacker on the other.

Another vulnerability comes down to the platform’s pricing data. As there are plenty of exchanges worldwide, finding one true price for crypto digital assets is practically impossible. This difference in pricing is what makes arbitrage trading appealing. Following markets is a great way to earn profits, due to legitimate price fluctuations. However, flash loan attacks manipulate prices and exploit the sudden shift in them. 

When the attacker gets the flash loan, they create an artificial sell-off, causing a sharp drop in the price of a crypto asset.

Luckily, there are systems already in place to prevent such abuse of uncollateralized loans. We’ll touch upon that right after we explore a couple of examples of flash loan attacks.

Flash Loan Attack Examples

So far, there have been dozens of occurrences of flash loan attacks. Here’s just some of the biggest ones.

Cream Finance

C.R.E.A.M. Finance has been under attack multiple times in 2021. One of the biggest heists involved $130 million. The culprits stole CREAM liquidity tokens, amounting to millions of dollars over an undisclosed amount of time. All the losses are visible on-chain, and the culprits have yet to be caught.

Luckily, the loophole was only a part of Cream’s DeFi system, as the platform of their merging partner, Yearn Finance, remained safe. As with the majority of DeFi protocol hacks, the attackers used multiple flash loans and manipulated the pricing of the oracle.

With the help of Yearn’s team, the platform quickly patched the vulnerability.

Alpha Homora

In February 2021, a hack on the Alpha Homora protocol resulted in a loss of $37 million. The flash loan attacker also used C.R.E.A.M. Finance’s Iron Bank through a series of flash loans. The Iron Bank is the lending arm of the Alpha Homora protocol. 

The hackers repeated the process multiple times until they amassed CreamY USD (or cyUSD), then used the tokens to borrow other cryptocurrencies. The hack was quite complex and involved numerous steps. Essentially, the attacker heavily manipulated the sUSD pool of HomoraBank v2.

They performed a series of transactions and flash loans, allowing them to abuse the lending protocol between HomoraBank v2 and the Iron Bank. You can explore the Alpha Homora attack post mortem in greater detail to see what hackers did.

Additionally, they exploited the rounding miscalculation of the borrowing calculations in situations when there’s a single borrower. 

dYdX

There are cases when gaming the protocols requires the right timing and manipulation of prices. That was the case with a dYdX exploit early in 2020. The attacker used the platform to get the flash loan, then split up the funds and used them on two trading platforms — Fulcrum and Compound.

The first part was used on Fulcrum in exchange from ETH to WBTC. In the process, the Kyber Network got the order in through Uniswap’s DEX. The catch was that Uniswap’s low liquidity pool drove WBTC’s price incredibly high.

Simultaneously, the attacker used the second part of the loan on the Compound platform to get a WBTC flash loan. As the price skyrocketed on Uniswap, the attacker quickly made the exchange — and a significant illegal profit.

PancakeBunny

In May 2021, a hacker put the PancakeBunny platform to the test by stealing close to $3 million. The hacker first leveraged PancakeSwap to get a big BNB loan. During the attack, the hacker manipulated the BUNNY/BNB and USDT/BNB trading pairs.

After that, a large flash loan provided the hacker with an enormous amount of BUNNY tokens, which he immediately dumped, paying back BNB and disappearing with the profits. The whole ordeal led to a shocking drop in PancakeBunny’s price from $146 to $6.17.

How Do I Prevent a Flash Loan Attack?

As more attacks keep occurring, security experts are learning more about various flash loan exploits. All the vulnerabilities in the examples mentioned above have been patched, and their occurrences have given birth to two popular solutions.

Decentralized Pricing Oracles

As most flash loan attacks depend on price manipulation, it’s necessary to counter this approach with decentralized pricing oracles. Good examples are Chainlink and Band Protocol. These platforms keep all protocols safe by presenting the accurate pricing of different cryptocurrencies.

For example, DeFi attacks like the one that happened to dYdX won’t be possible because the protocols won’t get their price feed from a single DEX.

Alpha Homora now uses Alpha Oracle Aggregator to prevent history from repeating itself. We’ll see more systems like this as the DeFi market size keeps growing.

Implementation of DeFi Security Platforms

The DeFi ecosystem uses cutting-edge technologies that are reshaping the outlook of international financial systems. This kind of attention puts a great burden on the whole system.

The good news is that there are already specific platforms which tackle the current security challenges. OpenZeppelin is the perfect example. Its role in the whole ecosystem is to protect smart contracts and DeFi platforms as a whole.

Aside from smart contract auditing capabilities, solutions such as the Defender Sentinels provide ongoing protection from flash loan attacks. Developers can use the tool to automate their defense strategies, quickly pausing whole systems and deploying fixes.

That kind of quick response is essential for mitigating the possible damage that a flash loan attack can incur.

Big players such as Yearn.finance, Foundation Labs, dYdX, Opyn, The Graph, PoolTogether and many others are already using the platform to neutralize attacks on their systems.

Are Flash Loans Risk-Free?

When everything’s running as intended, flash loans are entirely risk-free. The borrower and the lender can benefit from the transaction if they meet all the smart contract conditions.

From the lender’s perspective, they’re never giving away any money. It’s all artificial and becomes a part of the blockchain information if the borrower takes all of the necessary steps. If the borrower defaults, the same transaction is simply rejected.

The lender still has their funds, and the borrower doesn’t owe any money to anyone.

On the other hand, the borrower can only make a profit. They can use the borrowed funds to make a profit from an arbitrage in the crypto market. If the transaction falls through, the money simply goes back to the lender.

Ideally, the design of the system ensures risk-free, instant borrowing and lending. However, to ensure that everything is risk-free, smart contracts need to cover all of the transaction details. That way, there are no susceptibilities for attackers to exploit.

Therefore, when it comes to flash loans, the biggest risks that currently plague the DeFi ecosystem are data leaks, plus smart contract bugs that allow these attacks.

Even though things aren’t looking perfect now, over time, these systems will ultimately become secure. With platforms such as Chainlink and OpenZeppelin, flash loan attacks will likely become a part of history.

The Bottom Line

Flash loans are another great addition to the DeFi ecosystem. While they’re currently prone to attack, the tide will turn in the future. 

As developers write better smart contracts, and more systems deploy security tools and decentralized oracles for pricing, we’ll see a decreasing number of attacks coming from hackers.

If you’re thinking about whether flash loans are a good investment, we believe the answer is yes. Remember, there’s always at the very least a low risk of a flash loan attack, so carefully use your cryptocurrencies when lending them on DeFi platforms.

Eager to learn more about DeFi lending? You can find all the specifics in a detailed guide on our blog.