What Is a Flash Loan Attack?

A flash loan attack is the taking of uncollateralised loans from lending protocols, combined with other tricks, to manipulate the market to the attacker's advantage. It is a type of decentralised finance (DeFi) attack carried out by cyber thieves that happens in a matter of seconds and assaults four DeFi protocols.


Because flash loan attacks are inexpensive and easy to execute, they are listed as the most prominent DeFi attacks. Since 2020, following the rise of DeFi, flash loan attacks have been getting worse, leading to losses of several hundred million dollars.


How Do Flash Loan Attacks Work?

Flash loan attacks rely on the temporary liquidity provided by flash loans to manipulate the price of a cryptocurrency, exploit vulnerabilities in DeFi smart contracts, or steal funds from a protocol. Normally, the attacker follows a three-step procedure:

  • The attackers obtain large amounts of cryptocurrencies from a DeFi site through flash loans without offering any collateral. 

  • By taking advantage of a flaw in the DeFi smart contract with the borrowed money, the attacker controls the value of his target cryptocurrency. 

  • The attacker repays the flash loan, returning the borrowed money to the lending platform, typically inside the same transaction block.

Repaying the loan inside the same transaction block is essential to the success of a flash loan assault. Because of this, the attacker can benefit from short-term cash without having to offer any collateral, making it challenging for lending platforms to defend against these kinds of attacks.

Why Are Flash Loan Attacks Common in DeFi?

Criminals favour flash loans because they are low-risk, low-cost, and high-reward operations. These are the main causes of the rise in flash loan attacks.

Flash Loan Attacks Are Cheap

Flash loans demand just three things to operate: a computer, an internet connection, and, most crucially, creativity. This is in contrast to 51% attacks, which take enormous resources to execute. It appears that hackers must prepare their assault strategy in advance, even though carrying it out requires only a few minutes or seconds.

Flash Loan Attacks Are Low-Risk

There is risk involved in any illegal operation, but think of robbing a bank without having to enter the building. That is a very rough picture of what flash loan attackers do. The ease with which one may get away with stealing from DeFi protocols has been demonstrated over the past 18 months.

Examples

1. Euler Finance

This is one of the largest and, at the same time, most recent hacks. The hacker took advantage of a mistake in the platform's rate computation.

The two primary token types used by users of the Euler Finance platform for lending and borrowing are dTokens, which represent debt, and eTokens, which represent collateral. A hacker took advantage of a weakness in the eToken feature of the platform, resulting in the improper changing of borrowed assets into collateralized assets. 

A leading bot and the hacker's wallet were the two main on-chain entities they were working with. An authorised mixer named Tornado Cash provided them with the first funding they needed to pay for gas and draft the relevant contracts.

The hacker used the DeFi protocol Aave to obtain a flash loan worth roughly $30 million in DAI. They received an equivalent amount in eDAI tokens after depositing $20 million of the DAI onto Euler's platform. Through the utilisation of the platform's borrowing feature, the hacker was able to obtain ten times the initial money deposited. They borrowed money until the flash loan was closed and paid back some of the purchased debt with the $10 million in DAI that was left over.

Euler lost about $197 million worth of cryptocurrencies in DAI, wBTC, stETH, and USDC as a result of the hack. The native token of Euler, EUL, likewise saw a drop of around 45%.

2. Cream Finance

Ethereum's DeFi platform, Cream Finance, ranked second on the list after suffering a large $130 million loss due to a hack on October 27, 2021. In this instance, the hacker used sophisticated techniques to carry out the attack, making numerous payments and withdrawals. It wasn't a straightforward flash loan attack.

In summary, the hacker used $2 billion in collateral to borrow $1.5 billion in USD vault shares from the Yearn protocol. Then, after giving the same amount of USD to the Yearn Vault, he increased the value of the shares, making the debt on Cream $3 billion against $2 billion in collateral. The hacker's profit would have been $1 billion, but since Cream only had assets valued at $130 million, that amount became the hacker's entire gain.

 

3. PancakeBunny Attack

The prices of the USDT/BNB and BUNNY/BNB vaults were manipulated by an unidentified hacker using a flash loan attack to take out a "huge amount" of BNB tokens from PancakeSwap, according to PancakeBunny's Twitter account. Following the acquisition of a substantial quantity of BUNNY tokens, the attacker repaid his flash loan by selling all of them on the open market. On Twitter, PancakeBunny stated

A sizable quantity of fictitiously inflated BUNNY tokens was obtained by the attacker, who then reinjected them into the marketplace. As a result, BUNNY's price crashed by 95%, from $146 to $6.17 per token.

4. Alpha Homora Protocol Hack

A multi-transaction attack was used to breach Alpha Finance's vaults, and a clever DeFi ruse was used to take $37.5 million.

During the first stage of the attack, the attacker borrowed USD 1,000e18 from HomoraBankv2 using UNI-WETH LP as collateral. The attackers' contract tricked the Homora code into believing that their malicious contract was their own, allowing them to manipulate internal debt numbers in their system. The price of ALPHA, the Alpha Homora governance token, dropped from $2.25 to $1.78 as a result of the attack.

5. ApeRocket Flash

ApeRocket, a DeFi yield farming aggregator, saw a price collapse of roughly 63% after suffering two flash loan attacks that led to a loss of $1.26 million.

How to Mitigate Flash Loan Attacks

The dangers of flash loan attacks can be reduced by tightening lending and borrowing rules, enhancing the transparency and control of the DeFi platform, and capping the amount of cash that can be obtained in a flash loan.

Smart contracts should be written securely, and routine audits should be carried out every two days to prevent any possible flash loan assaults. This precaution makes it possible to locate and address any vulnerability in the code before an attacker uses it for his own gain.


To avoid flash loan attacks, it is best to use smart contract security features, slow down transactions, and include rate limits.
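The guards named in this section (a cap on flash loan size, slowed-down transactions, rate limits), together with the same-transaction repayment rule, as an added Python model that is not code from any protocol mentioned here. The class names, the limits, and the reading of "slow down" as a one-block minimum deposit age are assumptions made for illustration.

```python
import copy

class Revert(Exception):
    """Aborts the transaction; every state change made in it is rolled back."""

class FlashLender:                       # hypothetical lender with a loan cap
    def __init__(self, liquidity, cap):
        self.liquidity, self.cap = liquidity, cap

    def flash_loan(self, amount, callback):
        if amount > self.cap:            # mitigation: capped flash loan size
            raise Revert("flash loan above cap")
        before = self.liquidity
        self.liquidity -= amount
        self.liquidity += callback(amount)   # callback returns what it repays
        if self.liquidity < before:      # must be whole again in the same tx
            raise Revert("not repaid within the transaction")

class GuardedMarket:                     # hypothetical lending market
    def __init__(self, min_age=1, block_limit=500_000):
        self.block, self.min_age, self.block_limit = 0, min_age, block_limit
        self.deposits = {}               # user -> (amount, block of last deposit)
        self.borrowed = {}               # block -> total borrowed in that block

    def deposit(self, user, amount):
        held = self.deposits.get(user, (0, 0))[0]
        self.deposits[user] = (held + amount, self.block)

    def borrow(self, user, amount):
        held, since = self.deposits.get(user, (0, self.block))
        if self.block - since < self.min_age:    # mitigation: slow down
            raise Revert("deposit too fresh")
        if self.borrowed.get(self.block, 0) + amount > self.block_limit:
            raise Revert("per-block borrow limit hit")   # mitigation: rate limit
        if amount > held:
            raise Revert("insufficient collateral")
        self.borrowed[self.block] = self.borrowed.get(self.block, 0) + amount

def run_tx(state, tx):
    """Run tx(state) atomically: on Revert, restore the pre-transaction snapshot."""
    snapshot = copy.deepcopy(state)
    try:
        tx(state)
        return "ok"
    except Revert as exc:
        state.clear()
        state.update(snapshot)
        return f"reverted: {exc}"
```

Because flash-loaned funds exist only inside one transaction, the minimum deposit age is the guard that stops them from ever counting as collateral, while an ordinary user who deposits in one block and borrows in the next is unaffected.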

Conclusion

Users need to understand the risks that come with the DeFi ecosystem and should always take certain precautions to stay safe from flash loan assaults. Also, it is immoral to take advantage of the ever-evolving DeFi ecosystem weaknesses to gain improper benefits. One should always act morally and responsibly. 


