Flash Loan Attacks: The Dark Side of DeFi
Flash loans, a feature offered by certain DeFi platforms, allow users instant cryptocurrency borrowing without collateral or credit checks. This facility, however, has become a tool for swindlers.
The swift and effortless process of obtaining substantial funds, provided they are returned within a stipulated period, draws in a multitude of traders, arbitrageurs, and unfortunately, hackers. While the former utilize the funds for asset price speculation, hackers deploy flash loans to exploit and pilfer cryptocurrencies from vulnerable third-party dApps..
DeFi app hacks involving unsecured loans are regarded as the least expensive and most elusive, making them a preferred choice for malefactors. Consequently, an entire genre of exploits has come to the fore, known as Flash Loan Attacks.
How does the flash loan attack infiltrate DeFi's defenses?
A hacker secures a flash loan from a DeFi application, often amounting to tens of millions of dollars. Their next steps are contingent on their strategy, tactics, vulnerabilities of the targeted victim, and the perpetrator's objectives.
The hacker could potentially manipulate the price of the borrowed asset on a specific exchange to their advantage by exploiting blockchain oracle shortcomings.
However, more often, hackers pinpoint defects and inaccuracies in the smart contract code that can be repurposed for pilfering digital assets. They require flash loans to leverage the services of a susceptible DeFi platform to bolster their initial deposit and steal funds. Post profit, the hacker returns the originally borrowed cryptocurrencies. Failure to do so would result in their loan being annulled, causing a disruption in the transaction history and sabotaging the entire plot. This sequence of events can transpire within a ten-minute window - or to be precise, the time it takes to form a block in the blockchain.
The most recent infamous attack using a flash loan took place in March 2023. This incident is a classic example of how such an exploit operates.
A hacker secured an instant loan of $30 million in DAI stablecoins from the Aave platform. They subsequently transferred $20 million in DAI as collateral to Euler Finance to borrow ten times their initial funds. They executed this move to leverage a vulnerability in the smart contract that allowed them to redirect all funds to their personal address.
Ultimately, around $200 million was siphoned off from the Euler Finance crypto lending platform, and its native EUL token nosedived by 45%. However, following the incident, protracted negotiations with the hacker commenced, accompanied by heartfelt pleas from platform users for the restitution of their funds. Euler Finance reported that the hacker not only reimbursed the losses but also tendered an apology.
How do DeFi platforms counter this?
Luckily, there are tools and preventative strategies that safeguard decentralized finance apps from significant financial loss. For instance, to prevent price manipulation on a DEX, a platform can set up an automatic algorithm that halts trading during times of low liquidity or unexpected rises or drops in price. If a hacker detects this kind of mechanism on the platform, they'll likely avoid using a flash loan to attack the trading platform.
The main defensive tools include:
- Control features that regulate access to certain platform functionalities;
- Utilizing trustworthy libraries and frameworks, such as OpenZeppelin, for the execution of smart contracts;
- Organizing audits of smart contracts through credible blockchain cybersecurity firms;
- Integrating various blockchain oracles to secure more precise pricing data.
In addition to these, DeFi platforms set restrictions on issuing flash loans and other borrowing-related services. Having these limitations can lessen the risk of flash loan attacks, as the prospect of manipulating large sums within a single transaction attracts hackers.
Temporarily blocking the use of cryptocurrencies following a loan issuance also deters perpetrators. In this case, one can examine the agreement details for suspicious nuances.
However, based on the frequency of flash loan attacks, it appears not all DeFi platforms are employing these countermeasures.