Which DeFi Projects Have Been Hit by Flash Loan Attacks?
Flash loans used to exploit smart contracts and price oracles of DeFi platforms are causing the decentralized finance sector to lose hundreds of millions of dollars annually. These incidents are commonly known as Flash Loan attacks.
For example, in 2021 alone, flash loans were the vehicle for siphoning off roughly $364 million from various dApps. This is possible primarily because flash loans can be issued in substantial amounts in a matter of minutes, without any collateral or hefty fees. The only requirement is to repay the debt swiftly (in the same block in which the loan was initiated); otherwise the loan is cancelled. While these loans carry significant risks, they are popular amongst traders and arbitrageurs, who use the funds for market speculation.
However, they also attract hackers, who see in them an unfettered opportunity to amass capital for market manipulation. Let's explore some of the most recent large-scale attacks on DeFi applications that made use of flash loans.
Euler Finance
In March 2023, the crypto lending platform fell victim to a malevolent actor who purloined $170 million in diverse cryptocurrencies and tokens. Remarkably, after a round of negotiations with the protocol team, almost all the looted funds were returned.
The attack was funded by a flash loan of 30 million DAI stablecoins taken from the DeFi platform Aave. These were deposited as collateral on the Euler Finance platform to secure a separate loan amounting to $200 million.
Next, the attacker exploited a loophole in the "Donate To Reserve" function of the Euler Finance smart contract. This function was intended to channel user funds into a reserve address. However, the intruder found that it did not check the liquidity of the borrowing user. The attacker was therefore able to deliberately leave their own account undercollateralized, which led the platform to liquidate their position along with the embezzled protocol funds.
Beanstalk
In April 2022, the DeFi protocol Beanstalk was also compromised. The total haul amounted to $181 million, but after accounting for flash loan costs and charitable donations, the raider ended up with $76 million. Interestingly, some of the purloined cryptocurrency was transferred to the Ukraine Crypto Donation wallet.
The malefactor took out a flash loan and used it as a deposit into the decentralized pool governing the Beanstalk project. They then used the "Emergency Commit" function in the smart contract to single-handedly vote through a proposal that moved funds to their address. This maneuver was possible because the substantial deposit gave them control of over 70% of the votes.
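The governance weakness described above is the use of live token balances as voting power. The following constructed Python model is an added illustration (not Beanstalk's code): it contrasts counting votes from current balances, which a deposit made in the voting transaction inflates, with counting them from a balance snapshot taken at an earlier block, which capital that must be repaid within one transaction cannot reach. All holder names, balances and the two-thirds threshold are constructed.

```python
# Constructed model of token-weighted governance (added example, not Beanstalk's
# code). It contrasts counting votes from live balances, which a deposit made in
# the voting transaction inflates, with counting them from a balance snapshot
# taken at an earlier block, which capital borrowed for one transaction cannot reach.
from dataclasses import dataclass, field


@dataclass
class Governance:
    balances: dict                       # holder -> governance tokens held now
    block: int = 0
    snapshots: dict = field(default_factory=dict)   # block -> copy of balances at its end

    def end_block(self) -> None:         # freeze balances as of this block, advance the chain
        self.snapshots[self.block] = dict(self.balances)
        self.block += 1

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def share_live(self, who: str) -> float:        # weak: reads the current block's balances
        return self.balances.get(who, 0) / sum(self.balances.values())

    def share_at(self, who: str, snapshot_block: int) -> float:  # hardened: reads a past snapshot
        snap = self.snapshots[snapshot_block]
        return snap.get(who, 0) / sum(snap.values())


SUPERMAJORITY = 2 / 3   # threshold for an emergency proposal to pass (constructed)


def demo() -> dict:
    gov = Governance(balances={"alice": 600, "bob": 400})   # constructed token holders
    gov.end_block()                       # block 0 closes; snapshot recorded
    gov.deposit("newcomer", 3_000)        # large deposit in the same block as the vote
    live = gov.share_live("newcomer")     # 3000 / 4000
    snapped = gov.share_at("newcomer", snapshot_block=0)   # 0 / 1000
    return {"live_share": live, "live_passes": live >= SUPERMAJORITY,
            "snapshot_share": snapped, "snapshot_passes": snapped >= SUPERMAJORITY}
```

A snapshot taken before the proposal is opened, combined with a delay between the vote and its execution, is the usual pairing: a balance that exists only for the span of one transaction never appears in any snapshot.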
Cream Finance
Cream Finance suffered a significant security breach in October 2021, leading to a loss of $130 million. The attack was carried out from two distinct addresses. The attackers initially secured flash loans in YUSD stablecoins through third-party apps. Following this, they exploited a vulnerability within Cream Finance's decentralized storage calculation logic, which allowed them to double their deposit and then extract it.
Overall, the culprits borrowed roughly $1.5 billion in crypto. However, due to the storage glitch, this was recorded as $3 billion in pledged digital assets on the platform. Some of these funds were used to repay the flash loans, but the remaining collateral on Cream Finance (approximately $1 billion) was used to siphon off $130 million in various cryptocurrencies.
Fei Protocol
Fei Protocol was targeted in April 2022, resulting in an overall loss of about $80 million. The platform's DeFi pools were the target of the breach. As in the previous incidents, the hacker used a flash loan to fund the exploitation of the vulnerable platform.
The attacker exploited a flaw in the smart contract function governing borrowing, and the platform's inadequate security controls allowed the attack to be repeated. The problem with Fei Protocol was that, once the initial deposit was made, the hacker was granted almost limitless borrowing access. The attacker quickly transferred all the borrowed ETH and other tokens to their address before the protocol's records could reflect that the debt would not be repaid.
Pancake Bunny
The Pancake Bunny protocol fell prey to an exploit in May 2021. A hacker manipulated the data of the internal oracle responsible for the pricing on the platform. The malefactor carried out eight transactions, which netted him wrapped BNB tokens worth $45 million.
The culprit obtained a substantial loan of BNB tokens through the Pancake Swap exchange and proceeded to manipulate the USDT/BNB and BUNNY/BNB rates on the Pancake Bunny platform. As a result of such manipulations, the price of the protocol's own BUNNY token plummeted by 95%.
The attack was possible because the Bunny Protocol calculated swap values without relying on external blockchain oracles, which provide independent reference prices. Relying solely on internal price data is a well-known weakness in DeFi.
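To make the oracle weakness concrete, here is an added constructed Python model (not Pancake Bunny's or any real protocol's code) of a constant-product pool whose own reserves serve as its price feed. It shows how far a single oversized trade moves the spot price within one block, and a defensive check, a time-weighted average of earlier block-closing prices with a deviation bound, that rejects the distorted reading. The pool sizes, trade size and 5% bound are constructed figures.

```python
# Constructed model of an AMM whose own reserves act as its price oracle (added
# example, not Pancake Bunny's or any real protocol's code). It shows why a spot
# price read from pool reserves can be distorted within one transaction, and a
# defensive check (TWAP over earlier blocks plus a deviation bound) that rejects it.
from dataclasses import dataclass, field


@dataclass
class Pool:
    base: float    # reserve of the priced asset (think BNB)
    quote: float   # reserve of the pricing asset (think USDT)
    history: list = field(default_factory=list)  # block-closing prices

    def spot(self) -> float:  # instantaneous quote-per-base price, straight from reserves
        return self.quote / self.base

    def end_block(self) -> None:  # record the block-closing price; only these feed the TWAP
        self.history.append(self.spot())

    def swap_in_quote(self, amount: float) -> float:  # constant-product x*y=k, fee omitted
        k = self.base * self.quote
        out = self.base - k / (self.quote + amount)
        self.quote += amount
        self.base -= out
        return out


def twap(pool: Pool, window: int = 10) -> float:
    """Average of the last `window` block-closing prices; trades in the current block cannot move it."""
    if not pool.history:
        raise ValueError("no price history recorded")
    recent = pool.history[-window:]
    return sum(recent) / len(recent)


def spot_is_trustworthy(pool: Pool, max_deviation: float = 0.05) -> bool:
    """Defensive check: accept the spot price only if it lies within max_deviation of the TWAP."""
    reference = twap(pool)
    return abs(pool.spot() - reference) / reference <= max_deviation


def demo() -> dict:
    pool = Pool(base=10_000.0, quote=3_000_000.0)  # 300 quote per base (constructed figures)
    for _ in range(5):                             # five calm blocks of history
        pool.end_block()
    before = pool.spot()
    pool.swap_in_quote(3_000_000.0)                # one oversized same-block trade
    after = pool.spot()                            # reserves now 5_000 base / 6_000_000 quote
    return {"spot_before": before, "spot_after": after,
            "twap": twap(pool), "guard_rejected": not spot_is_trustworthy(pool)}
```

A contract that valued collateral or rewards at the post-trade spot price would overpay fourfold in this scenario, while the TWAP-based check flags the reading and a protocol can fall back to an external oracle or pause the operation.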
Aside from the DeFi applications mentioned above, many other projects have suffered losses due to flash loan attacks, including Alpha Finance ($37 million), Spartan Protocol ($30 million), Xtoken ($24 million), Elephant Money (~$22 million), bEarn ($18 million) and Saddle Finance ($11 million).