Tue. Nov 5th, 2024

Introduction

Blockchain is a complex financial system that makes decentralized finance (DeFi) possible. The invention of the blockchain has paved the way for several types of DeFi protocols that are faster, better, and easier to use.

Lending protocols are among the most utilized types of DeFi applications. However, there are risks associated with lending protocols, such as Flash Loan Attacks. This article discusses Flash Loan Attacks and how to avoid them.

What is a DeFi Lending Protocol?

For most people, the first exposure to any type of lending service comes through banks and other financial corporations. The custom of borrowing money from individuals has become very rare because centralized banking is safer and more humane.

However, to apply and get approved for a loan from any bank, a user has to go through a rigorous screening process and a mountain of documentation. DeFi has therefore made way for applications that allow people to borrow and lend money without having to deal with the delay and other obstacles.

How does a DeFi Lending Protocol Work?

The DeFi Lending Protocols are essentially decentralized applications. It is important to note that there are five layers of DeFi namely the settlement layer, asset layer, protocol layer, application layer, and aggregation layer.

DeFi lending protocols can be categorized in the application layer. They are decentralized applications that allow users to offer loans or borrow funds to make profits from their crypto trading ventures.

Most DeFi protocols operate on a peer-to-peer (P2P) basis, meaning that they enable lenders and borrowers to transact with each other. P2P protocols match lenders and borrowers based on their requirements such as interest rates, total borrowing amount, collateral, loan duration, and others.

Some lending protocols also offer to lend from liquidity pools, automated market makers, and other DeFi pools made of a mixture of different cryptocurrencies.

What is a Flash Loan?

Flash Loans, or Atomic Loans, are a unique method of lending that is exclusive to DeFi markets. They are a type of lending in which users can make massive lending transactions in a matter of seconds or minutes. The purpose of this type of lending is to allow users to generate profits from minor changes in cryptocurrency prices.

Flash Loans are a very intricate method of borrowing funds. They are not only instant but also considerably easier to process in comparison to the typical DeFi loans. Furthermore, unlike regular loans, Flash Loans are wholly uncollateralized.

They are unsecured loans that do not require critical checks such as credit scores, background verification, user authentication, etc. They are carried out using smart contracts and are fully automated. A Flash Loan requires the payback amount to be confirmed before the transaction cycle starts.

How do Flash Loans Work?

At first glance, it can seem that Flash Loans carry a massive amount of risk because they are essentially unsecured. However, it is important to note that in terms of user safety, Flash Loans are one of the safest ways to conduct a DeFi transaction. Flash Loans are secure because they are performed by a smart contract only if the required conditions are met.

The user of the Flash Loan protocol has to submit the loan transaction from start to finish in advance. The smart contract will process the data and only carry out the transaction if the input data is similar to the expected output. If the output differs from the expectation, the smart contract will process the Flash Loan but then reverse it back to the first stage.
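The all-or-nothing behaviour described above can be modelled in a few lines. This is an added example, not code from the article or from any lending protocol; the `Pool` class, the fee, and both strategies are hypothetical.

```python
import copy

class Revert(Exception):
    """Aborts the transaction, as a failed on-chain check would."""

class Pool:
    """Toy lending pool (hypothetical); balances are integer token units."""
    FEE_BPS = 9  # constructed fee: 0.09% of the borrowed amount

    def __init__(self, liquidity):
        self.balances = {"pool": liquidity}

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def flash_loan(self, borrower, amount, strategy):
        """Lend, run the borrower's steps, then require principal + fee.
        Any failure restores the state captured before the loan."""
        snapshot = copy.deepcopy(self.balances)
        owed = amount + amount * self.FEE_BPS // 10_000
        required = self.balances["pool"] + owed - amount
        try:
            self.transfer("pool", borrower, amount)
            strategy(self, borrower, owed)
            if self.balances["pool"] < required:
                raise Revert("loan not repaid in full")
        except Revert:
            self.balances = snapshot   # every step is undone, loan included
            return False
        return True

def repaying_strategy(pool, who, owed):
    pool.balances[who] += 50           # constructed: profit earned elsewhere
    pool.transfer(who, "pool", owed)   # principal + fee returned in the same call

def defaulting_strategy(pool, who, owed):
    pool.transfer(who, "elsewhere", 10_000)  # funds moved away, nothing repaid

def run(strategy, amount=10_000):
    pool = Pool(liquidity=1_000_000)
    ok = pool.flash_loan("borrower", amount, strategy)
    return ok, pool.balances

if __name__ == "__main__":
    print(run(repaying_strategy))
    print(run(defaulting_strategy))
```

The defaulting run ends with the pool exactly as it started, which is why the lender carries no default risk even without collateral.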

There are some DeFi protocols like Arbitrage that let users take out Flash Loans and earn profits through several crypto exchanges.

Origin of Flash Loans

The first Flash Loan was introduced by The Marble Protocol in 2019. It was a DeFi lending application built on the Ethereum blockchain. The concept introduced by Marble Protocol was to offer a smart banking option for risk-free lending using smart contracts.

Marble developers worked on solving the two major issues connected to the traditional loaning process. The first was the risk of borrowers defaulting on their credit, and the second was the insufficient liquidity available from the lender.

If an established lender is unable to receive several important loan payables on time, it can run out of the reserves that keep it operational, which threatens to put it out of commission due to a temporary or permanent loss of liquidity.

Flash Loans introduced by Marble Protocol addressed both these issues by mandating that the full loan cycle be calculated beforehand. Every Flash Loan is completed in one full transaction cycle rather than in two steps of first lending and then waiting for the interest payments and the main loaned amount in installments.

Flash Loans are limited to DeFi lending protocols such as AAVE; centralized cryptocurrency exchanges cannot offer them because they take place directly on the blockchain.

What is a Flash Loan Attack?

Flash Loans have eliminated several issues connected to the regular lending process. However, they are still susceptible to some risks, and one of the most common drawbacks associated with Flash Loans is Flash Loan Attacks. A Flash Loan Attack is a hack or exploit carried out by triggering a load of flash loan requests against the targeted smart contract.

Flash Loan Attacks are considerably common because they do not require any type of collateral and they take place on DeFi layers, meaning that users can access them without the hassle of account verification or any type of screening.

How do Flash Loan Attacks Work?

It has been mentioned earlier that Flash Loans are processed using smart contracts. It is important to note that smart contracts are automation programs that are designed to carry out commands if the required conditions are met. To perform a Flash Loan, the user must enter all the details of the complete transaction including the loaning amount and the total payable.

This data is fed to the smart contract so that it can work out whether the transaction will generate the same outcome. The smart contract can make these calculations in a matter of microseconds, and it will only process the Flash Loan if the outcome matches the anticipated results.

Otherwise, the smart contract declines the request or reverses the transaction. The attackers carry out this attack by borrowing a massive loan from a Flash Loan protocol and manipulating the price of the borrowed cryptocurrencies on decentralized exchanges to sell them and generate massive profits.

It can look like a complex and sophisticated form of the pump and dump method. The attackers may incite a sell-off to drop the price of a targeted currency or fake supply drainage to artificially inflate prices depending on their Flash Loan attack requirements.

The Most Notorious Flash Loan Attacks of All Time

Here are some of the biggest Flash Loan Attacks recorded in the DeFi sector since its inception in 2019:

PancakeBunny Flash Loan Attack

PancakeBunny is a yield farming aggregator protocol running on the Binance Smart Chain. The Flash Loan attack on this protocol took place in 2021. The perpetrator took advantage of a technical exploit that allowed them to drive down the price of its native token by 95%. The attackers started by borrowing a massive amount of BNB using PancakeSwap.

They used the borrowed funds to manipulate the prices of the USDT and BUNNY token pairs with BNB in the PancakeBunny pools. In this manner, they were able to exchange their BNB for a massive amount of BUNNY tokens. In the last stage, the hackers dumped the BUNNY tokens, causing a massive price crash, and settled their Flash Loan through PancakeSwap.

According to careful estimates, the hackers made around $3 million and destroyed the PancakeBunny protocol permanently.

Cream Finance

CREAM Finance is a decentralized lending protocol that has been targeted by hackers on several occasions. The Flash Loan Attack took place on this DeFi application in 2021 and resulted in hackers getting away with $130 million in exploits.

Hackers invaded the protocol by discovering a loophole that connects Cream Finance with its sister protocol called Yearn Finance. The hackers proceeded to carry out a series of hefty flash loans to manipulate the oracle and, through it, the prices of their intended cryptocurrencies.

Therefore, the losses generated from this attack were also registered on-chain and hackers are still at large. However, the devs at Yearn Finance were able to patch the issue to prevent any further damage.

Alpha Homora

The Alpha Homora Flash Loan attack took place in 2021. The hackers in this instance also exploited the Iron Bank option offered by Cream Finance. They carried out a series of Flash Loans and forced Alpha Homora to apply for liquidity using Iron Bank. Hackers kept generating these flash loans until they had collected a sizable amount of CreamY USD, or cyUSD. This attack consisted of many layers and stages.

The hackers were able to manipulate the sUSD pool of HomoraBank v2. They were able to exploit the lending coordination between the Iron Bank and HomoraBank v2. They generated $37 million by taking advantage of a rounding error in the lending smart contracts.

dYdX

dYdX is a DeFi lending protocol, and it has also been subjected to one of the biggest Flash Loan attacks in recorded history. The attackers carried out their heist in 2020. They took out massive loans from dYdX and divided them between two trading protocols, namely Compound and Fulcrum.

The first phase of the attack involved exchanging ETH into WBTC tokens using Uniswap. Hackers picked Uniswap intentionally because the low liquidity of WBTC in that protocol had inflated its prices.

The next stage of the attack happened on Compound, where hackers also took out a WBTC loan. Since the price of the said cryptocurrency was already shooting high on account of the decreasing liquidity on the Uniswap DEX, the attackers quickly converted their WBTC stash and generated massive funds illegally.

ApeRocket Incident

Another noteworthy Flash Loan Attack took place on the ApeRocket yield farming protocol. This incident took place in 2021 on the BSC network and Polygon fork. Threat actors carried out two flash loan attacks using AAVE and PancakeSwap with a time difference of a few hours.

They started by borrowing a sizeable portion of CAKE and AAVE and storing their funds within the lending protocol. Later, a massive amount of tokens were sent to the protocol value resulting in minting an aggressive number of native tokens.

Eventually, hackers dumped these tokens. This attack resulted in a 63% price crash for SPACE and ApeRocket tokens. Hackers got away with $1.26 million but the protocol issued a detailed plan to compensate the users who suffered from losses on account of these Flash Loans.

Are Flash Loan Attacks Common in DeFi?

Many cryptocurrency investors will have heard the idea that Flash Loan Attacks are pretty common in the DeFi sector. Some accept it as a genuine concern associated with DeFi lending protocols, while others dismiss it as FUD. The fact of the matter is that Flash Loan Attacks have been classified as one of the easiest modes of DeFi exploits. When hackers take out Flash Loans, they do not have to make a lot of preparations and do not need to recruit many threat actors to carry out the attack.

On the other hand, Flash loans are uncollateralized so there is no need for submitting collateral that can serve as an escrow or warranty against foul play or a possibility of loan default.

Hackers who have enough technical knowledge, time, and a working internet connection can carry out these attacks at any time. The only hurdle in carrying out a successful flash loan attack is careful calculation and planning of all steps.

However, the execution time spans from mere seconds to a few minutes, and the reward of the exploit is often massive. This is because Flash Loans generate mega profit margins by investing heavily. Additionally, Flash Loans are very low-risk.

There are usually no consequences for the hackers because these activities take place in a DeFi environment, which falls outside of regulatory protection. To date, no Flash Loan attackers have reportedly been apprehended by law enforcement or private cyber security firms. Hackers can cash out their loot using privacy cash-washing protocols such as Tornado Cash.

How to Avoid Flash Loan Attacks

Flash Loans are a great method for generating quick profits without exposure to financial risks. Cryptocurrency investors who wish to avoid Flash Loan attacks can use the following methods to protect themselves:

Decentralized Oracle Adoption

Oracles are like sensors that feed information from the outside world to a blockchain protocol. The DeFi platforms that have adopted reliable oracle protocols such as Chainlink are safe from the threat of Flash Loan attacks.

In most cases, hackers try to manipulate the prices of a given cryptocurrency in a targeted DeFi protocol by taking out massive loans or flooding it with a given token. However, if the DeFi protocol can keep confirming the real prices of a given cryptocurrency using oracle platforms, it is less prone to such exploit attempts.

After suffering from a massive Flash Loan Attack, Alpha Homora has now launched Alpha Oracle Aggregator to prevent such events in the future.
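The oracle defence described in this section can be sketched as a price check that refuses to act when a single pool's price disagrees with an aggregated reference. This is an added example, not code from the article, Chainlink, or Alpha Homora; the constant-product pool model, the feed values, and the 5% threshold are assumptions.

```python
from statistics import median

class AmmPool:
    """Toy constant-product pool (token * usd = k); a hypothetical model."""
    def __init__(self, token_reserve, usd_reserve):
        self.token, self.usd = token_reserve, usd_reserve

    def spot_price(self):
        return self.usd / self.token

    def swap_usd_for_token(self, usd_in):
        k = self.token * self.usd
        self.usd += usd_in
        token_out = self.token - k / self.usd
        self.token -= token_out
        return token_out

MAX_DEVIATION = 0.05  # assumed policy: reject prices more than 5% off reference

def reference_price(feeds):
    """Median of independent feeds: one skewed source cannot move it."""
    return median(feeds)

def safe_price(pool, feeds, max_dev=MAX_DEVIATION):
    """Return the price to use for valuation, or raise when the pool's spot
    price has drifted too far from the aggregated reference."""
    ref = reference_price(feeds)
    spot = pool.spot_price()
    deviation = abs(spot - ref) / ref
    if deviation > max_dev:
        raise ValueError(
            f"spot {spot:.2f} deviates {deviation:.0%} from reference {ref:.2f}")
    return ref

def demo():
    pool = AmmPool(token_reserve=10_000, usd_reserve=1_000_000)  # spot = 100
    feeds = [99.8, 100.1, 100.3]         # constructed off-pool price reports
    normal = safe_price(pool, feeds)     # pool and reference agree
    pool.swap_usd_for_token(1_000_000)   # one loan-sized trade in a thin pool
    skewed = pool.spot_price()
    try:
        safe_price(pool, feeds)
        blocked = False
    except ValueError:
        blocked = True                   # protocol declines to use the price
    return normal, skewed, blocked

if __name__ == "__main__":
    print(demo())
```

A protocol that read `spot_price()` directly would value the token at four times its market price for the duration of that transaction; the guarded path rejects the reading instead.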

Two Block Transactions

A DeFi analytics firm called Dragonfly Research has suggested requiring every flash loan transaction to be processed across two blocks as a preventive measure. This method is not a foolproof way to prevent Flash Loan Attacks and is susceptible to design flaws.

On the other hand, hackers may also launch a flash loan attack on both designated blocks to counter this measure. This method can also disable synchronous transactions and change the user interface of the DeFi protocols drastically.

Flash Loan Attack Detection Tools

There are also some dedicated detection tools developed by blockchain developers to intercept flash loans. One of the major risks associated with Flash Loan Attacks is that in most cases, the users and developers are not able to sense them until they have already been completed.

However, there are some early detection tools like OpenZeppelin Defender. It is designed to reveal any attempt to exploit smart contracts and to report every unusual activity. In case of detection, the affected smart contract can reverse or block the suspicious activity and neutralize the attack.
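A monitoring rule of the kind such tools apply can be expressed as a correlation over per-transaction events: a large flash loan and a sharp pool price move inside the same transaction. This is an added example, not OpenZeppelin Defender's API or rule set; the event schema, transaction ids, and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed event records, as an indexer might emit them (fields hypothetical).
EVENTS = [
    {"tx": "0xaaa", "type": "flash_loan", "amount_usd": 2_000_000},
    {"tx": "0xaaa", "type": "swap", "pool": "TOKEN/USD",
     "price_before": 100.0, "price_after": 400.0},
    {"tx": "0xaaa", "type": "swap", "pool": "TOKEN/USD",
     "price_before": 400.0, "price_after": 101.0},
    {"tx": "0xbbb", "type": "flash_loan", "amount_usd": 50_000},
    {"tx": "0xbbb", "type": "swap", "pool": "TOKEN/USD",
     "price_before": 100.0, "price_after": 100.4},
    {"tx": "0xccc", "type": "swap", "pool": "TOKEN/USD",
     "price_before": 100.0, "price_after": 130.0},
]

def flag_transactions(events, min_loan_usd=1_000_000, max_move=0.10):
    """Alert on transactions that combine a large flash loan with a pool
    price move above max_move. Either signal alone is not flagged."""
    by_tx = defaultdict(list)
    for event in events:
        by_tx[event["tx"]].append(event)

    alerts = []
    for tx, group in by_tx.items():
        loan = sum(e["amount_usd"] for e in group if e["type"] == "flash_loan")
        moves = [
            abs(e["price_after"] - e["price_before"]) / e["price_before"]
            for e in group if e["type"] == "swap"
        ]
        worst = max(moves, default=0.0)
        if loan >= min_loan_usd and worst > max_move:
            alerts.append(
                {"tx": tx, "loan_usd": loan, "max_price_move": round(worst, 4)})
    return alerts

if __name__ == "__main__":
    for alert in flag_transactions(EVENTS):
        print(alert)
```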

Conclusion

Flash Loan Attacks are increasing. On the other hand, the unique method of carrying out flash loans to make instant profits with zero-risk exposure has also gained popularity among investors. Rather than turning away from this incredible opportunity, investors can adopt the preventive measures mentioned above to arm themselves against hackers.

It is best to choose DeFi protocols that have a proven track record and a solid technical team with a history of regular technical audits to avoid exposure to Flash Loan Attacks and other exploits.

Christian Klausen


Christian Klausen is a talented news writer renowned for his compelling storytelling and comprehensive research. With a sharp eye for detail, his articles offer readers a thought-provoking and well-informed perspective on a wide range of current topics.
