What are flash loans in DeFi?

Published at: Jan. 22, 2022

How can DeFi systems protect themselves from flash loan attacks?

A large majority of DeFi hacks are flash loan attacks. Since the technology is new, vulnerabilities are not readily apparent and may require skilled developers to identify. 

Flash loan attacks can cost DeFi protocols and their users hundreds of millions. As such, safeguards must be put into place to ensure that a protocol is robust and sanitized.

Although DeFi systems are vulnerable to attacks, there are several preventive measures they can take to protect themselves:

Decentralized pricing oracles to protect against slippage

Contracts are left vulnerable to manipulation and exploitation when they perform their own calculations of a particular token’s value or trading pair value internally. 

As such, flash loan attack risks can be mitigated by using decentralized pricing oracles such as Chainlink and Band Protocol to fetch price feeds. By doing this, instead of relying on singular DEX platforms, DeFi systems can avoid becoming vulnerable to arbitrage scams.

Smart contracts may continue updating their prices based on the supply and demand of various tokens within their market. However, the price ranges should also be limited in reference to external values. When smart contracts work this way, it is much more difficult for attackers to create slippage and make attacks profitable.
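The price-band check described above, as an added example that is not from the original article or from any protocol's code: an off-chain Python model in which a contract accepts its own pool price only while it stays within a tolerance of an external reference feed. The pool model, the 200 bps tolerance and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

BPS = 10_000  # basis points in 100%


class PriceDeviationError(Exception):
    """Pool price is outside the allowed band around the reference feed."""


@dataclass
class ConstantProductPool:
    """Constructed x*y=k pool model (no fees); not any real DEX's code."""
    reserve_token: int  # units of the token being priced
    reserve_quote: int  # units of the quote asset

    def spot_price(self) -> float:
        return self.reserve_quote / self.reserve_token

    def swap_quote_for_token(self, quote_in: int) -> int:
        """Sell quote asset into the pool; returns the tokens paid out."""
        k = self.reserve_token * self.reserve_quote
        new_quote = self.reserve_quote + quote_in
        new_token = -(-k // new_quote)  # round up so k never decreases
        token_out = self.reserve_token - new_token
        self.reserve_token, self.reserve_quote = new_token, new_quote
        return token_out


def deviation_bps(spot: float, reference: float) -> float:
    return abs(spot - reference) / reference * BPS


def guarded_price(pool, reference: float, max_dev_bps: int = 200) -> float:
    """Return the pool price only if it is within max_dev_bps of the
    external reference (assumed to be an aggregated oracle value)."""
    if reference <= 0:
        raise PriceDeviationError("reference feed unavailable")
    spot = pool.spot_price()
    dev = deviation_bps(spot, reference)
    if dev > max_dev_bps:
        raise PriceDeviationError(f"spot {spot:.2f} is {dev:.0f} bps off reference")
    return spot


if __name__ == "__main__":
    pool = ConstantProductPool(1_000, 100_000)  # constructed: spot = 100.0
    pool.swap_quote_for_token(500)              # ordinary-sized trade
    print("accepted:", guarded_price(pool, 100.0))
    pool.swap_quote_for_token(50_000)           # outsized single trade
    try:
        guarded_price(pool, 100.0)
    except PriceDeviationError as err:
        print("rejected:", err)
```

A price skewed within one transaction is refused instead of being used for valuation, while ordinary supply-and-demand movement inside the band still passes.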

Tools for detecting possible attacks

DeFi platforms can use tools that minimize the possibility of attacks by detecting unusual activity, along with smart contract bugs and exploits. 

As such, defenses can be put in place even before an attack is launched. 

It is also vital for platforms to conduct security audits to address vulnerabilities before launching a smart contract. This would require reviewing the smart contract’s code for any weaknesses and addressing them even before the attacker has an opportunity to use it against the platform and its users.

Why do flash loan attacks occur in DeFi?

Flash loan attacks are common because they are the easiest and quickest to pull off. 

This is because the protocols associated with flash loans are not yet foolproof against new attacks and manipulations. With transactions happening in mere seconds, hackers can attack multiple markets in one go. 

The most common flash loan attacks in DeFi are fake arbitrage opportunities, which we mentioned above. In a flash loan attack, an attacker creates an arbitrage opportunity by modifying the relative value of a trading pair of tokens. This can be done by using their loaned tokens to flood a contract and create slippage.

What are flash loan attacks?

Flash loans are relatively new technology and, therefore, prone to attacks by hackers and malicious users who try to game the system and use it to their advantage. 

In a flash loan attack, a borrower can trick the lender into believing that the loan has been repaid in full, even if it has not.

Technically, the thief poses as a borrower and takes out a flash loan from a lending protocol. The protocol is then used to manipulate the market and trick lenders. In some cases, attackers create arbitrage opportunities to exploit vulnerable smart contracts. This way, the attackers can purchase tokens for cheap or sell them at higher prices to exploited contracts.

Uses of flash loans

Flash loans are used in DeFi protocols, which are based on the Ethereum Network and Binance Smart Chain. 

Aside from Aave flash loans, dYdX flash loans, DEX flash loans and Uniswap flash loans have also risen in popularity. On Uniswap, for example, “flash swaps” allow users to withdraw or take back Ethereum-based tokens paired with other tokens. 

While they may have been originally designed for developers, as of August 2020, flash loans without coding are easily accessible to less tech-savvy users. The credit for this goes to platforms like Furucombo and DeFi Saver, among others, who eliminated the need for technical coding skills.

Flash loans can be used for the following:

Flash loan arbitrage

One way for traders to make money is by pinpointing price discrepancies across various exchanges. 

For example, if two markets price a cryptocurrency differently, a trader can use a flash loan. The trader can call separate smart contracts to purchase and sell from both markets, making a profit from the price discrepancy between the two. 

Collateral swaps

This involves a quick swap of the collateral backing a user’s loan for another type of collateral. 

Collateral swaps enable DeFi users to switch the collateral that they used to take out a flash loan on a lending app. For example, if a trader used their Ethereum (ETH) as collateral on one platform, they can then take out a flash loan to repay the previous loan and withdraw their Ethereum (ETH).

Debt refinancing

Aside from collateral swaps, flash loans can also be used for “interest rate swaps.” 

Aave cites an example on their blog:

1. Borrow assets from Aave liquidity
2. Payback debt on Compound
3. Withdraw collateral from Compound
4. Deposit collateral on Dydx
5. Mint debt on Dydx
6. Return liquidity to Aave

How do flash loans work?

Simply put, in a flash loan, funds are borrowed and returned within seconds and in a single transaction. 

The smart contract sets out the terms and performs instant trades on the borrower’s behalf using the loaned capital. If the flash loan yields a profit, it is typically charged a fee of 0.09%. 

On a platform such as Aave, this is how flash loans typically work:

1. The borrower applies for a flash loan on Aave.
2. The borrower creates a logic of exchanges to try making a profit, such as sales, DEX purchases, trades, etc.
3. The borrower repays the loan, makes a profit, and pays a 0.09% fee.

If any of the following conditions occur, the transaction is reversed, and the funds are returned to the lender:

- The borrower does not repay the capital
- The trade does not lead to a profit

The above conditions suggest that what was laid out in the smart contract wasn’t met. As such, the funds are returned to the lender instantaneously. Theoretically speaking, flash loans are a low-risk option for both the borrower and the lender. Flash loans are typically seen as an easy, low-risk way to play with liquidity.
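The repay-or-revert rule described above, as an added example that is not from the original article or from Aave's contracts: a Python model of a lender that snapshots its ledger, hands out the loan, runs the borrower's logic, and restores the snapshot unless principal plus the 0.09% fee comes back. The ledger layout, the `strategy` callback and all names are assumptions made for illustration.

```python
FEE_BPS = 9  # 0.09% fee, the figure the article gives


class Reverted(Exception):
    """Signals that the whole transaction must be undone."""


class FlashLender:
    """Constructed single-asset ledger; balances are integer token units."""

    def __init__(self, liquidity: int):
        self.balances = {"pool": liquidity}

    def flash_loan(self, borrower: str, amount: int, strategy) -> bool:
        snapshot = dict(self.balances)      # state before the transaction
        fee = amount * FEE_BPS // 10_000
        try:
            if amount > self.balances["pool"]:
                raise Reverted("insufficient liquidity")
            # Step 1: lend the capital without collateral.
            self.balances["pool"] -= amount
            self.balances[borrower] = self.balances.get(borrower, 0) + amount
            # Step 2: the borrower's own logic runs inside the transaction.
            strategy(self.balances, borrower)
            # Step 3: principal plus fee must be available now, not later.
            owed = amount + fee
            if self.balances.get(borrower, 0) < owed:
                raise Reverted("loan plus fee not repaid")
            self.balances[borrower] -= owed
            self.balances["pool"] += owed
            return True
        except Reverted:
            self.balances = snapshot        # as if the loan never happened
            return False


if __name__ == "__main__":
    def profitable(bal, who):  # hypothetical trades that net +500 units
        bal[who] += 500

    def losing(bal, who):      # hypothetical trades that lose 1,000 units
        bal[who] -= 1_000

    lender = FlashLender(1_000_000)
    print(lender.flash_loan("alice", 100_000, profitable), lender.balances)
    print(lender.flash_loan("bob", 100_000, losing), lender.balances)
```

The lender's only protection is the final balance check; the model makes visible that nothing constrains what the borrower's logic does with the capital in between.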

Can you make money with flash loans?

Aave recommends having a good grasp of Ethereum, programming and smart contracts to make the most out of flash loans. Ideally, you can make money with flash loans, provided you do not fall prey to flash loan attacks. It would help if you thoroughly researched the protocols you want to borrow from and trade with, as well.

What are flash loans?

Similar to traditional loans, flash loans are expected to be paid back in full eventually. However, there are also marked differences.

In typical lending processes, a borrower borrows money from a lender. The amount is expected to be paid back in full eventually, with interest, depending on the terms discussed between the lender and the borrower.

Flash loans operate on a similar framework but have some unique terms and premises:

Use of smart contracts

A smart contract is a tool used in most blockchains to ensure that funds do not change hands until a specific set of rules is met.

When it comes to flash loans, the borrower is required to repay the full amount of the loan before the completion of the transaction.

If this rule is not followed, the transaction is reversed by the smart contract and the loan is nullified as if it never took place at all. 

Unsecured loan

Unlike a traditional loan, a flash loan is an unsecured loan, meaning no collateral is needed. 

However, this does not imply that the flash loan lender does not get their money back in case of non-payment. In a traditional loan, collateral is typically put up to ensure that the lender receives the money back in the event of non-payment.

Flash loans, however, happen within a very short timeframe (usually a few seconds or minutes). This means that while no collateral is needed, the borrower must return the full amount they borrowed right away.

Instantaneous transactions

As opposed to longer processes for traditional loans, flash loans are processed faster, thanks to smart contracts. 

Getting a traditional loan approved usually is a long process. A borrower must submit documents, wait for approval, and pay the loan back in agreed increments within a stipulated period that may run into days, months or years. 

On the other hand, a flash loan is expedited in an instant, which means that the loan’s smart contract must be fulfilled during the transaction for which it’s lent out. Therefore, the borrower is required to call on other smart contracts, using the loaned capital to perform instant trades. 

The kicker: All this must be done in a few seconds before the transaction ends. Hence, the name: flash loans.

How did flash loans originate?

Unlike normal loans, flash loans do not require a borrower to provide typical requirements such as proof of income, reserves, or collateral. 

While that may sound favorable to the borrower, there are pros and cons. Decentralized finance (DeFi) protocols have contributed to the popularity of flash loans. And most of these are on the Ethereum network.

Aave, an Ethereum lending platform, introduced the idea of flash loans in 2020. As such, the concept remains relatively new and still has a lot of issues to fix. According to Aave, flash loans have “no real-world analogy” and are “an advanced concept aimed at developers.” 

In this article, we’ll be discussing the basics of so-called DeFi flash loans, as well as the safety issues and use cases typically associated with them. Let’s dive in.
