A flash loan or flash loan is nothing more than a scheduled loan on a DeFi-protocol, capable of offering a provision of funds to users without them needing to provide a guarantee (neither in cryptocurrencies nor of any kind) for the funds that are lent to them. The Defi protocol provides the user with access to some funds so that they can use them and return them to the protocol in the same operation, including the corresponding commissions.
In blockchain this is possible because there is the possibility of programming a transaction so that it borrows funds, mobilizes them for different smart contracts of other protocols, the relevant exchange operations are carried out, and, at the end of that same transaction, the loan money and its commissions are reintegrated into the initial protocol while the user withdraws with his earnings.
The crucial thing to note is that everything is done in a single operation, instantly, and all of it is registered in the same block of the blockchain where it is registered.
This idea arose thanks to the project AAVE, which designed this function in order to allow its users to access the liquidity of the protocol to carry out quick operations. In this way, the use of these fast operations is encouraged, which basically allowed them to do two things:
- Maintain liquidity in your protocol for regular operations of your protocol (loans and exchanges).
- Allow a new model of fast loans, which does not affect the real liquidity of its DeFi protocol.
How Does A Flash Loan Work?
Now, How is it possible for AAVE to reach both points with flash loans? Well, the first case is easy to understand.
Think that every time a liquidity provider enters tokens into the AAVE protocol, that pool where it participates increases its liquidity (for example, adding ETH/USDT to AAVE). When the LP performs that operation, we can quickly see a transaction that adds both tokens to the AAVE pool earmarked for that pair of tokens. Those tokens are now in the power of the AAVE smart contract and are managed autonomously by the pool. Thus, the first point is fulfilled, and that is something that we are clear about.
However, for the second point, the developers apply a little cheat. In the blockchain, there is a special point during the entire process of creating and confirming the transaction that is carried out, we talk about the confirmation time within the network. At that moment, the transaction is in an “inconsistent” state in which the operation appears to have been carried out (it has been created and has been issued to the network) and, at the same time, it is not confirmed (there has been no consensus about the transaction). whether the transaction is correct or not and, therefore, has not yet been included in any block). That is, the nodes of the network see the transaction, they can even report the account balance within the origin and destination wallets, even if there is no confirmation.
The latter is not uncommon, if you have ever carried out an operation with BTC, surely they will have made a transaction and you will see the balance reflected in your wallet, but some wallets do not let you have that money until it is confirmed by the network. It is money that “is” and, at the same time, “is not”, you just have to wait for it to be confirmed, and this event occurs in all blockchain networks. It is precisely this state where the “trap” begins that makes the execution of flash loans possible.
How Does A Flash Loan Attack Work?
Now, Defi protocols are not infallible, since complex smart contracts are involved in all of this and may contain flaws. Although blockchain technology is very secure, bugs are no exception since, ultimately, they are pieces of software and as such have imperfections that can be more or less obvious. Attackers take advantage of this point to carry out a Flash Loan Attack on these protocols.
Generally, Flash Loan Attacks are used to exploit vulnerabilities detected in the protocols in order to take advantage of the loan capital, in order to subtract large amounts of money from the attacked protocol.
For example, an attacker can go to AAVE to request a flash loan and use it to attack a protocol such as Balancer. This is possible because our attacker has detected a vulnerability in the system that calculates Balancer pool rewards, and with that knowledge, the hacker can use that weakness to make huge profits. Thus, the hacker asks for the flash loan, performs the operations to exploit the flaw in Balancer, refunds the payment to AAVE and withdraws with the profits that he surreptitiously stole from Balancer. Result? Our hacker takes the profit from him, AAVE gets his money and commission back, but Balancer and their LPs take a hit to their cash flow.
However, Flash Loans Attacks can present several attack vectors, since these depend on the programming of the protocol attacked. This is something that requires tremendous technical knowledge on the part of the attacker, not just programming knowledge. smart contracts, but also knowledge of the blockchain platform on which those smart contracts run. Due to this, Flash Loans Attacks are quite complex to carry out, but the same goes for avoiding them, so the developers are constantly auditing and improving contracts to avoid these problems.
KNOWN BIG FLASH LOANS ATTACKS
Some of the biggest known attacks are as follows:
the attack was carried out in August 2021 and the attacker managed to steal the amount of 611 million dollars from the pool. The vector used was a flash loan attack that took advantage of a flaw in the Ethereum-BSC-Polygon cross-chain proxy and through which the aforementioned amount was subtracted.
October 2021, an attacker performed a flash loan attack to exploit a vulnerability in a function that controlled the token pricing system assigned to the platform’s flash loan subsystem. Result? The loss of 140 million dollars.
In May 2021, a bug in the BUNNY token price calculations was exploited and as a result, the attacker managed to make $45 million.
The attack was carried out in February 2021. To do this, the attacker requested a flash loan in AAVE and, knowing of a vulnerability in the pool rounding system and a development pool (sUSD), used both flaws to manipulate prices within Alpha Finance and seize $37,5 million.
In any case, these are just some of the biggest and most well-known attacks. In the Defi world, there are many and a recommended space to keep abreast of them is Rekt. Always remember that Defi is a world of opportunities, but there are risks, keep them in mind, and learn and plan your strategies to protect yourself from them