Flash loans have recently gained a lot of traction, both for the new opportunities they open to investors and, even more so, for enabling malicious attackers to exploit vulnerabilities in various decentralized finance (DeFi) protocols. Since these loans require no collateral, they allow investors to take advantage of arbitrage opportunities, but they also remove any financial deterrent to plotting a malicious attack.
Flash loans were initially introduced by the Marble protocol in 2018 but were popularized by Aave and dYdX at the beginning of 2020. These services provide a smart contract pool from which users can anonymously borrow money without any collateral. The contracts are based on the Ethereum blockchain and require borrowers to repay the loan in the same transaction. If the loan is not repaid, the transaction would be reversed and the lenders would get their money back.
This effectively eliminates the fundamental risks that arise out of traditional lending arrangements in the form of default risk and illiquidity risk. Since there is no risk or lost opportunity cost to the lender, the borrower is only required to pay marginal compensation. Apart from this, the borrower also has to pay the gas, which is the fee a user must pay to transact on the Ethereum blockchain.
The popularity of flash loans grew throughout 2020. The cumulative volume of flash loans lent on Aave, one of the main platforms giving access to this kind of product, grew significantly from October 2020 to January 2021. In just these three months, the cumulative volume increased from $574.02 million on 4th October to $1.58 billion on 4th January. The most lent cryptocurrencies on Aave were DAI and USDC, with DAI accounting for 63% and USDC for 23% of the total volume lent as of 4th January.
Since their emergence, flash loans have mainly been used for arbitrage: a user identifies a discrepancy in the quoted price of a cryptocurrency on two different exchanges and takes advantage of it by taking out a flash loan and transacting on both exchanges. He then closes the transaction by returning the borrowed amount along with any interest and gas. Flash loans are also popularly used for collateral swaps and self-liquidation.
Apart from these use cases, flash loans have also been notoriously used for wash trading and other forms of market manipulation. The most common exploit used by attackers relies on manipulating a centralized price oracle, which is a single reference point transmitting pricing data to a DeFi protocol. Protocols that depend on such an oracle are more vulnerable to manipulation than projects that rely on multiple nodes to transfer pricing data (decentralized price oracles).
Here is an example of an attack conducted through the flash loan mechanism. The attacker takes a flash loan in ETH and swaps it for sUSD on a decentralized exchange (DEX). This depresses ETH’s value and increases sUSD’s value on the DEX. Then, the attacker deposits the sUSD as collateral and takes a loan in ETH from a DeFi protocol that uses the above DEX as its centralized price oracle. He then returns the flash loan and keeps the remaining ETH. By manipulating the prices of the two currencies, the attacker borrowed more than he otherwise could have, and with less collateral.
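The sequence above can be put into numbers to show why the single-source oracle is the weak point and what an aggregated price or a deviation check changes. This is an added example, not code from any protocol named in this article; it assumes a fee-free constant-product (x*y=k) pool, constructed reserves and reference prices, and a hypothetical 75% loan-to-value ratio.

```python
from statistics import median

class ConstantProductPool:
    """Toy fee-free x*y=k DEX pool holding ETH and sUSD (constructed reserves)."""

    def __init__(self, eth, susd):
        self.eth, self.susd = eth, susd

    def eth_price(self):
        """Spot price in sUSD per ETH, as quoted by this pool alone."""
        return self.susd / self.eth

    def swap_eth_for_susd(self, eth_in):
        """Sell ETH into the pool; returns the sUSD paid out."""
        k = self.eth * self.susd
        new_susd = k / (self.eth + eth_in)
        susd_out = self.susd - new_susd
        self.eth, self.susd = self.eth + eth_in, new_susd
        return susd_out

def borrowable_eth(susd_collateral, eth_price, ltv=0.75):
    """ETH a lender releases against sUSD collateral at the oracle's price."""
    return susd_collateral * ltv / eth_price

def oracle_accepts(pool_price, reference_prices, max_deviation=0.05):
    """Defensive check: refuse a quote that strays from the median of
    independent sources by more than max_deviation."""
    ref = median(reference_prices)
    return abs(pool_price - ref) / ref <= max_deviation

def simulate(flash_eth, reference_prices):
    """Replay the sequence from the article and value the same collateral
    under a single-pool oracle and under a median of several sources."""
    pool = ConstantProductPool(eth=10_000, susd=2_000_000)  # 200 sUSD/ETH
    collateral = pool.swap_eth_for_susd(flash_eth)
    skewed = pool.eth_price()
    aggregated = median([skewed] + reference_prices)
    return {
        "skewed_price": skewed,
        "single_oracle_loan": borrowable_eth(collateral, skewed),
        "median_oracle_loan": borrowable_eth(collateral, aggregated),
        "guard_accepts": oracle_accepts(skewed, reference_prices),
    }

if __name__ == "__main__":
    # Constructed inputs: a 10,000 ETH flash loan and two untouched price sources.
    for name, value in simulate(10_000, [200.0, 201.0]).items():
        print(f"{name}: {value}")
```

With the single-pool oracle the lender releases more ETH than the flash loan itself, while the median price or the deviation guard leaves the same collateral unable to cover the loan.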
In theory, such attacks can be carried out even without the use of flash loans, as they target vulnerabilities that already exist in the DeFi system. But such an attack requires a large amount of capital and runs the risk of tainting the attacker’s cryptocurrency. A flash loan solves both these problems and allows anyone to exploit such vulnerabilities.
In essence, flash loans are a wonderful innovation in the world of DeFi that gives users the ability to take advantage of profitable opportunities that were earlier closed to them due to lack of liquidity. On the other hand, they also open the door to a scary reality where potentially anyone can mobilize millions of dollars worth of cryptocurrency to manipulate the market and walk away with a hefty gain.