The Defi Flash Loan Hack Must Be Stamped Out
In recent weeks, we have seen a spate of news reports on flash loan attacks on a number of decentralized finance (DeFi) protocols, with a staggering $24 million stolen from Harvest on October 26, $5.4 million from Value DeFi on November 6, $2 million from Akropolis on November 12, and $7 million from Origin on November 17. These attacks have meant a significant loss for thousands of users and sent the value of native tokens tumbling. More importantly, they have thrown into question the safety and staying power of DeFi as a home for the new world of digital banking and investing.
Flash loan products have, in short, become a stain on the DeFi community that underlines a vulnerable complexity that is the hallmark of greedy Wall Street, but that the DeFi protocol was meant to stamp out in favor of open, transparent and fully accessible finance. This is a shame — not least because flash loans are conceptually brilliant. A unique feature of decentralized finance, they allow users to borrow millions of dollars at no risk to the lender, for little to no interest. This is because the borrowing and repayment of the loan are both done in one single transaction on the blockchain.
What is a flash loan?
This process is known as an ‘atomic’ action in computer science, and means something happens all at once or it doesn’t happen at all. The atomic nature of flash loans makes them zero risk to lenders because if the loan doesn’t get paid back in the same transaction, it doesn’t get loaned. It also means that the loans should effectively be 0% interest as they were borrowed and repaid at the same time (although lending platform Aave, one of the leading DeFi lending platforms, charges 0.09% for its flash loans).
Flash loans have a few applications but are chiefly used for arbitrage opportunities, where a user spots a price differential between two assets that can be exploited and profited from, through a transaction or number of transactions.
For example, say Curve’s DAI/USDC liquidity pool is pricing at 1:1, but Uniswap’s pool is pricing the pair at 0.99:1. A user could profit from this by:
A legitimate tool, or hacker’s dream?
Originally envisioned as a tool for DeFi developers, the profitability of flash loan products for an arbitrage trade has broadened their appeal, leading to these flash loan attacks. As you can surmise from the above, these trades can make millions by taking advantage of pricing slips created by trading volume on different platforms — pricing slips that can in-fact be generated and exacerbated by the flash loan attack itself. Described by Chainlink’s Adelyn Zhou like wedging a “foot in the door” of a DEX like Uniswap, a sequence initiated by a flash loan can create massive swings in pricing that will allow an attacker to drain liquidity pools, and user’s money.
What you might have also noticed is that, despite these events often being described as ‘hacks’ they’re really not. ‘Flash loan attack’ is a more accurate term for these crypto transactions, and ‘flash loan exploit’ even more so. The real problem, as Aave’s founders are often keen to point out, is not with flash loans, but with the weaknesses in the smart contracts underlying a decentralized exchange protocol like Uniswap, Value DeFi and Harvest et al., that allow canny attackers to exploit them. And at the heart of this weakness are the data streams that control pricing in the contracts, known as ‘oracles’.
Closing the loopholes and opening-up DeFi
Projects like blockchain firm Chainlink are working on tackling oracle manipulation, which will help to improve the data stream that every smart contract relies on. However, as Aave’s Stani Kulechov noted in the news this week, as it stands, “Building resilient DeFi is becoming difficult.” While blazing a trail in the new digital financial world, DEXs are extremely high risk to users, many of whom have to rely on the kindness of attackers to recoup losses, as was seen with the generous return of $95,000 to some victims of the Value attack after they sent pleading notes through the Ethereum blockchain. This is, to say the very least, not ideal.
DeFi needs to do better, much better than this. Work is being done to find a way to compensate retail investors for the collective loss of assets they make in these attacks, with Value DeFi reportedly establishing a compensation fund for those affected, while recent news reports suggest there is talk at Harvest of an ‘IOU’ reserve pool that will extract value from its DeFi protocol to reimburse traders. What we really need, though, is a safe, secure ecosystem for users that neither have to conduct complex maneuvers to participate in a DeFi protocol, nor potentially be victims of them.