Understanding Flash Loan Attacks, and How They Happen
Earlier this year, DeFi protocol Aave released a new feature called “flash loans” that have taken arbitrage opportunities to the next level. Many in the community were unaware of the power that flash loans have to manipulate markets and were shocked to find out that several “hacks” have occurred, with the perpetrators getting away with millions of dollars worth of cryptocurrency. Just recently, four flash loan attacks have occurred on various protocols, with attackers taking $25M, $7M, $3.3M, and $2M from Harvest, Value DeFi, CheeseBank, and Akropolis, respectively. So what are flash loans, how were they used to carry out these “attacks” and were these even “attacks” at all? While those who lost money certainly have cause to be upset, in most cases these protocols were working the way they were designed — begging the question, “Were these even hacks at all?” An alternative explanation could be that these “thieves” are blockchain coding experts who used the resources available to them to conduct a fantastic arbitrage trade.
This is a perfect opportunity to remind everyone that DeFi protocols are still experimental, and the safety of your funds in them is not guaranteed. Never invest more than you are willing to lose.
Flash Loans — What Are They?
Most loans in the cryptocurrency world are what we call collateralized loans, meaning that you have to lock your funds in a platform or protocol to access your loan. But what if I told you that with flash loans, you can borrow a massive amount of funds — millions of dollars — with zero collateral? You’d probably slap me and tell me that sounds too good to be true! Well, I hope you’ll be gentle because that is exactly what flash loans allow you to do.
There’s just one catch.
You have to pay the loan back in about 15–20 seconds. You read that correctly.
You see, one is only able to take out a collateral-less flash loan if they pay back the borrowed amount within the same block that they borrowed. The inherent protection in this is that if the borrower fails to pay back the borrowed funds, the borrowing transaction simply invalidates and it’s as if they never borrowed in the first place! This is made possible by the way blockchains function.
Every time a new block is added to the chain, the transactions that took place during the time between blocks are recorded in that block and are hard-coded into the block’s hash. Once that block is confirmed in the subsequent block, it is immutable. However, if a user were to attempt a transaction, theoretically it could fail and be reversed before it is confirmed. That is the exact logic that flash loans implement to avoid the theft of funds. This type of loan can only exist with blockchains, and would not work on centralized platforms. In this sense, flash loans are “atomic” loans. If you fail to pay back, it never happened in the first place.
Flash loans are used to leverage arbitrage opportunities. Let’s take USDT and USDC for example. Both are stablecoins which should always be worth about $1. However, market fluctuations mean that these coins range between $.99 and $1.01. If there is a price discrepancy for these coins between exchanges, a trader could arbitrage these for a small gain across a pair of exchanges. At most, this would only yield about a 1% return (in the case for stablecoins) but is likely far less. It would take a serious amount of principal for a return of this size to be worth the gas fees. This is where flash loans come in. Suppose a savvy trader borrows $1M in a flash loan and uses it to arbitrage stablecoins, paying back the flash loan within one block, and netting a 0.1% return. 0.1% on a $1M loan is a $1000 return — not too shabby! Minus gas fees and you are still in great profit. Even better, if the trade somehow becomes unprofitable — the transaction fails because the borrowed flash loan funds cannot be paid back. That leaves the only risk to be wasted fees!
While flash loans are only made possible by blockchain tech, in a sense they go against a fundamental principle of cryptocurrency. Satoshi himself wrote in the Bitcoin whitepaper that a 51% attack would not happen because the attacker would find it more profitable to play by the rules than “undermine the system and validity of his own wealth.” With flash loans, “attackers” are not undermining the validity of their wealth — but rather the borrowed wealth of others. Theoretically, an “attacker” with almost no assets can borrow tens of millions of ETH and use it maliciously. This is the dilemma with flash loans, and is what led to the loss of funds through these DeFi “hacks”.
Hacks or Mastermind Arbitrage?
It didn’t take long for flash loans to wreak havoc on the budding DeFi sector. Friday, Feb 14th, 2020 a flash loan “attack” was perpetrated against bZx — DeFi’s 8th largest project at the time. The “attack” drained $350k from the platform and was followed by a second attack on Feb 18th that drained an additional $633k. Nearly $1M in total assets drained from a DeFi platform where users thought their funds were safe. Unforgivable.
But though bZx was the first, it was certainly not the last! As we said in the opening paragraph, much larger portions of funds were taken from Harvest, Value, CheeseBank, and Akropolis — to the tune of $37M. These attacks were all conducted by manipulating price feeds — namely, oracles.
In the case of bZx, the Fulcrum protocol used the Kyber network’s live price to determine prices for lending and borrowing. The “attacker” borrowed $10M in ETH and used it to manipulate market prices on Kyber, which they then exploited on Fulcrum. Lenders on Fulcrum got the short end of the stick. In the case of Harvest finance, the “hacker” manipulated prices on the Curve y-pool to drain money from Harvest’s farm USDT (fUSDT) and farm USDC (fUSDC) on multiple occasions before exiting to Bitcoin. In a post-mortem published on the Harvest Finance blog, Harvest took responsibility and attributed the error to price feed manipulation and exploiting impermanent loss, saying, “[The attacker] used the manipulated asset value to deposit funds into Harvest’s vaults and obtain vault shares for a beneficial price, and later exit the vault at a regular share price generating a profit.”
Once again, millions in funds were lost due to manipulated price feeds. These protocols are not alone. CheeseBank also lost roughly $3.3M in assets due to manipulating its AMM-based price oracle. These types of “attacks” are becoming all too common in DeFi.
A Need For Adaptation
This most recent spate of “attacks” has underscored that price feeds based on real-time market values are a critical vulnerability for DeFi protocols. No matter how robust an oracle is, it seems that with a large enough sum of funds — it can be compromised and manipulated to execute trades at the wrong price.
But what if these weren’t “attacks” at all?
There is a reason I have been putting “attacks” in quotes. It’s because, in all actuality, these protocols were working exactly as they were designed. These “attacks” were not “hacks” in that they somehow broke through security to steal funds. Keep in mind that all of the protocols in question had their code audited at least once, giving users a false sense of security.
Additionally, these “attacks” are not purely the fault of flash loans! Even if flash loans never exited, these attacks could theoretically take place if a whale decided to manipulate market prices. Flash loans only serve to “level the playing field” so that anyone can become a whale — at least for 15 seconds.
The only way to prevent price feed attacks is to remove price feeds from the system.
UMA’s Unique Approach
With enough working capital, any on-chain price feed can be corrupted. The solution: take these price feeds entirely off-chain! UMA’s DVM (Data Verification Mechanism) protocol is designed to do exactly that. By creating a “priceless” system that is only referenced for liquidation disputes and synthetic token settlements, UMA removes the price feed vulnerability “attack vector” from the equation. UMA is immune from the brand of “flash attacks” that have plagued DeFi protocols lately, due to the slow nature of its oracle price feed system. Remember that flash loans only work for 15 seconds. UMA price settlements are usually hours-long processes, thereby ruling out flash loan attacks on time alone.
The DVM functions as a decentralized, permissionless oracle system, and is secured by economic incentives. The DVM itself is comprised of its community of token holders. When a price feed request is made, token holders must manually calculate a price and vote on their answer. Correct votes are incentivized with a voting reward. If an incorrect price were to be used to manipulate liquidations, for example, a dispute would resolve this in the correct direction. Quite literally, it would not be economical for a DVM participant to vote maliciously.
In this regard, priceless systems are much more secure than their counterparts. Priceless feeds such as the UMA DVM cannot be manipulated, and are the future primitives for better money legos.
For more information on UMA, check out their website at https://umaproject.org/