In the cryptocurrency world, flash loans have attracted attention for both positive and negative reasons. They have helped many users to profit, but they have also contributed to security breaches at many DeFi protocols. Some supporters even regard them as one of the most cutting-edge blockchain technologies.
To understand Flash Loans, we first need to know about the General Loan system or Centralised Finance (CeFi) lending system.
In conventional finance, secured loans and unsecured loans are the most prevalent types of loans. A secured loan requires the borrower to give the lender collateral as a form of security for loan repayment.
When your bank approves a loan, it requires you to put up certain assets as security in case you can't make the payments. For instance, if you borrow money from a bank to buy a car, the car serves as collateral and is transferable to the bank if you don't pay back the loan.
Flash loans are not your typical loans, as you might think.
Flash loans are uncollateralized loans with no borrowing limits where a user borrows and returns funds in the same transaction.
A smart contract cancels the transaction and returns the money to the lender if the user is unable to repay the loan before the transaction is completed.
No collateral is provided for a flash loan. It is not needed, because there is no possibility of a loan default by the borrower.
Transactions involving flash loans take three steps. The user borrows the money in the first step, uses the money in the second step, and then pays back the loan in the third.
The transaction fails and the blockchain returns to its pre-transaction state if any of the steps are missing. It appears as though there was no borrowing at all.
Lenders and borrowers are the two key parties in a flash loan.
Borrowers must create a smart contract with three components to communicate with the lender of flash loans:
Borrow loans from flash loan lenders (Aave, dYdX, Uniswap etc)
Interact with smart contracts for other operations
Return the loans
Flash loans are powered by smart contracts. Smart contracts are digital contracts that specify the conditions that must be met for something to function. For flash loans, they carry the borrower's instructions and execute the trades immediately.
Since the loan is paid off in one single transaction in a matter of seconds, there is no need for collateral. Furthermore, unless the money is transferred back to the blockchain, the transaction is not considered finished.
Thus, it is impossible to default on a flash loan. Gas and service costs are the only debts to which the borrower is subject (only if the trade is successful).
The DeFi lending protocol Aave originally introduced flash loans back in January 2020. At first, only developers could use them, because of the advanced technical skills needed to code a flash loan.
Arbitrage: Traders might profit by spotting price differences between a variety of exchanges.
Example: Let's say the price of a pizza coin varies between two markets. On Exchange A, it costs $1, and on Exchange B, it costs $2. To purchase 100 pizza coins for $100 at Exchange A and sell them for $200 at Exchange B, a user can use a flash loan and another smart contract. After that, the borrower pays back the loan and keeps the extra money.
Collateral swaps: The quick exchange of one sort of collateral for another in support of a borrower's loan.
Lower transaction fees: Flash loans combine operations that would often need multiple transactions. Because each transaction has a fee, flash loans may result in cheaper fees.
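The borrow, use, repay sequence and its all-or-nothing outcome can be seen in a small simulation. This is an added example, not code from the article or from any lending protocol: the ledger, the account names, the fixed-price exchanges and the 0.09% fee are assumptions, and the trade is the pizza coin arbitrage described above, with USD held in cents.

```python
import copy

FEE_BPS = 9  # assumed lender fee of 0.09%; not a figure from the article

class Reverted(Exception):
    """Any failed step aborts the whole transaction."""

class Ledger:
    """Constructed toy chain state: balances[account][asset]; USD is in cents."""
    def __init__(self):
        self.balances = {
            "lender": {"USD": 1_000_000},
            "borrower": {"USD": 0},
            "exchange_a": {"USD": 0, "PIZZA": 1_000},      # sells PIZZA at $1
            "exchange_b": {"USD": 1_000_000, "PIZZA": 0},  # buys PIZZA at $2
        }

    def transfer(self, asset, src, dst, amount):
        if self.balances[src].get(asset, 0) < amount:
            raise Reverted(f"{src} cannot pay {amount} {asset}")
        self.balances[src][asset] -= amount
        self.balances[dst][asset] = self.balances[dst].get(asset, 0) + amount

def swap(ledger, trader, venue, give, give_amt, get, get_amt):
    ledger.transfer(give, trader, venue, give_amt)
    ledger.transfer(get, venue, trader, get_amt)

def flash_loan(ledger, borrower, amount, use_funds):
    """Borrow, use, repay as one unit; restore the pre-transaction state on failure."""
    snapshot = copy.deepcopy(ledger.balances)
    owed = amount + -(-amount * FEE_BPS // 10_000)  # principal + fee, rounded up
    try:
        ledger.transfer("USD", "lender", borrower, amount)  # step 1: borrow
        use_funds(ledger, borrower)                         # step 2: use
        ledger.transfer("USD", borrower, "lender", owed)    # step 3: repay
        return True
    except Reverted:
        ledger.balances = snapshot  # as though there was no borrowing at all
        return False

def arbitrage(ledger, me):
    swap(ledger, me, "exchange_a", "USD", 10_000, "PIZZA", 100)  # buy 100 at $1
    swap(ledger, me, "exchange_b", "PIZZA", 100, "USD", 20_000)  # sell 100 at $2

def spread_gone(ledger, me):
    swap(ledger, me, "exchange_a", "USD", 10_000, "PIZZA", 100)
    swap(ledger, me, "exchange_b", "PIZZA", 100, "USD", 10_000)  # only $1 each now
```

With `arbitrage` the borrower keeps the spread minus the fee; with `spread_gone` the repayment cannot be met, so every balance, including the intermediate swaps, returns to its starting value.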
DeFi flash loans are far from ideal, despite their increasing popularity and liquidity. They're still in the development phase and could be exploited by scammers.
The borrower must take immediate action after receiving cryptocurrency. Now, information from these international transactions is collected into a block and put into the blockchain without any kind of reversal mechanism.
A block's creation takes a different amount of time on different blockchains. The blockchains for Bitcoin and Ethereum, respectively, take 5 and 13 seconds to complete.
Hackers take advantage of smart contracts, the characteristic that makes Ethereum and flash loans so special. Hackers manipulate the system to produce arbitrage opportunities so they can profit from a flash loan. By "flooding" the blockchain with buy-and-sell order smart contracts, price disparities are created.
Smart contracts can access data from sources outside of their ecosystem thanks to oracles, which are independent services. Most frequently, this information is the price of an asset in real-time.
The act of altering these oracles' asset price data to buy or sell above or below the platform's fair market value is known as "oracle manipulation."
According to blockchain auditing and security firm CertiK, 27 flash loan attacks totalling $308 million were launched in the second quarter of 2022, up from just 14 million in the first. DeFi protocols saw 23 flash loan assaults and $17.3 million in losses in the third quarter.
The Attack is Carried Out Using The Following Steps:
Take out a huge token A loan from a flash lending company.
Trade token A for token B using a DEX (this lowers the price of token A and increases the price of token B on the DEX)
Use the acquired token B as collateral on a DeFi protocol that only receives price information from the DEX (described above), and take advantage of the rigged pricing to borrow more token A.
Profit from the protocol's manipulated price feed by paying back the first flash loan in full using some of the borrowed token A and keeping the rest of the tokens.
Tokens A and B's values on the DEX will be arbitraged back to their actual market value. However, the DeFi protocol is still left with a position that is undercollateralized (debt worth more than collateral), which directly hurts other users like the liquidity pool providers.
Beanstalk: The hacker used the money to buy large amounts of STALK, Beanstalk's governance token. He exercised considerable voting influence to approve governance proposals that transferred all of the protocol funds to a personal wallet.
The entire cost to the network is estimated to be $182 million, but the hacker got away with $80 million.
PancakeBunny, May 2021: A vulnerability in PancakeBunny, a DeFi project powered by the Binance Smart Chain, resulted in a loss of more than $200 million. The cost of a token surged from $140 to $240 before plummeting to zero.
The Alpha Homora Protocol, February 2021: $37 million were stolen from the Alpha Homora Protocol by a hacker who obtained 1.8 million USDC (USD Coin) from Aave and used Curve to carry out several exchanges. (The Alpha Protocol intentionally compelled hackers to use several transactions.)
Protocols that rely on a centralized on-chain pricing oracle, such as a single DEX, are susceptible to flash loan attacks. When only one on-chain exchange is utilized as a price feed, the asset's price data is very constrained, since it only represents that exchange's market conditions.
While an attacker might execute a single flash loan transaction against an oracle like Chainlink, which is powered by a decentralised network of oracles, it wouldn't have any impact on the price feed, because the network collects pricing information from several sources.
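The difference between the two price feeds, and the undercollateralized position described in the attack steps above, can be quantified with a toy model. This is an added example, not code from the article or from any protocol: the constant-product pool, the reserves, the 75% loan-to-value limit and the reference quotes are assumptions, and the 5% deviation check goes slightly beyond the text as one way a protocol could reject a distorted feed.

```python
from statistics import median

class Pool:
    """Constant-product (x * y = k) pool; an assumed DEX model, fees ignored."""
    def __init__(self, reserve_a, reserve_b):
        self.a, self.b = float(reserve_a), float(reserve_b)

    def price_b_in_a(self):
        return self.a / self.b  # spot price of one B, quoted in A

    def swap_a_for_b(self, a_in):
        k = self.a * self.b
        self.a += a_in
        b_out = self.b - k / self.a
        self.b -= b_out
        return b_out

LTV = 0.75                         # assumed loan-to-value limit
OTHER_VENUES = [1.00, 1.01, 0.99]  # constructed quotes from untouched markets

def assess(trade_a):
    """Compare lending exposure under a single-DEX feed and a median of feeds."""
    dex = Pool(1_000_000, 1_000_000)          # constructed reserves, fair price 1.0
    collateral_b = dex.swap_a_for_b(trade_a)  # one large trade inside the transaction
    spot = dex.price_b_in_a()
    agg = median(OTHER_VENUES + [spot])       # the distorted quote is a single outlier
    fair_value = collateral_b * median(OTHER_VENUES)
    result = {"spot": spot, "aggregated": agg}
    for name, price in (("spot", spot), ("aggregated", agg)):
        lent = collateral_b * price * LTV
        result[f"lent_{name}"] = lent
        result[f"shortfall_{name}"] = max(0.0, lent - fair_value)
    return result

def feed_is_suspect(spot, references, max_deviation=0.05):
    """Flag a feed that strays from the reference median by more than the bound."""
    ref = median(references)
    return abs(spot - ref) / ref > max_deviation
```

For a trade of 1,000,000 A, the single-DEX feed quotes B at 4.0 and the protocol lends 1,000,000 A more than the collateral is worth, while the median stays near 1.0 and leaves no shortfall.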
Due to their ability to instantaneously lend customers a limitless amount of assets without requiring security, flash loans have revolutionised the field of decentralised finance.
Nevertheless, they are a double-edged sword and, depending on their intended purpose, may have negative effects on the crypto environment.
Flash loans have the potential to be a useful - and net positive - instrument for both skilled and everyday users as decentralised finance improves and protocols become exploit-resistant.