What is a Flash Loan Attack?

The rise of cryptocurrencies and blockchain technology has led to the emergence of various trends and revolutionary technology. Decentralized finance (DeFi) is a prime example. Aimed at creating a permissionless, scalable, transparent, and decentralized financial ecosystem, DeFi has grown exponentially. However, like most trends, several problems linger. Flash loan attacks are one of them.

The PancakeBunny attack, which according to reports led to the loss of over $200 million, is one of the most high-profile flash loan attacks in recent times. This article will discuss flash loan attacks, the most famous cases, and how to prevent them.

What is a flash loan?

Flash loans are uncollateralized loans enforced by smart contracts. Pioneered by Aave, one of the leading DeFi platforms, they involve no credit checks, no limits, and, more importantly, no collateral.

Traditionally, two loan types exist: secured and unsecured. Secured loans require collateral, credit checks, and have specific limits. Unsecured loans, on the other hand, are uncollateralized. This means anyone can borrow any sum without providing a substantial asset as indemnity. Flash loans are unsecured and are a product of the DeFi space.

According to the Aave team, flash loans are the first uncollateralized loans in the space and have been expressly designed for users and developers to seamlessly and instantly borrow assets without collateral. Flash loans present an excellent opportunity for arbitrage trading.

Arbitrage trading allows traders to exploit asset price differences across multiple crypto exchanges. For example, if the price of a token is $10 on Exchange X and $13 on Exchange Y, a user can leverage flash loans to borrow $1,000, purchase 100 tokens on Exchange X, and then sell them on Exchange Y for $1,300.

What are flash loan attacks?

A flash loan attack exploits a DeFi platform's smart contracts: a malicious actor borrows a considerable sum with no collateral, then manipulates the price of the token or asset on an exchange before selling it off on another.

Flash loan attacks are the DeFi industry's most common and cheapest attacks. Since the trend's remarkable growth a few years back, these attacks have become a recurring issue. The attacks are quick: once the malicious actor obtains the loan, they immediately initiate an "artificial sell-off", resulting in a noticeable drop in the asset's price.

In addition to an unnatural sell-off, attackers use a variety of schemes to manipulate the market in their favor. These attacks can be coordinated quickly and bypass many DeFi security protocols.

Examples of flash loan attacks

Alpha Homora Attack

Widely regarded as the most significant flash crypto loan attack of 2021, the Alpha Homora attack was executed on Iron Bank, Cream Protocol's lending platform. A record $37 million was lost to this attack.

The malicious actor repeatedly borrowed sUSD from Iron Bank through the Alpha Homora decentralized application (DApp). The attack occurred in a two-transaction model where the hacker lent the borrowed sUSD back to the Iron Bank, which allowed them to receive Yearn Synth USD as a reward. The hacker borrowed 1.8 million USD Coins from Aave, swapped them for sUSD using the Curve platform, and used the sUSD to pay back the loan on Iron Bank. This act allowed them to keep borrowing and repaying, earning them more cySUSD.

This process was repeated multiple times, allowing them to steal as many funds as possible. Overall, the hacker borrowed a total of 13K WETH (Wrapped Ethereum), 5.6 million USDT, 3.6 million USDC, and 4.2 million DAI.

The PancakeBunny Attack

The infamous PancakeBunny attack of 2021 on the BSC-based yield farming aggregator platform had a devastating effect on the project and the market. The hack caused the PancakeBunny token value to drop by over 96%, making it one of the most popular flash crypto loan attacks.

The perpetrator borrowed a considerable amount of BNB via PancakeSwap, which was used to manipulate the price of USDT/BNB and BUNNY/BNB trading pairs. The hacker stole a large amount of money through this price manipulation, causing the value of BUNNY to drop extensively. Per reports, a total of $3 million was stolen by the hacker. However, the effect of the exploitation was worth over $200 million as the token price crashed.

The Cream Finance Attack

The Cream Finance flash loan attack was complex, requiring the perpetrator to deploy numerous schemes and strategies. In the attack, which was carried out in 2021, the hacker borrowed $1.5 billion from the Yearn Protocol's vault shares. With a collateral of $2 billion, the malicious actor doubled the value by donating the borrowed funds back to the Yearn Protocol.

The ApeRocket Crypto Loan Attack

The ApeRocket flash loan attack occurred in 2021 on the ApeRocket protocol. The attack was carried out in two separate yet related processes.

First, the hacker borrowed a large sum of $CAKE and $AAVE, 99% of which were held in ApeRocket's vault. Secondly, the perpetrator sent funds to the protocol's vault, causing the project to mint more tokens to account for the extra funds received. Finally, the hacker dumped the tokens, resulting in a loss of $1.26 million and the catastrophic crash of the ApeRocket Protocol's token (SPACE) by over 63%.

Platypus Finance Attack

In 2023, the Platypus Finance protocol was hit by a catastrophic flash loan attack. The hacker borrowed 44 million USDC from the Aave protocol, used the funds to stake, and then borrowed more from Platypus Finance. The actor initiated an "Emergency Withdrawal" on the protocol and withdrew the staked funds without repaying the borrowed USDC.

The hacker immediately withdrew the staked funds by triggering the emergency function. This attack, unlike most, was enabled by a vulnerability in the platform's staking function. It failed to check the hacker's status before the withdrawal was processed. Over $8.5 million was lost in this attack.
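The missing check described above can be shown with a small model. This is an added example, not Platypus Finance code: the class, the 50% collateral limit and the reading of "status" as "has outstanding debt" are assumptions made for illustration.

```python
class InsolventWithdrawal(Exception):
    """Raised when a user with open debt tries to pull their stake."""

class StakingPool:
    """Toy pool (hypothetical): stake, borrow against the stake, emergency-withdraw."""
    COLLATERAL_PERCENT = 50  # constructed limit: borrow up to 50% of the stake

    def __init__(self, liquidity, check_debt_on_emergency):
        self.liquidity = liquidity
        self.check_debt = check_debt_on_emergency
        self.staked = {}
        self.debt = {}

    def stake(self, user, amount):
        self.staked[user] = self.staked.get(user, 0) + amount
        self.liquidity += amount

    def borrow(self, user, amount):
        limit = self.staked.get(user, 0) * self.COLLATERAL_PERCENT // 100
        if self.debt.get(user, 0) + amount > limit:
            raise ValueError("borrow exceeds collateral limit")
        self.debt[user] = self.debt.get(user, 0) + amount
        self.liquidity -= amount

    def emergency_withdraw(self, user):
        # Hardened path: the stake is still backing a loan, so refuse to release it.
        if self.check_debt and self.debt.get(user, 0) > 0:
            raise InsolventWithdrawal("repay outstanding debt first")
        amount = self.staked.pop(user, 0)
        self.liquidity -= amount
        return amount

def unbacked_debt(check_debt):
    """Debt left without collateral after stake -> borrow -> emergency withdraw."""
    pool = StakingPool(liquidity=1_000, check_debt_on_emergency=check_debt)
    pool.stake("user", 100)
    pool.borrow("user", 50)
    try:
        pool.emergency_withdraw("user")
    except InsolventWithdrawal:
        pass  # the hardened pool rejects the withdrawal
    return max(0, pool.debt.get("user", 0) - pool.staked.get("user", 0))

if __name__ == "__main__":
    print("without check:", unbacked_debt(False))
    print("with check:   ", unbacked_debt(True))
```

Every exit path that releases collateral, including emergency and admin paths, needs the same solvency check as the normal withdrawal path.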

How to prevent flash loan attacks

With the number of flash loan attacks rising, it has become apparent that there is no single, working solution to this problem. There are, however, significant steps that can be taken to limit these attacks to some degree. They are:

Leveraging detection tools

One of the main reasons flash loan attacks occur is the slow response time of DeFi platform developers. However, it is only possible to identify a flash loan attack once it has happened. This highlights the need for detection tools.

These tools are designed to enable project developers and managers to detect smart contract exploits and other uncommon user activities. The expedited detection allows developers to act swiftly and neutralize the hacks to the highest degree. Most DeFi protocols have installed dozens of these cybersecurity tools to mitigate these malicious attacks.

Using decentralized oracles for price data

Leveraging decentralized oracles for price data is another efficient way to prevent flash loan attacks. Chainlink and Band Protocol are two of the most sought-after oracles in the market.

Previously hacked DeFi protocols like Alpha Homora launched an oracle aggregator last year and have since been able to detect attacks before they occur.
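Why an aggregated price resists the manipulation described in this article, as an added example that is not code from any of the protocols named here. The constant-product pool, the reserve sizes and the two extra feed values are constructed, and the median stands in for whatever aggregation a real oracle uses.

```python
from statistics import median

class ConstantProductPool:
    """Toy x*y=k pool with no fees (constructed for illustration)."""

    def __init__(self, token_reserve, usd_reserve):
        self.token = token_reserve
        self.usd = usd_reserve

    def spot_price(self):
        # Price implied by the reserves at this instant.
        return self.usd / self.token

    def sell_tokens(self, amount):
        # Swap tokens for USD while keeping token * usd constant.
        k = self.token * self.usd
        self.token += amount
        usd_out = self.usd - k / self.token
        self.usd -= usd_out
        return usd_out

def aggregated_price(sources, max_deviation=0.05):
    """Median of several sources, plus the readings that stray from it."""
    prices = [read() for read in sources]
    mid = median(prices)
    outliers = [p for p in prices if abs(p - mid) / mid > max_deviation]
    return mid, outliers

def simulate():
    pool = ConstantProductPool(1_000_000, 10_000_000)  # spot price $10
    # Two further feeds with constructed values, assumed independent of the pool.
    feeds = [pool.spot_price, lambda: 10.02, lambda: 9.98]
    before = pool.spot_price()
    pool.sell_tokens(1_000_000)  # one oversized sale inside a single transaction
    after = pool.spot_price()
    mid, outliers = aggregated_price(feeds)
    return before, after, mid, outliers

if __name__ == "__main__":
    before, after, mid, outliers = simulate()
    print(f"pool spot price: {before:.2f} -> {after:.2f}")
    print(f"median across feeds: {mid:.2f}, flagged outliers: {outliers}")
```

A protocol that values collateral from the single pool sees the price fall by 75%, while the median barely moves and the outlier list doubles as a detection signal.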

Two block confirmations for transactions

The Dragonfly research team proposed the use of two confirmation blocks for transactions. While this does not guarantee optimal security — as hackers can launch attacks on both blocks — it serves as a risk management tool, as it helps reduce and completely dispel flash loan attacks.

Circuit breakers

Another timely way to prevent flash loan attacks is by disabling large movements of funds, making it harder for these perpetrators to manipulate the market easily.

Implementing time delays (transaction per second speed) and increasing the cost of processing a flash loan are other subtle ways to rid the industry of malicious actors and actions.
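One way to model the circuit breaker and pause described above, as an added example rather than any protocol's own code. The 10% cap (1,000 basis points), the one-hour window and the sample withdrawals are constructed values.

```python
from collections import deque

class OutflowCircuitBreaker:
    """Refuse withdrawals once outflow in a rolling window exceeds a share of TVL."""

    def __init__(self, max_bps, window_seconds):
        self.max_bps = max_bps          # cap in basis points of current TVL
        self.window = window_seconds
        self.recent = deque()           # (timestamp, amount) of allowed withdrawals
        self.tripped = False

    def request(self, now, amount, tvl):
        if self.tripped:
            return False                # stays paused until operators reset it
        while self.recent and now - self.recent[0][0] >= self.window:
            self.recent.popleft()       # forget withdrawals outside the window
        outflow = sum(a for _, a in self.recent) + amount
        if outflow * 10_000 > self.max_bps * tvl:
            self.tripped = True
            return False
        self.recent.append((now, amount))
        return True

    def reset(self):
        self.recent.clear()
        self.tripped = False

# Constructed sample: (timestamp in seconds, withdrawal amount).
SAMPLE = [(0, 20_000), (600, 30_000), (4_000, 40_000), (4_010, 400_000), (4_020, 1_000)]

def replay(events, tvl=1_000_000, max_bps=1_000, window_seconds=3_600):
    """Run withdrawals through the breaker; return the decisions and remaining TVL."""
    breaker = OutflowCircuitBreaker(max_bps, window_seconds)
    decisions = []
    for now, amount in events:
        allowed = breaker.request(now, amount, tvl)
        if allowed:
            tvl -= amount
        decisions.append(allowed)
    return decisions, tvl

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The oversized fourth withdrawal trips the breaker, and the small fifth one is also refused because the pause holds until an operator calls `reset()`.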

Why are flash loan attacks common?

Flash loan attacks are prevalent, and here are some reasons why.

  • They are cheap to execute: they are the easiest and most affordable attacks to carry out on DeFi protocols. Hackers simply need access to a liquidity pool to borrow funds with no collateral. Anyone can conveniently attempt a flash loan attack.

  • Arbitrage trading: exploiting an asset's fluctuating prices across crypto exchanges makes flash loan attacks common. The existence of hundreds of exchanges makes it almost impossible to determine the actual price of a crypto asset.

  • The current success rate: flash loan attacks' success rate shows how successfully they can be executed. Since 2021, hackers have made away with millions of U.S. dollars from flash loan attacks in a short period.

Will flash loan attacks stop?

Like other malicious attacks in the crypto industry, flash loan attacks are unlikely to stop. However, measures can be put in place to mitigate the risks.

The design and introduction of advanced detection tools could be a paradigm shift for DeFi protocols. These tools can efficiently detect unusual movements in a protocol and immediately notify the development team.


FAQs

What is a Flash Loan attack?

A flash loan attack exploits a DeFi protocol's smart contracts by borrowing large sums of funds with zero collateral and with no plan of paying back.

Are Flash Loan attacks real?

Yes, flash loan attacks are real. The PancakeBunny, Cream Finance, Alpha Homora, and Platypus Finance hacks are prime examples of flash loan attacks. The protocols incurred financial losses.

What are the steps in a Flash Loan attack?

Hackers start by borrowing funds from a specific protocol, deploying skills to manipulate the market, and finally dumping the tokens. These steps have led to crashes of multiple DeFi protocols.
