Flash Loan Attacks in DeFi: Tips to Protect Yourself
A flash loan attack involves taking out uncollateralized loans from lending protocols. The attacker uses the borrowed funds, together with other tricks, to manipulate the market to their own advantage.
It is a type of DeFi attack carried out by cyber thieves. It happens in a matter of seconds and assaults four DeFi protocols.
Flash loan attacks are inexpensive and easy to execute. That's why they are listed as the most prominent DeFi attacks. Since 2020, flash loan attacks have been getting worse. They have led to losses of several hundred million dollars since the rise of DeFi.
Let’s understand this phenomenon in detail.
How Do Flash Loan Attacks Work?
Flash loan attacks rely on temporary liquidity obtained through flash loans. They are mainly used to:
Manipulate the price of cryptocurrency
Exploit the vulnerabilities in DeFi smart contracts
Steal funds from the protocol
The attacker follows a three-step procedure to execute a flash loan attack. Those three steps are:
The attackers obtain large amounts of cryptocurrencies from a DeFi site through flash loans.
The attacker uses the borrowed money to take advantage of a flaw in the DeFi smart contract. That is how they control the value of the target cryptocurrency.
The attacker repays the flash loan, returning the borrowed money to the lending platform. This typically happens inside the same transaction block.
Repaying the loan inside the same transaction block is essential to the success of a flash loan assault. The attacker can benefit from short-term cash without having to offer any collateral. This makes it challenging for lending platforms to defend against these attacks.
Why Are Flash Loan Attacks Common in DeFi?
Criminals view flash loans as attractive because they are low-risk, low-cost, and high-reward operations.
These are the main causes of the rise in flash loan attacks.
Flash Loan Attacks Are Cheap
Flash loans just demand three things to operate:
A computer
An internet connection
Creativity
This contrasts with 51% attacks, which take resources to execute. It appears that hackers must prepare their assault strategy in advance, even though carrying it out requires just a few minutes or seconds.
Flash Loan Attacks Are Low-Risk
There is risk involved in any illegal operation. However, just think of robbing a bank without having to enter the building. That is a very rough summary of what flash loan attackers do.
The ease with which one may get away with stealing from DeFi protocols has been demonstrated over the past 18 months.
Flash Loan Attack Examples
1. Euler Finance
It was one of the largest and most recent hacks. The hacker took advantage of a mistake in the platform's rate computation.
The two primary token types used by users of the Euler Finance platform for lending and borrowing are:
dTokens, which represent debt
eTokens, which represent collateral
A hacker took advantage of a weakness in the eToken feature of the platform. It resulted in the improper conversion of borrowed assets into collateralized assets.
A leading bot and the hacker's wallet were the main on-chain entities they worked with. An authorized mixer named Tornado Cash gave them the first funding they needed to pay for gas and draft the relevant contracts.
The hacker used the DeFi protocol Aave to get a flash loan worth roughly $30 million in DAI. They received an equivalent amount in eDAI tokens after depositing $20 million of the DAI onto Euler's platform.
The hacker got ten times the initial money deposited using the platform's borrowing feature. They borrowed money until the flash loan was closed and paid back some of the purchased debt with the $10 million in DAI left over.
Euler lost about $197 million worth of cryptocurrencies in DAI, wBTC, stETH, and USDC due to the hack. The native token of Euler, EUL, likewise saw a drop of around 45%.
2. Cream Finance
A hack on 27th October 2021 resulted in Cream Finance losing $130 million. Many payments and withdrawals were made. It wasn't just a flash loan attack.
The hacker used $2 billion in collateral to borrow $1.5 billion in USD vault shares from the Yearn protocol. After giving the same amount of USD to Yearn Vault, he increased the value of the shares. It made the debt on Cream $3 billion against $2 billion in collateral.
The hacker's profit would have been $1 billion. Since Cream only had assets valued at $130 million, that became the hacker's entire gain.
3. PancakeBunny Attack
A hacker deployed a flash loan attack to draw a "huge amount" of BNB tokens from PancakeSwap. He manipulated the price of USDT/BNB and BUNNY/BNB vaults. He then bought a great deal of BUNNY, only to clear his flash loan by selling all of them on the open market.
On Twitter, PancakeBunny stated:
The attacker obtained a sizable quantity of fictitiously inflated BUNNY tokens. He then reinjected them into the marketplace. As a result, BUNNY's price crashed by 95%, from $146 to $6.17 per token.
4. Alpha Homora Protocol Hack
A multi-transaction attack was used to breach Alpha Finance's vaults. It was a clever DeFi ruse that was used to take $37.5 million.
The attacker borrowed USD 1,000e18 from HomoraBankv2 using UNI-WETH LP as collateral.
The attackers' contract tricked the Homora code into believing that their malicious contract was their own. It allowed them to manipulate internal debt numbers in their system.
The Alpha Homora governance token ALPHA's price dropped from $2.25 to $1.78 as an outcome of the attack.
5. ApeRocket Flash
ApeRocket, a DeFi yield farming aggregator, saw a price collapse of roughly 63% after suffering two flash loan attacks. They led to a loss of $1.26 million.
How to Reduce Flash Loan Attacks?
The crypto world needs strict guidelines. Here are some of the suggestions:
Implement more rigorous criteria for flash loans
Increase the visibility of platform operations
Improve governance mechanisms
Set a maximum limit on the amount that can be borrowed in a single flash loan
Implement robust security measures in smart contract code
Conduct security audits every two days
Identify and address vulnerabilities before they can be exploited
Implement mechanisms to reduce the speed of transactions, allowing more time for security checks
Set restrictions on transaction rates to prevent rapid, large-scale manipulations
Leverage built-in security functions of smart contract platforms
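As an added illustration of the borrowing-limit and rate-restriction suggestions above (example code written for this article's topic, not taken from any protocol), the Python model below derives the largest single loan that keeps a pool's spot price within a tolerance, then enforces that cap together with a per-block lending limit. It assumes a fee-free constant-product pool (token reserve times quote reserve stays constant); the names Pool, max_loan_for_deviation and FlashLoanGuard are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Constant-product AMM pool (token * quote = k); an assumed pricing model."""
    token: float  # reserve of the token being priced
    quote: float  # reserve of the quote asset, e.g. a stablecoin

    def price(self) -> float:
        return self.quote / self.token

    def price_after_buy(self, quote_in: float) -> float:
        """Spot price after quote_in of the quote asset is swapped for tokens (no fee)."""
        k = self.token * self.quote
        new_quote = self.quote + quote_in
        return new_quote / (k / new_quote)  # equals new_quote**2 / k


def max_loan_for_deviation(pool: Pool, max_dev: float) -> float:
    """Largest quote-asset loan that moves the spot price by at most max_dev (0.05 = 5%)."""
    # Price ratio after the swap is ((Q + a) / Q)**2, so requiring it to stay
    # <= 1 + max_dev gives a <= Q * (sqrt(1 + max_dev) - 1).
    return pool.quote * ((1 + max_dev) ** 0.5 - 1)


@dataclass
class FlashLoanGuard:
    """Lender-side check: a cap per loan plus a cap on total lending per block."""
    per_loan_cap: float
    per_block_cap: float
    lent_in_block: dict = field(default_factory=dict)

    def authorize(self, block: int, amount: float) -> bool:
        used = self.lent_in_block.get(block, 0.0)
        if amount > self.per_loan_cap or used + amount > self.per_block_cap:
            return False  # refuse: the loan is too large or the block quota is spent
        self.lent_in_block[block] = used + amount
        return True
```

With constructed reserves of 1,000,000 on each side, an uncapped loan equal to the whole quote reserve quadruples the spot price, while a 5% tolerance limits a single loan to about 24,695.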
Final Note!
Users need to understand the risks that come with the DeFi ecosystem. Everyone should always take precautions to stay safe from flash loan assaults. Also, it is immoral to take advantage of the ever-evolving DeFi ecosystem weaknesses to gain benefits. One should always act morally and responsibly.