How did the flash loans, which were originally a DeFi innovation, become an arbitrage tool for hackers?

How did the flash loans, which were originally a DeFi innovation, become an arbitrage tool for hackers?

---

On May 28th, Beijing time, BurgerSwap, the AMM protocol (automated market maker) on the BSC chain, confirmed that it was hacked by flash loans and lost over $7 million. On the 30th, Belt Finance, a multi-strategy revenue optimization AMM protocol on the BSC chain, also announced that it suffered 8 attacks in total from the flash loans, with a loss exceeding $6.2 million from 4 pools. Since May 2020, a total of 13 projects have been attacked, with total losses surpassing $260 million.

A total of 60 DeFi attacks happened in 2020, resulting in a total loss of more than $250 million, according to statistics released by PeckShield in January 2021. The frequent attacks from flash loans that happened at the time when DeFi protocols were increasingly popular had forced traders to re-evaluate the security of DeFi.


The origin of flash loans

---

The booming of the cryptocurrency market has created services akin to those in traditional financial lending. Similar to traditional loans, these services require borrowers to put in collateral, i.e. cryptocurrency, in order to apply for a loan. After the loan expires, the borrower repays the borrowed coins and the agreed interest. The interest will be distributed to each lender.

However, traditional financial institutions are generally faced with two major risks when lending: default risk and liquidity risk. The former often refers to the absconding of the lender or the inability to repay the loan, while the latter refers to the fact that an institution has made too many loans and the borrower fails to repay the loan in time, resulting in the inability of the institution to continue its own business. These two major risks also exist in crypto lending.

The flash loans were therefore first proposed by the Marble protocol in 2018 to reduce these two risks, and then gradually gained popularity with the rise of the Aave and dYdX trading platforms. In 2020, Flash loans gradually became known to the blockchain. The concept of flash loans proposed by Marble, which claims to be a "smart contract bank", was a very simple but very smart DeFi innovation at that time. It refers to zero-risk loans through smart contracts. Since almost all DeFi projects are currently carried out on the Ethereum blockchain, the objects of flash loans are also mainly projects based on Ethereum.


How flash loans work

---

Flash loans allow traders to borrow any available asset amount from a specific smart contract pool without putting in collateral and return the loan with interest within the same transaction.

Borrow, use and repay in the same transaction? It is impossible to happen in the traditional financial market, but it is indeed possible in the cryptocurrency market. In the flash loan process, a transaction refers to a set of operations performed in an "atomic fashion", i.e. either all steps are performed, or the transaction is rolled back, with no steps performed. All steps are indivisible and will be recorded in a transaction (block).

The current block speed of Ethereum is 13.52 seconds. That is to say, borrowing, using, and repaying in the current flash loan process needs to be completed within 13.52 seconds. If the borrower is found to be unable to complete the repayment within the time limit, the transaction will be reinstated.


Applications of flash loans

---

When proposing the concept of flash loans, the Marble protocol publicly pointed out that users can borrow money from Marble to buy coins in a decentralized exchange, and then sell coins at a higher price in another decentralized exchange, and repay the loan. Users will earn the difference. Therefore, one of the main applications of flash loans is arbitrage trading.

If we discover that there is a price difference between the DAI/USDT pools on Uniswap and Sushiswap: one can use 1DAI to exchange for 1.5USDT on Uniswap and 0.5DAI to buy 1.5USDT on Sushiswap, and then one can conduct the arbitrage via the following operations:

1. Borrow 100 DAI from Aave through the flash loans;

2. Exchange 100 DAI for 300USDT on Sushiswap;

3. Exchange 300USDT for 200DAI on Uniswap;

4. Repay the 100DAI loaned on Aave and the related transaction fees;

5. The remaining balance is 100 DAI, which is the income.

Actually, it also involves network costs, price slippage, first-come-first-served condition, etc., so the process is not as simple as it seems.

Moreover, flash loans can also be utilized as a collateral replacement and in the self-liquidation process, and the operations are similar to the arbitrage process.


Flash loans reduced to hacking tactics

---

In each attack incident, the attacker first obtained a large number of funds through flash loans, and then manipulated and distorted the price of related assets through a series of mortgages, loans, transactions, etc., and finally got the asset for nothing.

In February 2020, bZx suffered the first flash loan attack. The attacker made a profit of 1,193 ETH (at the time totaling $340,000) at zero cost by calling multiple DeFi protocols. According to the records of the relevant blockchain, the specific process is as follows:

1. Lend 10,000 ETH from dYdX through the flash loan with zero collateral;

2. Pledge 5,500 of them in Compound to borrow 112WBTC;

3. Send 1300 ETH to fulcrum via bZx and open a 5x leveraged short position on the ETH/BTC trading pair;

4. Sold 5,637 ETH worth $1.5 million to Uniswap's WBTC pool through Kyber Reserve, and bought 51.34 BTC worth $510,000;

5. Sell 112 WBTC of 112 BTC loaned out of Compound in the corresponding pool of Uniswap, and get 6800 ETH;

6. Finally, return 3200ETH and 6800ETH to dYdx.

Just 3 days after the first attack, bZx suffered a second flash loan attack. It is estimated that the attacker made a profit of 2,388 ETH, or about $644,000.


Why was DeFi frequently attacked by flash loans?

---

Presently, DEX (Decentralized Exchanges) such as Uniswap, etc., mainly get and report prices, exchange rates, and other functions through automated market makers and price oracles. However, unlike CEX (centralized exchange), the data of DEX is more independent, and the price of the asset pool can easily fluctuate due to drastic changes in transaction volume and liquidity, resulting in a price difference between the asset pools of the same trading pair between different DEXs, thus leaving room for arbitrage.

Hence, as long as the attacker can borrow a large number of funds through flash loans, manipulate the exchange rate on the trading platform via smart contracts, and finally conduct arbitrage through the exchange rate difference between different platforms to achieve a "zero cost" risk-free attack.


Stole it and returned it? Fun Facts About Flash Loan Attackers

---

Interestingly, some flash loan attackers repaid some or even all of their ill-gotten gains after the attack.

In 2020, the Value DeFi protocol publicly stated on Twitter that they were currently the DeFi platform with the best mechanism to resist flash loan attacks. In November of the same year, Value DeFi suffered a flash loan attack by hackers, resulting in a loss of more than $7 million.
But apparently, the attack was not the hacker's main purpose, because, in the end, the hacker returned 2 million DAI and left a sarcastic message: "Do you really know flash loans?"


Are flash loans good or bad?

---

Flash loans are indeed an innovative financial tool. Normally, it can satisfy the needs of participants in different roles in the digital currency market and promote the flow of funds and value circulation. But everything has two sides. At present, flash loans are known to be frequently utilized by hackers for attacking arbitrage, and they are, therefore, criticized by many traders.

Flash loan attacks have taken their toll on the DeFi ecosystem, but such attacks are not a reason to stop flash loan services. After all, it is used by different people with different situations. Moreover, the frequent occurrence of flash loan attacks can sound the alarm bell for the currently booming DeFi ecosystem and urge it to face up to its shortcomings. Only by doing so can the ecosystem make continuous improvements and create a better one.



Author: Gate.io Researcher: Gazer C.; Translator: Cedar W.
* This article represents only the views of the researcher and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.