Flash loan attacks have definitely made it to the buzz these days, the Harvest Finance fiasco recently hit the news because of it, bZx’s trading protocol was exploited through the same, and whatnot. In this article, we’re going to break-down Flash Loan Attacks for you that have shaken the DeFi world like a leaf quite often in the past few years.
What are Flash Loans?
Table of Contents
Flash loan is the ability to leverage uncollateralized DeFi capital in order to earn a profit. They enable users to borrow funds instantly from a liquidity pool.
In 2018, the concept of a flash loan was first coined by Marble Protocol. They advertised it as a ?smart contract bank,? and its product was a simple yet ingenious DeFi novelty: zero-risk loans via a smart contract.
But How Can a Loan Not Have Any Collateral?
The catch? A flash loan must be repaid in the same transaction.
And what’s the point of such a loan? In the case of a flash loan, you can think of your transaction as being made up of three parts: receive the loan, do something with the loan that earns you some profit, repay the loan. And all that happens in a flash!
In simpler words, flash loans are atomic. If you, by chance, fail to pay back the loan, the whole thing gets reversed as though the loan never even happened. Something like this could only exist on blockchains as smart contract platforms guarantee that transactions are processed one at a time.
How Can Flash Loans Be Exploited?
DeFi is a highly experimental field, when there is so much money at stake, even the smallest vulnerabilities are discovered and exploited in no time. In 2020, two high-profile flash loan attacks saw attackers make off with almost $1,000,000 in value at the time.
Let’s look at how flash loans are implemented:
The person performing a flash loan can use their assets to drop the price across markets in order to trigger DeFi apps with oracles to sell at the desired spot price. Defi apps like BzX, Dydx, and Compound use price oracles to determine the prices across various decentralized exchanges (DEX) like Kyber’s Uniswap.
The Harvest Finance Debacle
On October 26, an attacker performed a theft of funds from the USDC and USDT vaults of Harvest Finance, a DeFi protocol developed by an anonymous team. The hacker exploited an arbitrage loss that influences the value of individual assets inside the Y pool of Curve.fi.
The attacker drained $33.8 million from Harvest and then returned $2.5 million for reasons unknown, according to a post-mortem report published by Harvest. The previous speculations estimated the loss of about $24 million.
Analysis of the Attack
- The attack initiated in transaction:
- The attacker sourced a large amount of USDT and USDC from Uniswap into the attacking contract.
- The attacker executed 17 attack transactions aimed at the USDC vault within 4 minutes and another 13 transactions targeting the USDT vault within another 3 minutes.
- The attacker then converted the funds to renBTC and exited to BTC.
- By the end of the attack, the hacker had stolen $33.8M from Harvest.
- Later, The attacker transferred some funds back to the Harvest deployer. This was 1,761,898.396474 USDC and 718,914.048541 USDT.
Simply put, the price manipulation on the Curve Y pool allowed the attacker to drain Farm USDT (fUSDT) and Farm USDC (fUSDC) tokens from Harvest.
Flash loans are a burgeoning innovation in the DeFi industry, but they’ve certainly made a lasting impression. This concept of uncollateralized loans opens up a whole new world of possibilities in a new financial system. We’re still far from having a sustainable architecture for building the financial system of the future, but, ultimately, flash loans have laid the foundation for innovative new applications in decentralized finance.
To steer clear of any such vulnerabilities and loopholes, connect with us today to get an audit for your smart contract