What You Need To Know About Flash Loans

MV Global
Jan 28, 2022

Most of us are at least somewhat familiar with how traditional loans work. It’s usually something like this: the borrower fills in some paperwork, proves that they’ve got a steady income stream or puts down collateral, waits for the loan to be approved, before paying it back with interest within an agreed term.

Flash loans flip this model completely on its head by providing an entirely new way to borrow money, agree on terms, and make repayments. Equal parts impressive and terrifying, flash loans are tearing their path through the blockchain industry, unraveling protocol loopholes and bugs along the way while providing users with arguably the most capital-efficient way to manage digital assets.

What are Flash Loans?

Flash loans first came into common usage in 2020 when Aave, a popular blockchain-based money market, began offering zero-collateral loans that meet specific requirements.

In essence, they are a type of loan that sees a borrower take out funds and then pay them back to the lender within a single transaction. Broadly, flash loan transactions can be described by the following three phases:

  • Phase 1: Borrow funds at an agreed interest rate;
  • Phase 2: Use borrowed funds to secure a profit through one of a variety of DeFi protocols;
  • Phase 3: Return borrowed funds and interest to the lender, and keep the excess profit.

These loans are generally executed and completed in just seconds, which makes them ideal for capitalizing on extremely transient opportunities and maximizing capital efficiency for the lender. Given that flash loans are incredibly short-lived, they tend to attract an extremely low fee — this is set at 0.09% on Aave but can vary on other platforms.

They are one of the few ways to borrow funds without putting up any collateral in return — since the lender is generally at no risk of losing money. As a result, they’re also considered one of the safest loan types for both counterparties.

Unlike typical loans, there are no credit checks, collateralization requirements, lengthy negotiations, or even paperwork to complete. Flash loans can generally be secured within just seconds and are becoming increasingly accessible and widespread. Since the terms of the loans are automatically enforced by smart contracts, they’re also incredibly secure and reliable.
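The three phases and the "repay or revert" guarantee can be modeled in a few lines. The sketch below is an added example, not code from the original article or from Aave: the `Ledger`, `flash_loan`, and the two stand-in trades are hypothetical names, the balances are constructed, and only the 0.09% fee comes from the text above.

```python
FEE_BPS = 9  # 0.09% in basis points, the Aave figure quoted above


class Revert(Exception):
    """Raised when any step fails; the whole transaction is undone."""


class Ledger:
    """Hypothetical in-memory balance sheet standing in for chain state."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] += amount


def flash_loan(ledger, amount, strategy):
    """Run borrow -> use -> repay as one atomic unit; True if it committed."""
    snapshot = dict(ledger.balances)
    owed = amount + amount * FEE_BPS // 10_000
    try:
        ledger.transfer("lender", "borrower", amount)   # phase 1: borrow
        strategy(ledger)                                # phase 2: use funds
        ledger.transfer("borrower", "lender", owed)     # phase 3: repay + fee
        return True
    except Revert:
        ledger.balances = snapshot                      # as if nothing happened
        return False


def winning_trade(ledger):   # constructed stand-in for a trade that gains 500
    ledger.transfer("market", "borrower", 500)


def losing_trade(ledger):    # constructed stand-in for a trade that loses 10
    ledger.transfer("borrower", "market", 10)


START = {"lender": 1_000_000, "borrower": 0, "market": 10_000}  # constructed


def run(strategy):
    ledger = Ledger(START)
    committed = flash_loan(ledger, 100_000, strategy)
    return committed, ledger.balances


if __name__ == "__main__":
    print(run(winning_trade))  # commits: lender earns the fee
    print(run(losing_trade))   # reverts: every balance is unchanged
```

In the losing case the lender's balance is identical before and after, which is why no collateral is needed.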

How are Flash Loans Used?

Today, the vast majority of flash loans are used to benefit from arbitrage opportunities — which is the process of exploiting price inefficiencies in markets by buying an asset low on one platform before selling it higher on another. Since this takes place within a single transaction, the profit is guaranteed or the transaction will revert.

Because users can often borrow far more using a flash loan than a traditional one, they can be used to extract profit from even tiny price discrepancies between platforms, making them an incredibly powerful tool for arbitrageurs.

Flash loans are also commonly used for debt refinancing, whereby a user uses a flash loan to pay off a pre-existing loan and takes out a similar loan with a lower interest rate from a different platform. By doing so, the borrower migrates his debt to a platform that charges less interest and ends up in a better position overall.

The Problem of Flash Loan Attacks

Although flash loans have been hailed as an incredible new financial primitive, their novelty has already sent ripples throughout the decentralized finance (DeFi) landscape due to their potential to drain liquidity from flawed protocols.

Over the last two years, there have been well over a dozen well-documented examples where flash loans have been used to extract value from DeFi protocols.

Arguably the most prominent of these was the February 2020 bZx attack, which saw a user extract $350,000 worth of ETH by using a flash loan of 10,000 ETH to cause considerable slippage in the ETH/BTC exchange rate through a series of on-chain trades.

Since bZx relied on Uniswap’s price feeds for its ETH/BTC pricing information, the attacker was able to manipulate this figure by causing significant slippage and closing his large short in profit, before paying down the flash loan and securing his gains.

Despite apparently patching the bug that allowed this to happen, another user performed a similar attack just days later, forcibly manipulating an exchange rate to secure a profit using a series of large orders. This time, the flash loan attacker used a large leveraged long to siphon value from bZx.

Since 2020, flash loan attacks have been increasing in both number and severity. Now, several protocols have suffered losses in the tens to hundreds of millions of dollars as a result of a flash loan exploit. The largest so far occurred back in October 2021, when Cream Finance saw $130 million drained from its coffers in a transaction that cost the attacker approximately 9 ETH in fees.

A full breakdown of the steps executed in the flash loan was revealed in a review by blockchain security firm BlockSec. As that breakdown shows, the loan once again relies on temporarily manipulating the exchange rates provided by an oracle to secure a profit.

Unfortunately, while the person who executed the flash loan can net an incredible profit, it’s often at the expense of the exploited protocol and its investors — who end up bearing the brunt of the damage. Likewise, since most flash loan “attacks” simply rely on exploiting market inefficiencies, bugs, and protocol limitations, they’re generally considered to be operating in a legal grey area — which means the users that are affected by these attacks are likely sorely out of pocket with little to no recourse.

Protecting Yourself Against Flash Loans

As the benefits and risks associated with flash loans become better understood, protocols are increasingly taking steps to minimize or eliminate the risk of flash loan attacks.

One of the most popular defenses against these attacks is the so-called “tamperproof oracle” — essentially an oracle that cannot be manipulated by a single transaction. This can be accomplished by aggregating data from a variety of data sources, while potentially eliminating outliers. This ensures that the protocols that leverage these price feeds can be sure that a sudden mass purchase or liquidation event will not affect their customers.

Some examples of tamper-resistant oracles include Chainlink and API3, both of which aggregate pricing data from multiple sources before serving it to end-users.

Other DeFi protocols are beginning to move to the time-weighted average pricing (TWAP) model to price their assets (e.g. by weighting the value of assets at each block). This would essentially eliminate flash loan attacks, since the attacker only gets one transaction (and hence one block) to complete their actions and so cannot successfully manipulate the price of assets across multiple blocks.
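To see why these defenses matter, compare what a protocol would read from a single pool's spot price, from a TWAP, and from a median across several sources when one oversized swap distorts one pool for one block. This is an added example, not code from the original article or from any of the oracles named; the constant-product `Pool`, the pool sizes, the 12-second block time, and the feed values are all constructed assumptions.

```python
from statistics import median


class Pool:
    """Constant-product pool (x * y = k), fees ignored. Constructed model."""
    def __init__(self, eth, usd):
        self.eth, self.usd = eth, usd

    def spot(self):
        return self.usd / self.eth   # USD per ETH, readable mid-transaction

    def sell_eth(self, amount):
        k = self.eth * self.usd
        self.eth += amount
        self.usd = k / self.eth      # pool pays out USD to keep k constant


def twap(observations):
    """observations: (price, seconds that price was in effect) per block."""
    total = sum(dt for _, dt in observations)
    return sum(p * dt for p, dt in observations) / total


def aggregate(feeds):
    """Median across independent sources discards a single outlier."""
    return median(feeds)


def deviation(observed, reference):
    return abs(observed - reference) / reference


def simulate():
    fair = 2000.0
    pool = Pool(eth=1_000.0, usd=2_000_000.0)
    history = [(pool.spot(), 12)] * 9   # nine quiet 12-second blocks
    pool.sell_eth(1_000.0)              # one oversized swap in one transaction
    spot = pool.spot()
    history.append((spot, 12))          # worst case: distortion lasts a full block
    feeds = [1999.0, 2000.0, 2001.0, 2002.0, spot]  # four other constructed sources
    return {
        "spot": deviation(spot, fair),
        "twap": deviation(twap(history), fair),
        "median": deviation(aggregate(feeds), fair),
    }


if __name__ == "__main__":
    for name, dev in simulate().items():
        print(f"{name:>6}: {dev:.1%} off the fair price")
```

A longer TWAP window shrinks the residual error further, at the cost of a price that lags real market moves.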

From the user perspective, the best way to prevent being exposed to the ill-effects of flash loans is to do one or more of the following:

1) Better understand the structure and dynamics of flash loans by creating their own. This can be achieved by using one of the numerous platforms that now offer flash loans, including dYdX, Aave, and Furucombo.

2) Avoid platforms that may be susceptible. Numerous DeFi protocols can suffer, and have already suffered, flash loan attacks. The most common targets are those that use a single data source for their pricing information.

3) Take out insurance coverage against possible attacks. A wide variety of decentralized insurance providers now offer protection against flash loan attacks and other exploits — this includes popular options like Nexus Mutual, Bridge Mutual, and InsurAce.

As we previously touched on, flash loans are an incredibly new phenomenon, and the flash loan landscape is still evolving rapidly. Because of this, it may take some time until most popular DeFi protocols are hardened against flash loan attacks, and there will likely be further exploits in the near future.

As always, the more educated you are on flash loans and their workings, the better you’ll be able to protect yourself. With that in mind, we recommend familiarizing yourself with this 2021 research paper entitled “Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit” by Imperial College London for a more comprehensive overview of flash loans and their risks.

Want to learn more about blockchain technology and keep informed of the latest Master Ventures news? Consider following us on Twitter and Medium!

About Master Ventures

Master Ventures is a blockchain-focused venture studio helping to build the next generation of blockchain-based Web 3.0 system innovations within the crypto industry. Launched in 2018 by Founder and CEO Kyle Chassé, the company’s ethos can best be summarized in the acronym #BeBOLD: Benevolent, Open, Love, Decentralized.

Master Ventures co-creates with entrepreneurs and businesses worldwide to turn the best ideas into innovative and disruptive products. They do this by investing as strategic partners through offering advisory services to the projects they believe in. To date, Master Ventures has invested in over 40 crypto projects, including the likes of Kraken, Coinbase, Bitfinex, Reef, DAO Maker, Mantra DAO, Thorchain, and Elrond.
