How to Protect Against a Flash Loan Attack
Flash loan attacks are a serious concern for DeFi platforms. While they can affect customers, usually they leave the company behind the platform holding the bag.
Using an auditing company to check smart contracts, employing reentrancy guards, and applying certain timing measures can help protect against a flash loan attack. Read on to learn more about methods and risks associated with flash loan attacks.

What is a Flash Loan Attack?
Before we dive in, let’s recap. A flash loan attack is a particularly annoying and fast type of hack. Basically, the malicious actor leverages a zero-collateral loan executed by a smart contract, and while the loan is executing, they perform malicious actions. These actions can result in them stealing money from the platform, or abusing arbitrage opportunities on connected platforms. Regardless, everything happens quickly, in a single transaction, making it impossible to stop them before it’s too late.
The most famous flash loan attack is the Euler Finance Hack, where the malicious actors were able to take advantage of a smart contract error in which tokens weren’t properly burned to steal millions from the platform.
What Are the Risks of a Flash Loan Attack?
Flash loan attacks are serious, and they often put a cryptocurrency platform out of business. While some lucky platforms, like Euler Finance, survive, most don’t, especially once government entities get involved. Because flash loan attacks are often found to result from improper coding or negligence, any flash loan attack that ends a business in court is unlikely to be ruled in favor of the business.
Even if a platform is able to survive a flash loan attack politically, the costs and losses of such hacks start in the millions of dollars. In fact, the least serious flash loan attack we are aware of (the bZx attack in 2021) resulted in a loss of $1 million.
Not to mention that you will lose customer confidence after a flash loan attack—something which sends many cryptocurrency platforms into the death spiral of no return.
How to Prevent Flash Loan Attacks
Below are several ways a flash loan attack can be prevented. It’s important to recognize that there are many types of flash loan attacks and, therefore, the best solution is to employ several, if not all, of the methods below to ensure your platform is truly protected.
1. Utilize Third Party Auditors
Almost all flash loan attacks occur because of a weakness in code or procedure that has been found by the malicious actor. Typically, because these attacks happen so fast, the malicious actor must map out all of their actions in advance, because once they start the zero-collateral loan, they have to execute with speed.
The best way to protect against this is to have all code reviewed by a third-party auditor prior to launch. Additionally, you should utilize regular checks to ensure updates don’t accidentally cause unforeseen weaknesses in the older code. In our opinion, though this is expensive, it is one of the only sure-fire ways to protect your platform from these attacks.

2. Employ Reentrancy Guards
Of course, even the best audit companies may miss something crucial, so our next advice is to utilize reentrancy guards whenever possible. These guards stop a caller from re-entering the same code or function over and over, meaning that if they do find a bug, they will only be able to execute it once before they are blocked from trying again.
Unfortunately, sometimes all a hacker needs is a single transaction to steal millions. In the case of the Cream Finance Hack, this protection may have saved their platform.
There are many AI mechanisms that are being trained to watch for this type of malicious activity. While we are hesitant to trust AI with something so critical, it is something to keep an eye on for the future.
3. Test All Interoperable Mechanisms
Many flash loan attacks originate from oracles, or other mechanisms that don’t always belong to the platform that is the subject of the attack. When a platform utilizes interoperability with other platforms, it opens itself to weaknesses it can’t always prevent.
As such, developers walk a fine line when it comes to making new platforms. Increased interoperability often means increased usability, but it also increases the danger. Our recommendation is to leverage interoperability with care and ensure that any platform your organization can connect to utilizes the same rigorous standards as you do for your platform.
4. Use More Oracles
Many flash loan attacks target oracles and the price changes they report in order to facilitate trades off platform. While these types of flash loan attacks aren’t as harmful for your platform as the others, they can lead to trader disappointment and government investigations.
The best way to prevent an attack focused on the information oracles report is by doubling up on all oracles. This means that if your platform has a trading function, it receives information from more than one external source. This way, if one of the platforms that feeds prices into yours is attacked, it won’t cause the same massive price fluctuations.
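The "more than one external source" advice above, generalized here to three or more feeds so that a single manipulated feed can be outvoted by taking the median. This is an added example, not code from this article or any platform it names; the `IPriceFeed` interface, the `MedianOracle` contract, and the `MAX_AGE` and `MIN_LIVE` limits are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical feed interface, assumed for this example.
interface IPriceFeed {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

contract MedianOracle {
    IPriceFeed[] public feeds;
    uint256 public constant MAX_AGE = 1 hours; // assumed staleness limit
    uint256 public constant MIN_LIVE = 3;      // assumed quorum of fresh feeds

    constructor(IPriceFeed[] memory sources) {
        require(sources.length >= MIN_LIVE, "need at least 3 feeds");
        for (uint256 i = 0; i < sources.length; i++) feeds.push(sources[i]);
    }

    // Median of all fresh, non-zero reports. One manipulated feed can shift
    // the result only as far as the neighbouring honest reports.
    function price() external view returns (uint256) {
        uint256[] memory sorted = new uint256[](feeds.length);
        uint256 n = 0;
        for (uint256 i = 0; i < feeds.length; i++) {
            (uint256 p, uint256 t) = feeds[i].latestPrice();
            bool stale = block.timestamp > t && block.timestamp - t > MAX_AGE;
            if (p == 0 || stale) continue; // ignore empty or outdated reports
            // Insertion sort keeps sorted[0..n) in ascending order.
            uint256 j = n;
            while (j > 0 && sorted[j - 1] > p) {
                sorted[j] = sorted[j - 1];
                j--;
            }
            sorted[j] = p;
            n++;
        }
        require(n >= MIN_LIVE, "too few live feeds");
        if (n % 2 == 1) return sorted[n / 2];
        return (sorted[n / 2 - 1] + sorted[n / 2]) / 2;
    }
}
```

The feeds need to draw on independent sources; several feeds that read the same liquidity pool move together and add no protection.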
5. Utilize Cybersecurity Practices
The issue is, we tell you all this today, yet everything could change tomorrow, as is the nature of cyberattacks like the flash loan attack. The point is you can’t grow complacent. Any cryptocurrency platform looking to make itself resilient should employ a cybersecurity professional, either for the purposes of regular review or as someone who can continually build the platform to be safer. We know this is expensive, but even a quarterly review by a professional could go a long way.
Overall, flash loan attacks are often the killing blow for cryptocurrency platforms. Before you launch, ensure you undergo a proper audit process and that safeguard measures are installed. You should also consider testing, as well as regular reviews by a professional. While this is a lot, these methods utilized together are some of the only ways to prevent your platform from becoming the victim of a flash loan attack.
