What is a Flash Loan Attack?
Flash loan attacks are unique to the DeFi world, and you should be wary of them, especially if you use decentralized finance to meet your financial needs.
A flash loan attack is when a malicious actor leverages a collateral-free cryptocurrency loan in order to manipulate market prices. While it may sound complicated, this is unfortunately a common exploit. Read on to learn everything you need to know about flash loan attacks.

What is a Flash Loan Attack?
In layman’s terms, a flash loan attack is when a malicious actor takes out a collateral-free loan on a decentralized finance platform for the purpose of affecting market prices and other assets held by the platform. While the effects of this loan are short-lived, it is often enough for the malicious attacker to make a large profit.
How Does a Flash Loan Attack Work?
Before we dive into how these attacks work, it’s important to recognize what a flash loan is. A flash loan is an instant loan given to a user without collateral; however, this loan must also be settled in the same transaction—basically, only loaning the individual the assets for a few moments. While this may sound pointless, it is actually used legitimately to make swaps and consolidate debt. But like everything in life, there is a dark side to these loans, which is where the word “attack” comes in.
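To make the "settled in the same transaction" rule concrete, here is an added example (not part of the original article) that models it in Python rather than contract code. The ledger, the account names, the 0.09% fee and the two borrower callbacks are assumptions made up for the illustration.

```python
class Reverted(Exception):
    """Stands in for a transaction that is rolled back."""

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

FEE_BPS = 9  # constructed fee: 0.09% of the borrowed amount

def flash_loan(ledger, borrower, amount, use_funds):
    """Lend without collateral; undo everything unless repaid before returning."""
    snapshot = dict(ledger.balances)
    fee = amount * FEE_BPS // 10_000
    try:
        ledger.transfer("pool", borrower, amount)        # funds go out
        use_funds(ledger, borrower)                      # borrower's logic runs
        ledger.transfer(borrower, "pool", amount + fee)  # must come back now
    except Reverted:
        ledger.balances = snapshot                       # as if nothing happened
        raise
    return fee

def profitable_swap(ledger, borrower):
    # Constructed stand-in for a legitimate use that nets the borrower 500.
    ledger.transfer("market", borrower, 500)

def walk_away(ledger, borrower):
    # Borrower moves half the loan elsewhere and cannot repay.
    ledger.transfer(borrower, "elsewhere", 50_000)

def run_demo():
    ledger = Ledger({"pool": 1_000_000, "market": 1_000, "alice": 0})
    fee = flash_loan(ledger, "alice", 100_000, profitable_swap)
    after_repaid = dict(ledger.balances)
    try:
        flash_loan(ledger, "alice", 100_000, walk_away)
        reverted = False
    except Reverted:
        reverted = True
    return fee, after_repaid, reverted, dict(ledger.balances)

if __name__ == "__main__":
    print(run_demo())
```

The unpaid loan leaves the ledger exactly as it was, which is why the lender needs no collateral; the risk falls on whatever other contracts the borrowed funds touch before repayment.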
Basically, a flash loan attack starts when the perpetrator opens a loan on a DeFi platform, receives the borrowed funds, and begins using them to take advantage of different aspects of the platform. The attacker may even withdraw or trade before the initial loan transaction is finalized. Once the loan is finalized, the attack is done, and the platform is often missing money or assets.
As you can imagine, much of this is happening so fast that it’s hard to catch individuals while they are perpetrating a flash loan attack.
Can a Flash Loan Attack Happen Anywhere?
As scary as flash loan attacks sound, it’s important to understand that they can’t happen on every platform. Most DeFi platforms are aware of these attacks and have safeguards in place. That being said, attackers who perpetrate these crimes do so because they’ve found a loophole, weakness, or some sneaky way to execute their plan that the platform doesn’t know about.
Types of Flash Loan Attacks
There are multiple types of flash loan attacks, and new ones are being discovered all the time. Below are the four most common types of attacks.
1. Oracle Manipulation
First on our list is also the easiest and most common type of flash loan attack. During this attack, the malicious actor manipulates a platform’s oracles, causing them to report skewed information to other DeFi protocols. Meanwhile, the actor is in place on the other protocol to take advantage of the price fluctuation, making off with their spoils from the other transaction before the initial loan transaction is complete.
As you can imagine, this is the most common and most difficult flash loan attack to protect a platform against.

2. Reentrancy Attacks
These attacks are much rarer, as most DeFi protocols have tests to ensure their systems don’t have this vulnerability. Still, it does happen, especially on new and untested platforms.
This vulnerability is basically a mistake in code that allows multiple calls to a certain function before the previous call has finished. As such, someone can withdraw more than their account balance from their account, as they keep hitting ‘withdraw’ before the system finishes recording that their balance is at zero.
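The ordering mistake described above, shown next to its fix, as an added example that is not from the original article. It is a Python model rather than contract code; the `Vault` class, the `ReenteringReceiver` test double and the deposit amounts are assumptions constructed for the illustration.

```python
class Reverted(Exception):
    """Stands in for a call that reverts."""

class Vault:
    def __init__(self):
        self.balances = {}  # account name -> recorded balance
        self.reserves = 0   # funds the vault actually holds

    def deposit(self, name, amount):
        self.balances[name] = self.balances.get(name, 0) + amount
        self.reserves += amount

    def _send(self, account, amount):
        if amount > self.reserves:
            raise Reverted("vault has insufficient reserves")
        self.reserves -= amount
        account.on_receive(self, amount)  # external call: control leaves the vault

    def withdraw_vulnerable(self, account):
        amount = self.balances.get(account.name, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        self._send(account, amount)        # pays out first...
        self.balances[account.name] = 0    # ...records the zero balance too late

    def withdraw_safe(self, account):
        amount = self.balances.get(account.name, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        self.balances[account.name] = 0    # records the zero balance first
        self._send(account, amount)        # only then hands over control

class ReenteringReceiver:
    """Test double: calls back into the vault while it is being paid."""
    def __init__(self, name, method, max_reentries=2):
        self.name, self.method = name, method
        self.left, self.received = max_reentries, 0

    def on_receive(self, vault, amount):
        self.received += amount
        if self.left > 0:
            self.left -= 1
            try:
                getattr(vault, self.method)(self)
            except Reverted:
                pass  # re-entry refused; the first payment still stands

def run(method):
    vault = Vault()
    vault.deposit("honest", 900)  # constructed sample deposits
    vault.deposit("rx", 100)
    rx = ReenteringReceiver("rx", method)
    getattr(vault, method)(rx)
    return rx.received, vault.reserves
```

With the vulnerable ordering, the receiver that deposited 100 is paid 300; with the balance zeroed before the external call, the nested call finds nothing to withdraw and the payout stays at 100.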
3. Exploiting Governance Mechanisms
This one is the least common on our list and is self-explanatory. Basically, the malicious actor will utilize a flash loan to gain a bunch of governance tokens for a platform, then propose something to a vote while they have the majority voting power. The good news is, this isn’t often possible during the time frame of a flash loan, especially on the larger DeFi platforms, which is why it is the rarest.
4. Liquidity Pool Draining
Liquidity pool draining is the second most common flash loan attack, though it is also one of the more preventable ones. During this type of attack, the malicious actor uses their flash loan to deplete the liquidity pools, withdrawing more than they deposited.
As you can imagine, while this can cause substantial losses, it can also be prevented with protocol and loan limits.
Famous Flash Loan Attacks
As we mentioned, flash loan attacks are sadly quite common, and there have been quite a few since the advent of DeFi. The most famous is the Cream Finance hack in 2021, which drained $130 million from the platform, utilizing oracle manipulation to drain liquidity pools. Unfortunately, the platform went insolvent and was never able to recover.
The largest flash loan attack was none other than the Euler Finance hack, where, in 2023, a user was able to take advantage of the fact that the platform’s token burning mechanism wasn’t working and, as a result, made off with the equivalent of $200 million USD in tokens. However, crazy enough, the perpetrator of this attack actually reached out to return the funds, and the Euler Finance platform was able to bounce back from this devastating hack.
There have been a few other flash loan attacks, such as the PancakeBunny attack and the Harvest Finance attack. While both of these resulted in a loss of millions, they weren’t quite as bad as the attacks listed above.
Now we know we just barely scraped the tip of the iceberg on flash loan attacks in this article, and not to worry, we plan to dive deeper into this topic as the days go on. Unfortunately, flash loan attacks are some of the scariest and most devastating hacks because of the speed with which they occur. So, if you want to learn more, be sure to check back in a few days from now for the next installment!
