Introduction
In the realm of digital currencies, many are eager to reshape the traditional financial system. However, some skeptics in the blockchain space may hold differing views. Nevertheless, there are indeed some compelling infrastructures being gradually established.
The primary goal of decentralized finance (DeFi) is to create a permissionless, decentralized, and transparent financial ecosystem. Digital currencies have proven that this goal is achievable. Every day, systems like Bitcoin play a significant role in global value transfer.
Today, a new wave of DeFi technologies is emerging. Users can apply for cryptocurrency-based loans, trade digital assets in a trustless manner, and store wealth in tokens with price stability similar to fiat currencies.
Next, we will explore a unique form of lending—flash loans. You will see that this is a distinctive new highlight in the evolving DeFi landscape.
How Traditional Loans Work
Most people are familiar with how traditional term loans function. Nevertheless, this article will provide a brief overview for comparison purposes.
Unsecured Loans
Unsecured loans are loans that do not require any collateral. In other words, the lender has no asset of yours to claim if you fail to repay. For example, suppose you want to buy a gold chain worth $3,000, but you don’t have enough cash on hand and will only receive your paycheck next week.
At this point, you approach your friend Bob, explaining your urgent need for the gold chain and how it could increase your trading profits by at least 20%. After hearing your explanation, Bob agrees to lend you $3,000, but only on the condition that you repay him immediately once your salary arrives.
Since he is your good friend, Bob does not charge you any fees for this loan. However, not everyone would be so lenient. While Bob trusts you to repay on time, those unfamiliar with you would have no way to assess your reliability.
Before granting unsecured loans, financial institutions typically conduct credit assessments. They review your credit history (credit score) to evaluate your repayment ability. If they find that you have consistently repaid multiple loans on time in the past, they may consider you reliable enough to lend you the money.
At this point, the financial institution would disburse the loan to you, often with various terms attached, such as charging interest. In exchange for quick access to the funds, you must repay both the principal and the interest in the future.
Credit card users are quite familiar with this transaction model. If payments are not made on time, corresponding interest accrues until the total amount (including other fees) is repaid.
Secured Loans
Sometimes, even a good credit score is not sufficient to secure a large loan. Even if you have repaid all your loans on time for decades, you may still encounter difficulties borrowing money. In such cases, providing collateral is usually required when applying for a loan.
If you request a large loan from someone, they take on considerable risk by accepting your request. To mitigate their risk, lenders typically require borrowers to provide collateral. The borrower must offer an asset (such as jewelry, real estate, etc.), which the lender can claim if the borrower fails to repay on time. The idea is that the lender can recoup some losses through the collateral. In short, this is what a secured loan entails.
Suppose you want to buy a car worth $50,000. While Bob trusts you, he is unwilling to lend you the money unsecured and instead asks you to provide some collateral—like your collection of jewelry. If you are unable to repay the loan, Bob can take back your collectibles and sell them.
Flash Loan Attacks
The field of digital currencies and its derivative, decentralized finance (DeFi), remains highly experimental. Given the vast sums of money involved, it seems inevitable that vulnerabilities will emerge. Within the Ethereum network, we have witnessed events such as the DAO hack in 2017 and numerous protocols falling victim to 51% attacks.
In 2020, attackers profited nearly $1 million through two high-profile flash loan attacks, both following a similar pattern.
First Flash Loan Attack
In the first instance, the borrower applied for a flash loan of Ether on dYdX, a decentralized lending application. They subsequently divided this loan into several parts, transferring them to two other lending platforms: Compound and Fulcrum.
On Fulcrum (built on the bZx protocol), the attacker utilized part of the loan to short sell Ether and exchanged it for Wrapped Bitcoin (WBTC), which meant that Fulcrum needed to purchase WBTC. This information was then relayed to another DeFi protocol—Kyber—and an order was executed on Uniswap, a prominent decentralized exchange based on Ethereum. However, due to low liquidity on Uniswap, the price of WBTC surged significantly, causing Fulcrum to pay a higher price for the purchase.
Meanwhile, the attacker used the remaining dYdX loan to secure another WBTC loan from Compound. As the price skyrocketed, the borrowed WBTC successfully doubled in value on the Uniswap platform, yielding substantial profits. Finally, they repaid the dYdX loan and pocketed the remaining Ether.
This operation may seem complex and daunting, even difficult to understand. However, the key point is that the attacker exploited five different DeFi protocols to manipulate the market. Shockingly, all of this was accomplished within the time required to confirm the initial flash loan.
So, where did the problem lie? The answer is in the bZx protocol used by Fulcrum. The attacker manipulated the market, causing WBTC to be overvalued at that moment.
Second Flash Loan Attack
It was a particularly unfortunate week for bZx. Just days later, it faced another attack. The attacker obtained a flash loan and converted part of it into a stablecoin (sUSD). Stablecoins are typically pegged to the value of fiat currencies, which is why they contain "USD" in their name.
While smart contracts may sound intelligent, they are not infallible. They do not know the true price of stablecoins. Therefore, when the attacker purchased a large amount of sUSD using the borrowed Ether, the price of sUSD in Kyber doubled.
bZx mistakenly assumed that the value of sUSD was $2 instead of $1. Subsequently, the attacker secured a loan of Ether from bZx that exceeded the platform's usual limits, as their $1 tokens effectively had $2 purchasing power. Ultimately, the attacker successfully repaid the initial flash loan and pocketed all remaining funds.
What Are the Risks of Flash Loans?
Regardless of the legality of their actions, this unique form of attack showcases the ingenuity of attackers. Looking back at their methods, the principles are not overly complex. bZx should have utilized different price oracles to obtain data. However, the cost of such fraud is remarkably low—attackers do not need to make significant investments, nor are there economic deterrents to prevent them from carrying out their attacks.
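The point about price oracles can be seen in a small simulation, added here as an illustration and not taken from bZx or any protocol named above. It assumes a fee-free constant-product pool with USD-denominated reserves; the feed names, thresholds, and all numbers are constructed.

```python
from statistics import median

def spot_price(reserve_usd, reserve_token):
    """USD per token quoted by a constant-product (x*y=k) pool."""
    return reserve_usd / reserve_token

def pool_after_buy(reserve_usd, reserve_token, usd_in):
    """Reserves after someone swaps usd_in for tokens (fees ignored)."""
    k = reserve_usd * reserve_token
    new_usd = reserve_usd + usd_in
    return new_usd, k / new_usd

def borrow_limit(collateral_tokens, price, collateral_factor=0.75):
    """USD value a lender will release against token collateral."""
    return collateral_tokens * price * collateral_factor

def checked_price(feeds, max_deviation=0.10):
    """Median of independent feeds; refuse to price when any feed
    disagrees with the median by more than max_deviation."""
    mid = median(feeds.values())
    bad = sorted(n for n, p in feeds.items() if abs(p - mid) / mid > max_deviation)
    if bad:
        raise ValueError(f"price feeds disagree, refusing to lend: {bad}")
    return mid

# Constructed numbers: a thin pool holding 500,000 USD against 500,000 tokens.
POOL = (500_000.0, 500_000.0)
LARGE_BUY = 207_107.0  # roughly the size of buy that doubles this pool's quote

def scenario():
    before = spot_price(*POOL)
    after = spot_price(*pool_after_buy(*POOL, LARGE_BUY))
    # Lender that trusts the single thin pool: the limit doubles with the quote.
    naive = borrow_limit(100_000, after)
    # Lender that cross-checks hypothetical independent feeds before pricing.
    feeds = {"thin_pool": after, "feed_b": 1.00, "feed_c": 1.01}
    try:
        guarded = borrow_limit(100_000, checked_price(feeds))
    except ValueError:
        guarded = 0.0  # loan refused while the feeds disagree
    return before, after, naive, guarded

if __name__ == "__main__":
    print(scenario())
```

A median with a deviation check is only one possible safeguard; time-averaged prices and limits on how much a single transaction can move the reference price address the same weakness.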
Before the advent of flash loans, individuals or groups attempting to manipulate the market needed to hold substantial amounts of digital currencies. Now, anyone can become a whale in seconds. As mentioned earlier, attackers can seize hundreds of thousands of dollars worth of Ether in mere moments.
On the positive side, other participants can learn valuable lessons from these two attacks. However, is it possible for others to successfully replicate these attacks? Given that these methods are now widely known, this possibility cannot be ruled out. The second attack demonstrated that oracles still have many vulnerabilities, and addressing these gaps will require considerable effort.
Overall, the issue does not lie with flash loans themselves. Specifically, the problem arises from vulnerabilities within other protocols, with flash loans merely providing the funding for such attacks. In the future, this form of DeFi lending may yield many interesting instances, especially given the relatively low risks involved for both parties in the loan.
Conclusion
As an emerging phenomenon in the DeFi space, flash loans have made a significant impression. This form of unsecured lending, enforced solely by code, opens up limitless possibilities for the new financial system. While current use cases are still relatively limited, flash loans undoubtedly lay a solid foundation for innovation in decentralized finance.