
Danger in the DeFi sector: Flash-Loan attacks and the problem with price oracles

Flash-Loan attacks on Decentralized Finance (DeFi) protocols have increased dramatically in recent weeks – How do these attacks work and what can DeFi projects do to protect themselves?

In most cases, DeFi protocol attackers use Flash Loans to manipulate price oracles. This makes it possible to exploit arbitrage to extract money from the protocols.

Only recently, the Cheese Bank was robbed of $3.3 million, prompting a major outcry in the community. Only a few weeks before, the DeFi project Harvest Finance fell victim to a flash loan attack. In total, the DeFi project lost the equivalent of almost 24 million US dollars.

Often the developers of DeFi projects only use a price oracle as a reference rate for their protocols. This means that attackers only have to manipulate a single price oracle to influence prices – but how exactly does that work?

What are Flash Loans?
Flash Loans are a new form of borrowing in which a user can borrow a large amount of money without providing any collateral. This allows the user to take on leverage without putting their own capital at risk. The only condition is that the borrowed amount must be repaid within the same transaction.

In the long term, flash loans are a proven means of making markets even more efficient. Currently, however, they may well pose a threat to DeFi protocols, as attackers using Flash Loans can mercilessly exploit errors or carelessness in DeFi protocols.

Why do DeFi projects become victims of Flash Loan attacks?
Flash Loans exploit arbitrage opportunities, which in itself is not a bad thing. In principle, it would be possible for anyone with sufficient capital to carry out such an attack without using a Flash Loan. But with the invention of Flash Loans, anyone can become a whale for a few seconds.

Since some DeFi projects have very low liquidity or rely on a single price oracle, it is possible to manipulate prices in order to exploit arbitrage opportunities.

In most cases, then, the flash loans are not the real culprits; the weak points in the smart contracts of the DeFi protocols are. If the smart contracts were programmed more robustly, Flash Loan attacks would not be possible.

Flash-Loan attacks on price oracle
In most cases, attackers use Flash Loans to manipulate price oracles. Price oracles deliver price data to DeFi protocols: they are third-party services that allow smart contracts to obtain external quote data from outside their own ecosystem.

Essentially, in an attack on a price oracle, attackers create artificial arbitrage opportunities by borrowing, exchanging, depositing and re-issuing a large number of tokens at lightning speed.

Figure (Chainlink): Sequence of a Flash-Loan attack
Even though Flash Loans can be considered a dangerous tool in this context, the attacks would not be possible without an additional component. Indeed, many DeFi protocols obtain their quote data from centralised pricing oracles, which are easy victims of such attacks.

If the DeFi projects were to use decentralised oracle solutions, the risk of a Flash Loan attack could be drastically reduced. Decentralised price oracles, such as Chainlink, are comparatively difficult to manipulate. However, due to the increase in Flash-Loan attacks in recent weeks, it is likely that more and more DeFi projects will use decentralised pricing oracle solutions, otherwise they will not be competitive.
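To make the two points above concrete (why a protocol that reads a single thin-liquidity pool as its price oracle is exposed, and why aggregating several independent sources blunts the manipulation), here is an added simulation that is not part of the original article or of any project it names. The pool reserves, the flash-loan size and the 5% outlier threshold are constructed values.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class ConstantProductPool:
    """Toy x*y=k liquidity pool with no fees (constructed example)."""
    reserve_a: float  # reserve of token A
    reserve_b: float  # reserve of token B

    def spot_price(self) -> float:
        # Price of 1 A in units of B: exactly what a naive on-chain oracle reads.
        return self.reserve_b / self.reserve_a

    def swap_a_for_b(self, amount_a: float) -> float:
        # Constant-product swap: reserves move along x*y=k; returns B paid out.
        k = self.reserve_a * self.reserve_b
        new_a = self.reserve_a + amount_a
        new_b = k / new_a
        out_b = self.reserve_b - new_b
        self.reserve_a, self.reserve_b = new_a, new_b
        return out_b


def spot_price_during_attack(pool_a: float, pool_b: float, flash_loan_a: float):
    """Spot price before and after a flash-loan-sized dump into a thin pool.

    The dump and the protocol's price read happen inside one transaction,
    so a protocol using this pool as its only oracle sees the 'after' value."""
    pool = ConstantProductPool(pool_a, pool_b)
    before = pool.spot_price()
    pool.swap_a_for_b(flash_loan_a)
    return before, pool.spot_price()


def aggregated_price(readings: list, max_spread: float = 0.05) -> float:
    """Decentralised-oracle style aggregation: median of independent sources,
    discarding any reading further than max_spread (assumed 5%) from it."""
    mid = median(readings)
    kept = [p for p in readings if abs(p - mid) / mid <= max_spread]
    return median(kept)


if __name__ == "__main__":
    before, after = spot_price_during_attack(1_000, 1_000, 10_000)
    print(f"thin pool: {before:.4f} -> {after:.4f} ({after / before - 1:.1%})")
    # Three honest sources plus the manipulated pool: the median drops the outlier.
    print("aggregated:", aggregated_price([1.00, 1.01, 0.99, after]))
```

The single-pool price collapses by roughly 99% within the transaction, while the aggregated price is unchanged, which is the difference between the two oracle designs the article contrasts.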