Flash loan attacks are no flash in the pan. They’re in fact becoming a very serious problem in the cryptocurrency and specifically decentralized finance (DeFi) space.
In this article we’ll take a look at what they are, how they work, and how to profit from them if you are not the attacker.
What Is a Flash Loan Attack?
Flash loan attacks are a type of DeFi attack where a cyberthief takes out a flash loan (a form of uncollateralized lending) from a lending protocol and uses it in conjunction with various types of gimmickry to manipulate the market in their favor. Such attacks can occur in mere seconds and yet still involve four or more DeFi protocols.
Flash loan attacks are the most common type of DeFi attack since they are the cheapest to pull off and easiest to get away with. They have been consistently making headlines since DeFi’s surge in popularity in 2020 and appear to be growing more rampant in 2021, spanning several hundred million dollars in losses to date.
How Flash Loan Attacks Work
Flash loans allow a user to borrow as much as they want with zero capital. For instance, if you’d like to borrow $70,000 worth of ETH, a lending protocol instantly gives it to you, but that doesn’t mean it’s yours. You need to do something with the borrowed funds in order to pay back the loan and perhaps pocket the excess amount.
For this to work, the process needs to happen fast and the debt must be repaid to the protocol in time; otherwise the transaction is reverted. A decentralized lender doesn’t require collateral from you since the agreement to pay your debt is enforced by the blockchain itself. Flash loan attackers thrive on finding ways to manipulate the market while still abiding by a blockchain’s rules.
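The borrow-and-repay-or-revert rule described above, as a toy model added here for illustration (it is not code from any lending protocol). The ledger, the account names, the 9 basis point fee and the three strategy functions are all assumptions. It shows why a failed attempt leaves every balance untouched, which is what makes these attacks cheap to try.

```python
class Revert(Exception):
    """Aborts the current transaction."""

class Chain:
    """Toy ledger in which a transaction is all-or-nothing."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx; on Revert restore the pre-transaction balances."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

FEE_BPS = 9  # assumed lender fee in basis points; the article names none

def flash_loan(chain, borrower, amount, strategy):
    """Lend with no collateral, run the borrower's code, then check repayment."""
    before = chain.balances["pool"]
    owed = amount + amount * FEE_BPS // 10_000
    chain.transfer("pool", borrower, amount)
    strategy(chain, borrower, owed)           # borrower must repay in here
    if chain.balances["pool"] < before + (owed - amount):
        raise Revert("flash loan not repaid")

def gains_500(chain, who, owed):              # constructed: trade that nets 500
    chain.transfer("market", who, 500)
    chain.transfer(who, "pool", owed)

def loses_1000(chain, who, owed):             # constructed: trade that loses 1000
    chain.transfer(who, "market", 1_000)
    chain.transfer(who, "pool", owed)         # short of funds, so this reverts

def keeps_funds(chain, who, owed):            # constructed: never repays
    pass

def run(strategy):
    chain = Chain({"pool": 1_000_000, "borrower": 0, "market": 50_000})
    ok = chain.execute(lambda c: flash_loan(c, "borrower", 70_000, strategy))
    return ok, chain.balances
```

Only `gains_500` commits; the other two runs end with the pool, the borrower and the market exactly where they started.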
Let’s explore two real-world scenarios of flash loan attacks that transpired in order to better illustrate the anatomy of these exploits.
Let’s revisit that bunny and its fatal attraction for hackers. The most recent flash loan attack as of May 2021 occurred at PancakeBunny, a BSC-powered yield farming aggregator, which suffered an exploit that caused its token to plummet by more than 95% of its previous value.
The attacker initially borrowed a large amount of BNB through PancakeSwap and used it to manipulate the price of USDT/BNB and BUNNY/BNB in PancakeBunny’s pools. This allowed the hacker to steal a large amount of BUNNY, which they dumped on the market, causing the price to crash. The hacker then paid back the debt via PancakeSwap.
Data suggests that the hacker was able to get away with nearly $3 million in profits, leaving a tarnished protocol in its wake.
Alpha Homora Exploit
The largest flash loan hack in 2021 occurred last February when the Alpha Homora protocol was drained of $37 million using Iron Bank, Cream’s lending platform. The leveraged yield farming protocol was hit with a series of flash loans.
The hacker repeatedly borrowed sUSD from Iron Bank via the Alpha Homora dapp, doubling the amount borrowed each time. This was done in a two-transaction process where the hacker lent the funds back into Iron Bank each time, which allowed them to receive Yearn Synth sUSD (cySUSD) in return.
Then, the perpetrator borrowed 1.8 million USD Coin (USDC) from Aave via a flash loan and swapped it for sUSD using Curve. The sUSD was used to pay back the flash loan and to lend to Iron Bank, which enabled them to continuously borrow and lend more of it and receive a proportional amount of cySUSD each time.
Basically, the hackers rinsed and repeated this process many times, which allowed them to steal massive amounts of Creamy cyUSD that they in turn used to borrow other cryptocurrencies from Iron Bank. Hence, they borrowed 13K Wrapped Ethereum (WETH), 3.6 million USDC, 5.6 million USDT, and 4.2 million DAI.
As you can see, the process can be quite complex and requires a series of steps that need to happen very fast, which is a testament to how far these attackers are willing to go.
How To Take Profit If You Are Not The Attacker
Once the attack is carried out, the price of the attacked token can decrease by approximately 90%.
This makes the token attractive to the rest of the DeFi users, since it represents a great chance of obtaining huge profits when the price of the token begins to increase.
In recent days, many people have started to be on the lookout for this type of attack, to take advantage of the opportunity to buy an extremely valuable token for an extremely low price.
This is where we come in. Our tool offers an alert service (in our iOS & Android App) and the possibility of executing a purchase order if a token on the user’s watchlist suffers an attack, just by holding our tokens.