Learn what Flash Loans are: a powerful utility of DeFi protocols that lets you take out unsecured loans to leverage your positions for arbitrage, trading and other financial operations within the huge DeFi ecosystem.
The arrival of DeFi, or decentralized finance, protocols has brought enormous flexibility in access to credit for people who participate in the crypto world.
We can see proof of this flexibility in flash loans or (ultra) fast loans. Thanks to this, DeFi users can access cryptocurrency loans very quickly and without the need to provide collateral for it. Yes, you read correctly, a crypto loan without guarantees, and all this thanks to its way of working.
What is a Flash Loan?
A flash loan is nothing more than a programmed loan on a DeFi protocol, capable of providing funds to users without them needing to put up a guarantee (neither in cryptocurrencies nor of any other kind) for the funds lent to them. The DeFi protocol gives the user access to some funds so that they can use them and return them to the protocol in the same operation, including the corresponding commissions.
On a blockchain this is possible because a transaction can be programmed so that it borrows funds, moves them through the smart contracts of other protocols, carries out the relevant exchange operations and, at the end of that same transaction, returns the loan money and its commissions to the initial protocol while the user walks away with his earnings.
The important thing to note is that everything is done in a single operation, instantly, and all of it is recorded in the same block of the blockchain.
This idea arose thanks to the AAVE project, which designed this function to allow its users to access the liquidity of the protocol to carry out quick operations. In this way, the use of these fast operations is encouraged, which basically allowed them to do two things:
- Maintain liquidity in their protocol for its regular operations (loans and exchanges).
- Allow a new model of fast loans, which does not affect the real liquidity of their DeFi protocol.
How does a Flash Loan work?
Now, how is it possible for AAVE to achieve both points with flash loans? The first one is easy to understand.
Every time a liquidity provider (LP) deposits tokens into the AAVE protocol, the pool it participates in gains liquidity (for example, by adding ETH/USDT to AAVE). When the LP performs that operation, we can see a transaction that adds both tokens to the AAVE pool earmarked for that pair of tokens. Those tokens are now under the control of the AAVE smart contract and are managed autonomously by the pool. Thus the first point is fulfilled, and that much is clear.
For the second point, however, the developers apply a little trick. On a blockchain there is a special point in the process of creating and confirming a transaction: the confirmation time within the network. At that moment the transaction is in an "inconsistent" state, in which the operation appears to have been performed (it has been created and broadcast to the network) and, at the same time, is not confirmed (consensus has not been reached on whether the transaction is correct and, therefore, it has not been included in any block yet). In other words, the network nodes see the transaction, and can even report the account balances of the origin and destination wallets, even though there is no confirmation.
This is not uncommon. If you have ever carried out an operation with BTC, you will surely have made a transaction and seen the balance reflected in your wallet, even though some wallets do not let you spend that money until it is confirmed by the network. It is money that "is" and, at the same time, "is not"; you just have to wait for it to be confirmed, and this happens in all blockchain networks. It is precisely in this state that the "trap" that makes flash loans possible begins.
Execution of the Flash Loan
During a flash loan, the DeFi protocol that makes the loan allows the money to "go out" into the hands of the borrower, who will use these funds for a series of operations with which he seeks to obtain some benefit.
Generally, the borrower uses that money to carry out exchanges in other protocols that in the end will allow him to obtain the desired benefits, recover the loan money and pay the necessary commissions for the entire set of operations carried out. All this happens in a single transaction, taking advantage of the short window provided by the confirmation time and the "inconsistent" state, in which the protocols involved "see the money flow" to their respective pools. In the end, when the transaction is included in a block and its computation begins, all of the transaction's programming is read and executed, whereupon the following happens:
- The flash loan is created and the borrower has the tokens, which come from the protocol pools.
- The intermediate operations requested by the borrower are executed, commissions are paid, and the loan money and the profits obtained are recovered.
- Finally, the loan is repaid and commissions are paid, while the user withdraws the earnings to his personal address.
In this way, the flash loan achieves its mission: to lend you money that is never under your absolute control, but that is used by other protocols to guarantee your operations because, as far as blockchain is concerned, you have the funds and the transaction proves it. The idea of flash loans is very similar to the credit guarantees of traditional finance, since the money is not really in your hands but in those of a third party (the DeFi protocol).
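The three steps above can be modelled as a single all-or-nothing operation. The following Python sketch is an added example, not code from AAVE or any other protocol; `Ledger`, `flash_loan`, the `FEE_BPS` value and the account names are assumptions made for illustration. It shows the check a lending pool relies on: if the loan plus fee is not back in the pool when the borrower's operations finish, every balance change is rolled back.

```python
"""Toy model of a flash loan's repay-or-revert rule (illustrative only)."""

class Reverted(Exception):
    """Signals that the whole transaction must be rolled back."""

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} cannot send {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

FEE_BPS = 9  # assumed fee of 0.09%, expressed in basis points

def flash_loan(ledger, pool, borrower, amount, callback):
    """Lend, run the borrower's operations, then require loan + fee back."""
    snapshot = dict(ledger.balances)        # state before the transaction
    pool_before = ledger.balances[pool]
    fee = amount * FEE_BPS // 10_000
    try:
        ledger.transfer(pool, borrower, amount)             # step 1: lend
        callback(ledger, borrower, amount, amount + fee)    # step 2: operate
        if ledger.balances[pool] < pool_before + fee:       # step 3: check
            raise Reverted("loan plus fee not returned")
        return True
    except Reverted:
        ledger.balances = snapshot          # nothing in the transaction persists
        return False

def profitable(ledger, borrower, amount, owed):
    # Constructed stand-in for the intermediate trades: borrower nets 500.
    ledger.transfer("market", borrower, 500)
    ledger.transfer(borrower, "pool", owed)

def keeps_funds(ledger, borrower, amount, owed):
    # Borrower moves the loan away and never repays the pool.
    ledger.transfer(borrower, "elsewhere", amount)

if __name__ == "__main__":
    # Constructed sample balances.
    ledger = Ledger({"pool": 1_000_000, "market": 10_000, "borrower": 0})
    print(flash_loan(ledger, "pool", "borrower", 100_000, profitable), ledger.balances)
    print(flash_loan(ledger, "pool", "borrower", 100_000, keeps_funds), ledger.balances)
```

The second call leaves the balances exactly as they were after the first, which is why the pool can lend without collateral.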
However, despite the enormous utility that this tool offers, DeFi protocols face a huge problem: the Flash Loan Attack, an attack by which a malicious actor is able to manipulate the loan granted to keep a huge amount of money.
How does a Flash Loan Attack work?
Now, DeFi protocols are not infallible, since complex smart contracts are involved in all of this and may contain flaws. Although blockchain technology is very secure, smart contracts are no exception when it comes to bugs: ultimately they are pieces of software and as such have imperfections that can be more or less obvious. Attackers take advantage of this to carry out a Flash Loan Attack on these protocols.
Generally, Flash Loan Attacks exploit vulnerabilities detected in a protocol, using the loan capital to steal large amounts of money from the attacked protocol.
For example, an attacker can go to AAVE to request a flash loan and use it to attack a protocol such as Balancer. This is possible because our attacker has detected a vulnerability in the system that calculates Balancer pool rewards, and with that knowledge the hacker can use that weakness to make huge profits. Thus, the hacker asks for the flash loan, performs the operations to exploit the flaw in Balancer, repays AAVE and walks away with the profits that he surreptitiously stole from Balancer. The result? Our hacker takes his profit, AAVE gets its money and commission back, but Balancer and its LPs take a hit to their cash flow.
However, Flash Loan Attacks can use several attack vectors, since these depend on the programming of the attacked protocol. This requires enormous technical knowledge on the part of the attacker: not just knowledge of programming smart contracts, but also knowledge of the blockchain platform on which those smart contracts run. Because of this, Flash Loan Attacks are quite complex to carry out, but the same goes for preventing them, so developers are constantly auditing and improving contracts to avoid these problems.
Known Big Flash Loan Attacks
Some of the biggest known attacks are as follows:
- Poly Network: the attack was carried out in August 2021 and the attacker managed to steal 611 million dollars from the pool. The vector used was a flash loan attack that took advantage of a flaw in the Ethereum-BSC-Polygon cross-chain proxy, through which the aforementioned amount was stolen.
- Cream Finance, October 2021, an attacker performed a flash loan attack to exploit a vulnerability in a function that controlled the token pricing system assigned to the platform's flash loan subsystem. Result? The loss of 140 million dollars.
- PancakeBunny: In May 2021, a bug in the BUNNY token price calculations was exploited and as a result the attacker managed to make $45 million.
- Alpha Finance: The attack was carried out in February 2021. To do this, the attacker requested a flash loan in AAVE and, knowing of a vulnerability in the pool rounding system and a development pool (sUSD), used both flaws to manipulate prices within Alpha Finance and seize $37.5 million.
In any case, these are just some of the biggest and best-known attacks. There are many more in the DeFi world, and a recommended place to keep abreast of them is Rekt. Always remember that DeFi is a world of opportunities, but there are risks: keep them in mind, learn, and plan your strategies to protect yourself from them.