Flash loan attacks: how can platforms protect themselves?

DeFi Farmer Prof. Um
5 min read · May 21, 2021

Hi there students,

The last couple of weeks have been hectic for BSC users, with various attacks popping up here and there. Off the top of my head I can think of Bearn, Venus protocol and PancakeBunny as examples. One interesting thing to note is that in most of these cases, a flash loan was used to manipulate the price of a token in one way or another, in order to fool a smart contract’s valuation of one’s position. So it seems that flash loans are almost essential for those attackers. But what are flash loans? Why do they exist if attackers need them? What could platforms do to protect themselves against them? Let’s dive deep into the concept of flash loans and think about how to improve it!

1. What are flash loans?

A flash loan’s concept is really simple: the lending platform (PancakeSwap or Cream for example) lends you tokens without any collateral, as long as you pay it back in the same transaction. What does “same transaction” mean? It means that you need to have a smart contract that:

  • borrows money from the platform,
  • does whatever you want,
  • pays back the loan (+fees).

If you do not pay back the loan, the whole transaction is simply reverted, as if it never happened. So basically the lender has 0 risk, and you risk the gas fees. Remember, all of this happens on the blockchain; there is no way to cheat the system.
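The borrow, act, repay-or-revert sequence described above can be modelled off-chain in a few lines. This is an added example, not code from any lending platform; the fee rate, class and borrower functions are assumptions made for illustration.

```python
# Added example: off-chain model of flash-loan atomicity, not a real contract.
from decimal import Decimal

class LendingPool:
    def __init__(self, reserves, fee_rate="0.0009"):  # fee rate is an assumed value
        self.reserves = Decimal(reserves)
        self.fee_rate = Decimal(fee_rate)

    def flash_loan(self, amount, borrower):
        """Lend `amount` with no collateral; return True only if the borrower
        repays principal + fee, otherwise restore the prior state."""
        amount = Decimal(amount)
        if amount > self.reserves:
            return False                              # nothing lent, nothing changes
        snapshot = self.reserves                      # state before the "transaction"
        owed = amount + amount * self.fee_rate
        self.reserves -= amount                       # 1. borrow
        try:
            repaid = Decimal(borrower(amount, owed))  # 2. borrower does whatever it wants
            if repaid < owed:                         # 3. loan + fee must come back
                raise RuntimeError("loan not repaid")
            self.reserves += repaid
            return True
        except Exception:
            self.reserves = snapshot                  # revert: as if it never happened
            return False

def repays_in_full(amount, owed):   # hypothetical borrower that ends with enough funds
    return owed

def keeps_the_fee(amount, owed):    # hypothetical borrower that returns the principal only
    return amount

def demo():
    pool = LendingPool(1000)        # constructed starting reserves
    ok = pool.flash_loan(500, repays_in_full)
    after_ok = pool.reserves
    bad = pool.flash_loan(500, keeps_the_fee)
    return ok, after_ok, bad, pool.reserves
```

The lender's reserves only ever grow by the fee or stay unchanged, which is why the lender carries no credit risk in this model.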

2. How are they used by people?

They have a multitude of “good uses”, like arbitrage or liquidations, but let’s focus here on arbitrage to give you a better idea of the usage.

Let’s say you are a BSC user. And you identified that the BNB price on PancakeSwap was 350 BUSD, whereas it’s 400 BUSD on BakerySwap. So you could use your own money to buy BNB on PancakeSwap and sell it on BakerySwap. But you only have 1 BNB (don’t we all?), so despite the fact that you identified a wonderful arbitrage opportunity, you can only earn 50 BUSD.

Now let’s say Cream Finance can lend you 350m BUSD. You would be able to buy 1m BNB and sell them on BakerySwap, for a gain of 50m BUSD, as long as your smart contract pays back the debt at the end of the transaction (which is easy when you have a big price difference). If you are thinking that it’s ridiculous that the platform would lend you 350m BUSD like this, let me tell you that on the 19th of May, an attacker borrowed $700m USD worth of BNB on PancakeSwap to attack PancakeBunny (see here: https://profum.medium.com/pancake-bunny-flash-loan-attack-bunny-loses-95-of-value-db6e8104183). So yes, you can borrow huge amounts.

And even though from my example you can only see benefits for the user, arbitrageurs are actually necessary for the market. Without people arbitraging, each exchange would have huge price discrepancies, which would make the trade market inefficient. Arbitrageurs are a major and important group of traders, essential for market efficiency.

3. How are flash loans used for attacks?

Attackers use the same logic as above, but they exploit the fact that they can borrow huge amounts at any time. Arbitrage is when you take advantage of a price difference on the market. But with enough cash to throw, you can make your own difference: you can manipulate the market price.

So for example they could borrow tons of money to buy a lot of a token to make the price go up, and use this spike in the price to arbitrage and earn money. There are several ways to manipulate a price to earn profit, but for a real-life example I suggest you read my article on the PancakeBunny attack.

4. How can platforms protect themselves against such attacks?

The issue with flash loans is that any token’s price can be manipulated with enough capital. In PancakeBunny’s case, it was USDT, which is supposed to be a stablecoin. In order to efficiently protect platforms and user capital against such attacks, we can think of 2 main action plans:

a. Restrict the access to flash loans:

Right now, the issue is that anyone can take flash loans. Obviously, this is the point of decentralized finance, right? However, we are starting to hear more and more feedback that huge tools such as flash loans should be restricted. There are several ways to restrict access to flash loans:

  • A platform could for example request collateral to use flash loans,
  • or even make a whitelist of approved users that can take flash loans (the list would of course be voted through governance, like the validators for BSC).

b. Increase the security of the platforms.

We have seen cases like Alpaca Finance (disclaimer: I own Alpaca tokens and am biased, but this is not financial advice), where they have an Oracle Guard. The Oracle Guard disables the functions to withdraw or add liquidity to their pools in case of big price spikes between exchanges, and turns off the liquidation function. This way, their users are protected against the price volatility that usually happens during those attacks. This should be a good-practice example that other platforms should replicate. More details on the Oracle Guard here.

  • To add further on Alpaca Finance: The platform is a leveraged DeFi platform, where users can farm in various pools with leverage. I believe this would be the long term model for leverage in the DeFi sector: by integrating the pool AND the debt in the same platform, Alpaca has basically separated itself from the rest of the lenders. This allows Alpaca to control the flow of their debt and protect their users accordingly.
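The guard behaviour described in section 4b, modelled off-chain as an added example. This is not Alpaca Finance's code: the 10% threshold, the action names and the pool sizes are assumptions, and the pools use constant-product pricing (x * y = k) as found on Uniswap-v2-style exchanges.

```python
# Added example: price-deviation guard across exchanges (constructed values throughout).
from decimal import Decimal

class Pool:
    """Constant-product pool holding `token` and `quote` reserves."""
    def __init__(self, token, quote):
        self.token, self.quote = Decimal(token), Decimal(quote)

    def price(self):
        return self.quote / self.token            # spot price of token in quote units

    def buy_token(self, quote_in):
        k = self.token * self.quote               # invariant before the trade
        self.quote += Decimal(quote_in)
        bought = self.token - k / self.quote
        self.token -= bought
        return bought

class OracleGuard:
    MAX_DEVIATION = Decimal("0.10")               # assumed threshold: 10% between exchanges
    GUARDED = {"add_liquidity", "withdraw_liquidity", "liquidate"}

    def __init__(self, pools):
        self.pools = pools

    def deviation(self):
        prices = [p.price() for p in self.pools]
        return (max(prices) - min(prices)) / min(prices)

    def allowed(self, action):
        # Unguarded actions always pass; guarded ones need the exchanges to agree.
        return action not in self.GUARDED or self.deviation() <= self.MAX_DEVIATION

def demo():
    a, b = Pool(1000, 350000), Pool(1000, 350000)  # both exchanges quote 350
    guard = OracleGuard([a, b])
    before = guard.allowed("liquidate")
    a.buy_token(350000)                            # one very large buy on exchange A
    return before, a.price(), guard.deviation(), guard.allowed("liquidate")
```

A spot price read from a single pool is what the large trade distorts; the guard refuses the sensitive actions until the exchanges agree again, so the spike cannot be used to value a position.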

This is it for today’s lesson! I hope that I helped you grasp the concept of flash loans, their merit and risks.

I will be back again with other exciting topics!
