HomeCryptocurrency NewsWhat are flash loan attacks — the phenomenon behind the latest $182 million hack

What are flash loan attacks — the phenomenon behind the latest $182 million hack

How do flash loan attacks work and what happened in the recent case where the hacker got away with $80 million? Scroll down to know more

By CNBCTV18.com April 20, 2022, 3:48:51 PM IST (Published)

Decentralised finance (DeFi) protocols have become the preferred playground for hackers. On April 17, 2022, hackers exploited DeFi platform Aave to make massive gains on the stablecoin protocol known as Beanstalk Farms. The hack has been categorised as a flash loan attack and has resulted in $182 million in total losses. The hacker not only escaped with $80 million worth of crypto gains but also diverted $250,000 as donations to Ukraine. As a result, the BEAN token plummeted by 75 percent from its initial peg of $1.

What are flash loans?

Liquidity protocol Aave allows users to borrow and settle loans instantaneously in a single transaction without providing any collateral. These are called flash loans. Smart contracts enforce the terms of these loans, and the entire process of borrowing and repaying the loan happens almost instantly.

As you can imagine, flash loans are no ordinary loans.

When your bank sanctions a loan, it asks you to attach some assets as collateral in the event of a repayment failure. For example, if you purchase a car through a bank loan, the car acts as collateral and is transferrable to the bank if you don’t return the money.

Also Read: What are Stablecoins, how they work, how to buy them, and other questions answered

However, in the case of a flash loan, the provision of collateral is completely bypassed. This is because it is designed to eliminate all chances for the borrower to default on the loan. How is that possible?

Flash loan transactions involve three steps. The first step is the user borrowing the funds, the second step is what the user does with the funds, and the third is the user repaying the loan.

If any of the steps are incomplete, the transaction fails, and the blockchain reverts to its pre-transaction state. It becomes as if nothing was borrowed in the first place.

There is no collateral since the loan is settled in this single transaction within seconds. Moreover, the transaction is not deemed completed until the funds are returned to the blockchain.

The most common use for flash loans (and flash loan attacks) is arbitrage trading. Arbitrage trading refers to the buying and selling of assets in different markets to take advantage of differing prices for the same asset.

In the crypto world, arbitrage trading allows investors to leverage price differences across various exchanges to earn a profit.

For instance, if a particular coin is $20 on Platform A and $25 on Platform B, arbitrage traders can take out a flash loan, purchase $2,000 worth of coins on Platform A and then sell it for $2,500 on Platform B. The trader then repays the loan, making a quick $500 in the process. Thanks to smart contracts, this can all be automated and done in seconds.

How do flash loan attacks work?

Once the borrower collects cryptocurrency, they must act within seconds of it. Now, data from such transactions across the world gets bundled into a block which is then added to the blockchain with no reversal mechanism. Different blockchains take different amounts of time to finish creating one block. For example, the Bitcoin blockchain takes 5 seconds, and the Ethereum blockchain takes 13 seconds.

Liquidity pools like Aave leverage the Ethereum blockchain because its smart contracts make the lending and borrowing process much simpler and automated. So, you can borrow substantial amounts of stablecoins, make multiple transactions in the 13-second window, and then return them to the protocol while bagging some profits.

Also Read: What happens when authorities seize Bitcoin and other crypto assets?

The protocol doesn’t care what you do with the money as long as it comes back to the pool with the fees. This incites hackers to leverage arbitrage opportunities in the process. But how would one quickly purchase crypto, make big trades, amass profits, and return the principal amount in seconds? This is manually impossible, you’d think. Well, not really.

Hackers exploit the very feature that makes Ethereum and flash loans so unique — smart contracts. To profit from a flash loan, hackers manipulate the market to create arbitrage opportunities. Price differences are induced by ‘flooding’ the blockchain with buy and sell order smart contracts.

Since these contracts are programmed to exchange the borrowed tokens for other tokens, the sheer volume involved increases the demand for the borrowed tokens and jacks up their prices in no time. The smart contracts then make the sales at inflated prices. And since this is all automated, it happens within seconds.

What happened in the case of Beanstalk?

Beanstalk posted a summary of the attack on its Discord server. According to this summary, the hacker used Aave to take out a flash loan. He then used the funds to purchase substantial amounts of Beanstalk’s governance token – STALK.

In the process, he garnered significant voting power. He used this power to pass malicious governance proposals that emptied all the protocol funds into a private Ethereum wallet. While the hacker got away with $80 million, the total loss to the network is pegged at approximately $182 million.

Other flash loan attacks:
- May 2021: PancakeBunny, a DeFi project powered by the Binance Smart Chain, was exploited, and over $200 million were lost. The token price skyrocketed from $140 to $240 and then crashed to 0.

-February 2021: $37 million were sucked out of the Alpha Homora Protocol when a hacker borrowed 1.8 million USDC (USD Coin) from Aave and made multiple exchanges using Curve to execute the hack. (The Alpha Protocol forced hackers to use multiple transactions by design.)

Also Read: Cryptojacking: What is it and how to protect yourself from such attacks?