Since the beginning of DeFi, we’ve all heard stories of hackers using flash loan attacks to steal countless millions of dollars from exploitable protocols, but what exactly are flash loans, and why do they keep getting attacked on such a seemingly consistent basis?
Flash loans are a relatively new form of uncollateralized loans available to traders within the DeFi sphere. Like traditional lending, they involve a lender who loans money to a borrower with the apparent expectation of repayment.
However, one of the most significant distinctions is that flash loans utilize smart contracts, which are digital rules or agreements immutably placed on a particular blockchain. Smart contracts make this type of loan possible and give traders access to unsecured loans without the need for intermediaries.
Flash loans have become both advantageous and popular because they allow users to trade and arbitrage in ways that were not possible in the past.
These smart contracts link everything from borrowing to repayment and encapsulate the entire agreement in a single instantaneous, uncollateralized transaction. If a borrower cannot repay the borrowed funds within the guidelines stipulated in the smart contract, everything resets, and the entire financial transaction is essentially erased as if it had never happened in the first place.
In flash loan attacks, hackers take out these large loans and use the funds to manipulate market prices, creating artificial arbitrage opportunities by instantaneously borrowing, swapping, depositing, and borrowing.
The problem with this price data is that, in many cases, its accuracy depends on a single DEX acting as a protocol’s sole price oracle. If an attacker can manipulate the price of an asset on that single exchange, inaccurate price data is fed to every protocol that relies on that DEX as a price oracle.
This issue, often referred to as “The Oracle Problem,” acknowledges that even though integration with blockchains is meant to be trustless and decentralized, if an oracle goes down, produces incorrect values, or has a vulnerability somewhere, then the entire blockchain system is compromised.
Of course, this doesn’t lessen the hackers’ responsibility, but there is a bigger picture here: most of these attacks are oracle attacks. One of the most embarrassing things about all of this is that these attack vectors were not only predicted, they have also happened so many times before that you’d think we would have learned and adapted a lot quicker to avoid these mistakes.
All of this apparent singular focus on flash loans and attacks might distract us a bit too much from the much bigger issue concerning price oracles and DeFi protocols. If we focused more on advancing and utilizing decentralized oracles, such as Chainlink, to mitigate the risk of manipulation, we would naturally see fewer flash loan attacks taking place. The fact that hundreds of millions of dollars, if not billions, are still relying on these single points of failure needs to be more seriously addressed if any future advancement is to be made.
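The single-DEX oracle weakness and the multi-source mitigation described above, as an added example that is not part of the original article. It is a simplified Python model: the fee-free constant-product pool, the reserve sizes, the four independent quotes and the 5% deviation bound are all constructed assumptions, and the median stands in for aggregation over independent sources in general, not for Chainlink's actual implementation.

```python
from statistics import median

class ConstantProductPool:
    """Toy fee-free x*y=k pool (constructed model, not any real DEX)."""

    def __init__(self, token_reserve, usd_reserve):
        self.token = token_reserve
        self.usd = usd_reserve

    def spot_price(self):
        # Instantaneous price: the value a naive protocol reads as its oracle.
        return self.usd / self.token

    def swap_usd_for_token(self, usd_in):
        # Keep token * usd constant; one large trade moves the price sharply.
        k = self.token * self.usd
        self.usd += usd_in
        token_out = self.token - k / self.usd
        self.token -= token_out
        return token_out

def aggregated_price(quotes):
    # Median over independent sources: a single outlier cannot move the result.
    return median(quotes)

def within_bound(candidate, reference, max_deviation=0.05):
    # Sanity check a protocol can apply before trusting any one source.
    return abs(candidate - reference) / reference <= max_deviation

def simulate(borrowed_usd=9_000_000):
    pool = ConstantProductPool(10_000, 1_000_000)  # constructed: 100 USD/token
    independent = [99.8, 100.0, 100.1, 100.3]      # constructed quotes
    before = pool.spot_price()
    ok_before = within_bound(before, aggregated_price(independent + [before]))
    pool.swap_usd_for_token(borrowed_usd)          # borrowed funds hit one pool
    after = pool.spot_price()
    agg = aggregated_price(independent + [after])
    return {
        "spot_before": before,
        "spot_after": after,
        "median_after": agg,
        "pool_trusted_before": ok_before,
        "pool_trusted_after": within_bound(after, agg),
    }

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

A protocol reading only the pool's spot price sees the distorted value, while the median over independent sources barely moves and the deviation check flags the pool as untrustworthy for that block.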