
Flash Loans and What They Mean for Security

by Dmitry Mishunin, May 31st, 2023


The words "flash loan" are rarely a sign of good news. That’s because we’re mostly used to hearing them as part of the collocation ‘flash loan attack’. But flash loans play a crucial role in delivering one of the fundamental promises of the decentralized finance system: accessibility.

What is a Flash Loan?

A Flash loan is a mechanism that allows users to take out a loan without supplying collateral.

It is considered fairly safe for the loan provider since a flash loan is performed in one transaction.


There are three steps that make for a successful flash loan:


  • The user borrows assets

  • The user performs the necessary operations with their loan. Often, loans are required for purchasing tokens and trading them.

  • The user pays off the loan and, if needed, the required fees.


This technology is available to everyone, and the key to its safety is simple: if a transaction in Ethereum fails, all the changes it made are reverted.

Therefore, if someone borrows funds and is unable to pay them back, the transaction is rejected by the lender. In this case, all operations, including the loan itself, are reversed and the caller only has to pay their gas fees.

The lender doesn’t lose or risk anything.
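The three steps and the revert behaviour can be modelled in a few lines. This is an added example, not code from the article or from any lending protocol: the ledger, the account names, the 0.09% fee and the flat gas cost are all assumptions chosen for illustration.

```python
class Revert(Exception):
    """Models an EVM revert: every state change in the transaction is discarded."""

FEE_BPS = 9    # assumed lender fee of 0.09%, not a figure from the article
GAS_FEE = 1    # assumed flat gas cost, paid even when the transaction reverts

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, borrower, amount, operations):
    """The three steps from the text, all inside one transaction."""
    owed = amount + amount * FEE_BPS // 10_000
    expected = ledger.balances["lender"] + owed - amount
    ledger.transfer("lender", borrower, amount)    # 1. borrow
    operations(ledger)                             # 2. use the funds
    ledger.transfer(borrower, "lender", owed)      # 3. repay plus fee
    if ledger.balances["lender"] < expected:       # lender's final check
        raise Revert("loan not repaid in full")

def execute(ledger, sender, tx):
    """Run tx atomically; returns True on success, False if it reverted."""
    ledger.transfer(sender, "validator", GAS_FEE)  # gas is kept either way
    snapshot = dict(ledger.balances)
    try:
        tx(ledger)
        return True
    except Revert:
        ledger.balances = snapshot                 # roll back loan and operations
        return False

def demo(trade_result):
    """trade_result > 0: the operations earn funds; < 0: they lose funds."""
    ledger = Ledger({"lender": 1_000_000, "borrower": 10, "market": 5_000})
    def operations(l):
        if trade_result >= 0:
            l.transfer("market", "borrower", trade_result)
        else:
            l.transfer("borrower", "market", -trade_result)
    ok = execute(ledger, "borrower",
                 lambda l: flash_loan(l, "borrower", 100_000, operations))
    return ok, ledger.balances
```

`demo(200)` ends with the lender up by the fee, while `demo(-50)` reverts and leaves every balance unchanged except the borrower's gas payment.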


This is the beauty of this technology: to make a flash loan and manipulate a million dollars worth of assets you don't need to be a millionaire. In fact, users don’t need to own massive funds or pay collateral, and there is no requirement to provide any documents, pass KYC, etc. All you need is enough tokens to pay for the transaction gas and a guaranteed way to earn enough additional funds to cover the fee on the borrowed funds.


Most Common Use Cases

The simplest way to understand the benefits of flash loans is to look at the role they play in the decentralized world.

Arbitrage

One of the most common uses of flash loans, arbitrage is an opportunity for a user to take advantage of price differences of various assets on the market. Let’s imagine a trader discovering that Ethereum (ETH) is sold at a rate of 2000 USDT on the Uniswap exchange and 2005 USDT on the Sushiswap exchange. Suppose the trader has 1000 USDT at their disposal. To simplify the explanation, we'll forego swap fees and price fluctuations.


The trader can purchase 1 ETH for 2000 USDT on Uniswap and immediately sell it on Sushiswap to retrieve 2005 USDT, thereby netting a profit of 5 USDT. Now, with the introduction of a flash loan, this strategy can be amplified.

Let's say the trader takes out a flash loan for 100,000 USDT. With this, they can make a significant profit of 500 USDT by applying the same trading strategy, and subsequently use a portion of this profit to cover the flash loan fee. As a result, the trader is able to leverage a larger capital without upfront collateral and magnify their earnings, thanks to the potential of flash loans.


Collateral Swaps

A collateral swap is a situation in which one collateral is exchanged for another. Let's say you have supplied $100k worth of ETH to a lending protocol and borrowed $70k in stablecoins. You believe that ETH is about to go down and want to trade it for wrapped BTC (WBTC). To do so, you first need to repay the stablecoins, then withdraw the Ethereum and swap it for BTC, put the assets into the lending protocol as collateral, and borrow the stablecoins again. This sounds quite complicated. And if you don't have the stablecoins to repay the debt right away, or the price fluctuates during the operations, you won’t be able to complete your trade. All these issues are solved by flash loans: they allow one to borrow funds and perform trading operations within one transaction without price fluctuations.


Liquidations

If a position in a lending protocol is subject to liquidation, to earn a liquidation bonus a user has to repay the borrowed assets. After that, they get the collateral and a bonus. Without a flash loan, the liquidator must have sufficient balance to repay the position's debt. Using flash loans, the liquidator needs a certain amount of funds: they repay the debt, swap the collateral and pay the loan fees with the liquidation bonus.


How to Take out a Flash Loan

For flash loans to function, a smart contract is required. The contract dictates what exactly the system does and how. Initially, it was a complicated process that required deep understanding. In some ways, it still does, but in recent years, flash loans, like the majority of DeFi tools, have been getting graphical interfaces (GUIs). It’s reasonable, since the target audience of flash loans doesn’t have to possess extended knowledge. Recently, new services emerged to provide a GUI for flash loans. However, each GUI limits you to the operations it supports.


How Flash Loans can be Exploited

Despite the transformative potential of flash loans in the DeFi ecosystem, they are not without controversy. As was mentioned above, flash loans are quite often exploited to manipulate asset prices. A vast number of DeFi projects base their reward systems, liquidation thresholds, and other crucial mechanisms on the prevailing asset prices. Consequently, flash loans offer individuals, even those with limited capital, an avenue to influence these prices by temporarily controlling millions of dollars. Flash loan attacks are frequent and dangerous. They affect protocols and all their users, causing massive damage.


How to Protect Yourself Against a Flash Loan Attack

The most common misconception about protecting assets from flash loan attacks is that not allowing the contract to be called by other contracts is a helpful approach. Calls to a contract's functions can be restricted to externally owned accounts (EOA) only. This does, in fact, make it impossible for the contract to be called during a flash loan, since flash loans require your contract to be called by another one. But the same restriction complicates integration with other DeFi services, and it’s imperative for many different projects to be able to work seamlessly with different platforms and DApps.


The bottom line is that this restriction doesn’t guarantee protection against price manipulation attacks; it just makes them more complicated for the attacker. To succeed in preventing flash loan attacks, developers have to incorporate solutions into their initial code. So far, setting up limits and time delays helps to create an environment unwelcoming for hackers. The most attractive features of flash loan attacks are their accessibility and lucrative profits. By eliminating one or both of these aspects, you are more likely to succeed.
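One way to combine a time delay with a limit is to read a time-weighted average price and reject the read when the spot price has moved too far from it. The sketch below is an added example, not code from the article or from any protocol, and goes beyond the text in picking a specific mechanism: the constant-product pool, the 600-second window and the 2% deviation limit are assumptions.

```python
MAX_DEVIATION = 0.02   # assumed limit: reject if spot is >2% away from the average
WINDOW = 600           # assumed averaging window in seconds

class Pool:
    """Constant-product pool (eth * usdt = k), swap fees ignored."""
    def __init__(self, eth, usdt, now):
        self.eth, self.usdt = eth, usdt
        self.cumulative, self.last_ts = 0.0, now

    def spot(self):
        return self.usdt / self.eth

    def accrue(self, now):
        # Credit the current price for the time it was actually in effect.
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def buy_eth(self, usdt_in, now):
        self.accrue(now)
        k = self.eth * self.usdt
        self.usdt += usdt_in
        self.eth = k / self.usdt

class TwapOracle:
    """Average price over a window, from two readings of the accumulator."""
    def __init__(self, pool, now):
        pool.accrue(now)
        self.pool, self.start_cum, self.start_ts = pool, pool.cumulative, now

    def price(self, now):
        self.pool.accrue(now)
        return (self.pool.cumulative - self.start_cum) / (now - self.start_ts)

def checked_price(pool, oracle, now):
    """Return the averaged price, or None if spot has been pushed past the limit."""
    twap = oracle.price(now)
    if abs(pool.spot() - twap) / twap > MAX_DEVIATION:
        return None
    return twap

def scenario(usdt_in):
    """One large buy lands in the same transaction that reads the price."""
    pool = Pool(eth=1_000, usdt=2_000_000, now=0)
    oracle = TwapOracle(pool, now=0)
    pool.buy_eth(usdt_in, now=WINDOW)   # trade and read share one timestamp
    return pool.spot(), oracle.price(WINDOW), checked_price(pool, oracle, WINDOW)
```

A price that exists only inside one transaction has been in effect for zero seconds, so it carries no weight in the average, and the deviation check turns the distorted spot price into a rejected read instead of an input to rewards or liquidations.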



The lead image for this article was generated by HackerNoon's AI Image Generator via the prompt "Loan from bank in the sky"