Flash loan attacks occur when malicious actors exploit a smart contract.
Flash loan attacks are decentralized finance (DeFi) exploits where a smart contract designed to support the provision of flash loans is attacked in order to siphon assets stored in a particular pool. In such attacks, the malicious actor opens a loan, uses that borrowed capital to purchase other assets with arbitrage and quickly pays the loan back, keeping whatever assets are left at the end of the process as profit.
It is important to understand that this exposure can only happen within DeFi protocols, since they are permissionless and entirely run by smart contracts. While disintermediation provides a lot of benefits like cost savings and censorship resistance, having no third party overseeing the provision of uncollateralized loans through flash loan contracts makes DeFi platforms susceptible to such attacks.
This type of malicious activity is complex and difficult to pull off, yet there are many cases where cybercriminals have succeeded.
Most flash loan attacks involve using borrowed capital to arbitrage assets from other DeFi protocols. For instance, in one of the bZx protocol attacks, the hacker took out a loan from a contract and immediately converted it into stablecoins. But since smart contracts only function based on the data fed to them, they can be vulnerable to some exploits. The attacker took advantage of that by manipulating the price of the stablecoin, sUSD, by placing a large buy order on it, which helped drive the price of the stablecoin to twice the value it was supposed to be. From there, he took out a bigger loan using the sUSD he swapped as collateral. Then, he repaid all these loans and took away the remaining assets with him as profit.
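The collateral-valuation weakness described above, shown as an added example that is not from the original article or from bZx's code: a lending contract that values collateral at a pool's spot price accepts a doubled price after one large buy, while a valuation based on a time-weighted average with a deviation limit rejects it. The fee-free constant-product pool, the simplified per-block TWAP, the reserve figures and all names are assumptions made for illustration.

```python
# Constructed model: fee-free constant-product pool (base * quote = k) used as a price oracle.

class PriceDeviation(Exception):
    """Spot price is too far from the time-weighted average to trust."""

class Pool:
    def __init__(self, base: float, quote: float):
        self.base, self.quote = base, quote
        self.history = []            # one spot observation per closed block

    def spot(self) -> float:
        return self.quote / self.base

    def buy_base(self, quote_in: float) -> float:
        k = self.base * self.quote   # invariant preserved by the swap
        self.quote += quote_in
        base_out = self.base - k / self.quote
        self.base -= base_out
        return base_out

    def end_block(self) -> None:
        self.history.append(self.spot())

    def twap(self, window: int) -> float:
        obs = self.history[-window:]
        return sum(obs) / len(obs)

def value_naive(pool: Pool, amount: float) -> float:
    return amount * pool.spot()      # weak: trusts in-transaction pool state

def value_guarded(pool: Pool, amount: float, window=10, max_dev=0.05) -> float:
    # Hardened: price from past blocks; refuse if spot has drifted from it.
    twap = pool.twap(window)
    if abs(pool.spot() - twap) / twap > max_dev:
        raise PriceDeviation(f"spot {pool.spot():.2f} vs TWAP {twap:.2f}")
    return amount * twap

def demo():
    pool = Pool(1_000_000.0, 1_000_000.0)       # constructed reserves, price 1.0
    for _ in range(10):
        pool.end_block()
    before = value_guarded(pool, 100.0)
    pool.buy_base(pool.quote * (2 ** 0.5 - 1))  # one large buy, same block
    naive = value_naive(pool, 100.0)
    try:
        guarded = value_guarded(pool, 100.0)
    except PriceDeviation:
        guarded = None                          # valuation rejected
    return before, naive, guarded
```

Because a flash loan must be repaid within a single transaction, a price built from observations in earlier blocks is not moved by trades made inside that transaction.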
Another well-known flash loan attack occurred earlier on, on the same platform. The flash loan attacker took out a flash loan on dYdX, which is a lending DApp, and sent the capital from that flash loan to both Compound and Fulcrum. On Fulcrum, the attacker shorted ETH against Wrapped Bitcoin (WBTC), while also taking out a Compound loan of WBTC. Without getting too much into the specifics, when WBTC's price pumped due to the effects of Fulcrum acquiring WBTC, the flash loan attacker flipped their WBTC on Uniswap, repaid their own loan and got away with the leftover ETH.
In May 2021, popular Binance Smart Chain-based yield farming aggregator PancakeBunny experienced a flash loan attack as well. The flash loan attacker borrowed a large amount of BNB on PancakeBunny, thus manipulating its price against both the Binance USD stablecoin and Bunny tokens. When the flash loan hacker dumped their Bunny on the market, the price plummeted.