Decentralized finance (DeFi) has changed the way many of us think about financial services. This new sector has grown to over $100 billion in TVL and has introduced innovative solutions that could only exist in a blockchain-based ecosystem. One standout example of this is the flash loan, a type of loan unique to DeFi. Flash loans offer an unprecedented level of flexibility, but also carry some specific risks.
In this article, we’ll break down how flash loans work, their key differences from traditional loans, their applications, and their risks, including flash loan attacks.
A flash loan is a type of unsecured loan available in DeFi, typically on lending and borrowing platforms like Aave. Unlike traditional loans that require collateral and credit checks, flash loans operate on the principle that the loan must be borrowed and repaid within the same transaction. If the borrower fails to repay the loan, the transaction is reversed, ensuring no loss for the lender.
Flash loans leverage smart contracts and the unique mechanics of blockchain transactions to offer unsecured, instantaneous loans. Here’s a breakdown of how they work:
Flash loans are carried out using smart contracts, which are self-executing programs that run when particular conditions are met. A flash loan smart contract automatically carries out the loan when a specific condition is met: the money borrowed can immediately be paid back, along with the related interest.
For example, imagine Exchange A is selling ETH at $1,800, while Exchange B is buying ETH at $1,850. You want to make a profit by buying 10 ETH at Exchange A and selling them to Exchange B for a total profit of $500. You need a loan of $18,000, and this loan charges $400 in interest.
To achieve this through a flash loan, you would need to borrow $18,000 and be able to repay $18,400 within the same transaction. In this transaction, you’d be left with a total of $18,500 after the sale. Since this is enough to both repay the loan and meet the interest payment, you could potentially use a flash loan to achieve this arbitrage trade.
The lack of collateral is the defining feature of flash loans. This is possible because the repayment happens instantaneously within the same transaction. Traditional lending relies on collateral to mitigate the lender’s risk. On the other hand, flash loans circumvent this requirement by ensuring that funds never leave the system unless repaid.
In traditional finance, banks need to perform credit checks to make sure the borrowing party will be able to return the loan. With flash loans, credit checks aren’t necessary. This is a direct result of the fact that there’s no risk for the lender. The smart contract empowering the loan transaction ensures payment. Borrowers must perform the intended operation and repay the loan within the same transaction. If any part of this process fails, the blockchain rolls back the transaction as if it never occurred.
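The borrow, operate, repay-or-revert sequence described above can be modelled in a few lines. This is an added example, not code from any lending protocol: the `Chain` ledger, the account names and the pool and exchange balances are constructed, and only the loan figures ($18,000 principal, $400 interest, $1,800 and $1,850 prices) come from the article.

```python
class Revert(Exception):
    """Raised to abort the transaction; all state changes are discarded."""

class Chain:
    """Toy ledger of USD balances keyed by account name (constructed model)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            raise Revert(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transact(self, fn):
        """Run fn atomically: on Revert, restore the pre-transaction snapshot."""
        snapshot = dict(self.balances)
        try:
            fn()
            return True
        except Revert:
            self.balances = snapshot
            return False

def flash_loan(chain, borrower, amount, fee, operation):
    """Lend `amount`, run the borrower's operation, then require amount + fee back."""
    chain.transfer("pool", borrower, amount)
    operation(chain)
    # If the borrower cannot cover principal plus fee, this raises Revert
    # and transact() rolls back the loan and everything done with it.
    chain.transfer(borrower, "pool", amount + fee)

def arbitrage(buy_price, sell_price, qty=10):
    """Borrower operation: buy qty ETH on Exchange A, sell it on Exchange B."""
    def op(chain):
        chain.transfer("trader", "exchange_a", buy_price * qty)
        chain.transfer("exchange_b", "trader", sell_price * qty)
    return op

def run(sell_price):
    """Return (committed?, trader balance, pool balance) for one attempt."""
    chain = Chain({"pool": 1_000_000, "trader": 0,
                   "exchange_a": 0, "exchange_b": 1_000_000})
    ok = chain.transact(lambda: flash_loan(chain, "trader", 18_000, 400,
                                           arbitrage(1_800, sell_price)))
    return ok, chain.balances["trader"], chain.balances["pool"]
```

With the article's $1,850 sale price the transaction commits and the pool gains its $400; with a constructed $1,830 sale price the repayment fails and every balance returns to its starting value.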
Flash loans differ significantly from traditional loans in their mechanics, requirements, and use cases. Here’s a quick look at the main distinctions between them:
Feature | Flash Loans | Traditional Loans |
---|---|---|
Collateral | Not required | Required |
Repayment Period | Within the same transaction | Months or years |
Approval Process | Automated through smart contracts | Requires credit checks and manual approval |
Primary Use Cases | Arbitrage, liquidations | Personal expenses, business investments |
Risk for Lenders | None, loans are either paid or reversed | High, borrowers may default |
Flash loans are highly flexible and efficient, making them a popular tool in the DeFi space. Some of their most common applications include:
Arbitrage involves taking advantage of price differences for the same asset across different platforms. Through the use of flash loans, traders can execute arbitrage trades without requiring upfront capital.
For example, suppose ETH is priced at $2,000 on Exchange A and $2,050 on Exchange B. A trader can use a flash loan to borrow 10 ETH from a lending protocol, buy ETH on Exchange A, sell it on Exchange B, and repay the loan, all within a single transaction. The profit is the price difference multiplied by the quantity, minus transaction fees.
Flash loans are also common in liquidations, which occur when a borrower’s collateral falls below the required threshold in a lending protocol. Third-party liquidators earn compensation for handling loan liquidations when the collateralization ratio falls below the required threshold.
For example, if a user has borrowed 100 USDC against 1 ETH as collateral, and the price of ETH drops, their position may become undercollateralized. A third-party liquidator can use a flash loan to repay the 100 USDC on their behalf, seize their ETH collateral, and repay the flash loan, keeping the difference as profit.
While flash loans offer numerous benefits, they also introduce risks, particularly price oracle attacks. A price oracle sends asset data to a protocol and allows it to keep track of the overall health of the platform. Flash loan attacks can exploit vulnerabilities in these price feeds.
In a price oracle attack, the attacker uses a flash loan to manipulate the price of an asset temporarily. By artificially inflating or deflating its value, the hacker can exploit the protocol for profit. For example, they may overvalue their collateral to withdraw more funds than they are entitled to or undervalue an asset to buy it on the cheap.
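Why a protocol should not value collateral at a price that can move inside a single transaction, shown as an added example that is not taken from any real protocol. The constant-product pool, the 50% loan-to-value ratio, the 10% deviation bound and the idea of a reference price recorded before the transaction are all assumptions made for illustration.

```python
class Pool:
    """Constant-product pool (token * usd = k), a constructed price source."""
    def __init__(self, token, usd):
        self.token, self.usd = token, usd

    def spot_price(self):
        return self.usd / self.token

    def buy_token(self, usd_in):
        """Swap USD for tokens; the spot price rises with the size of the trade."""
        k = self.token * self.usd
        self.usd += usd_in
        remaining = k / self.usd
        out = self.token - remaining
        self.token = remaining
        return out

def borrow_limit(collateral_tokens, price, ltv=0.5):
    """Maximum USD a lender allows against the collateral at the given price."""
    return collateral_tokens * price * ltv

def guarded_price(spot, reference, max_deviation=0.10):
    """Refuse a spot price that moved more than max_deviation from the reference."""
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError("oracle price deviates from reference")
    return spot

def simulate():
    pool = Pool(token=1_000, usd=100_000)
    reference = pool.spot_price()            # 100.0, recorded before the transaction
    before = borrow_limit(100, pool.spot_price())
    pool.buy_token(100_000)                  # large same-transaction swap moves the price
    after = borrow_limit(100, pool.spot_price())
    try:
        guarded_price(pool.spot_price(), reference)
        blocked = False
    except ValueError:
        blocked = True                       # the guard refuses the manipulated price
    return before, after, blocked
```

In this model the same 100 tokens of collateral are worth four times as much to an unguarded lender after the swap, while the guarded lookup rejects the price outright.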
Flash loan attacks are among the most high-profile security breaches in DeFi and they emphasize the risks associated with this new technology. Here are three notable examples from the past few years:
In March 2023, Euler Finance, a decentralized finance (DeFi) platform on Ethereum, fell victim to the largest flash loan attack in crypto history, resulting in the theft of $197 million. The attack revealed a flaw in Euler’s token mechanics involving eTokens, which represent collateral, and dTokens, used in debt tracking.
The attacker leveraged Euler’s “DonateToReserve” function, which mistakenly destroyed eTokens without affecting dTokens. Consequently, this created a discrepancy, misrepresenting borrowed assets as collateralized. Here’s how the attacker orchestrated the heist:
Surprisingly, the hacker, identifying as “Jacob,” returned all stolen funds shortly after the attack, citing regret. They repaid Euler in multiple transactions totaling 54,000 ETH and additional DAI, restoring the stolen assets.
Cream Finance is a cross-chain lending and borrowing platform. In October 2021, it faced a sophisticated flash loan attack that led to a loss of over $260 million, with the attacker profiting $130 million. The incident highlighted vulnerabilities in multi-protocol integrations and smart contract designs.
The attacker employed an elaborate strategy across multiple platforms to siphon funds:
Cream Finance responded swiftly with a compensation plan to mitigate user losses and strengthen its security measures. In addition, the company conducted audits and improved protocol defenses. Despite these efforts, the attack significantly dented Cream Finance’s reputation in the DeFi community.
In April 2022, Beanstalk, a decentralized stablecoin protocol, was exploited for $182 million in one of the most daring flash loan attacks. The attacker netted $80 million by exploiting governance tokens. The attack demonstrated the risks associated with control mechanisms in DeFi.
Beanstalk’s governance model allowed users to deposit assets into a “silo” to gain voting power. The attacker leveraged a vulnerability in its design to take control of the protocol:
The attack drained Beanstalk’s reserves and left the protocol in financial disarray. This incident underscored the vulnerabilities in DeFi governance models and the need for better safeguards against malicious actors.
Flash loans are a groundbreaking innovation that could only exist in the world of DeFi. They offer unparalleled financial flexibility and enable advanced trading strategies without requiring upfront capital. However, as seen in the examples of flash loan attacks, they also pose risks that developers and users must address.
In conclusion, flash loans are just one example of the unique services available in blockchain. As DeFi continues to develop, we can expect even more innovations that push the boundaries of traditional finance.