Flash loans have become a primary attack vector for malicious actors looking to exploit DeFi protocols, and they are on the rise.
A flash loan is a crypto loan that is taken out and repaid within the same transaction. In legitimate use, flash loans enable quick collateral swaps. They can also be used to conduct arbitrage trades and to save on transaction fees. DeFi lending platform Aave pioneered and publicized this concept in 2020.
However, malicious actors have increasingly used this method to attack loopholes in some DeFi protocols.
In traditional finance, getting a loan requires a great deal of paperwork and proof of identity and income. In DeFi, anyone can take one out, and these loans are often uncollateralized, meaning the borrower does not have to risk any of their own assets.
Flash loans are enforced by smart contracts, which release funds only when certain criteria are met. If the borrower has not repaid the loan by the time the transaction ends, the smart contract reverts the whole transaction, as though the loan had never been made.
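The mechanism described above, as an added illustration rather than code from Aave or any other protocol: a minimal flash loan lender that hands funds to the borrower, lets the borrower run arbitrary logic in the same transaction, and then checks that principal plus fee is back. The interface names (IFlashBorrower, onFlashLoan), the fee and the contract itself are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal token interface (only the two calls this example needs).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical borrower callback; the name is an assumption, not Aave's actual API.
interface IFlashBorrower {
    /// Invoked by the lender after the funds have been sent. The borrower must
    /// return `amount + fee` to the lender before this call returns.
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract MinimalFlashLender {
    uint256 public constant FEE_BPS = 9; // 0.09% fee; a constructed value for the example
    bool private locked;                 // simple reentrancy guard

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    /// Lends `amount` of `token` to msg.sender for the duration of this transaction.
    function flashLoan(IERC20 token, uint256 amount, bytes calldata data) external nonReentrant {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(balanceBefore >= amount, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10_000;

        // 1. Send the funds to the borrower; no collateral is taken.
        require(token.transfer(msg.sender, amount), "transfer failed");

        // 2. Hand control to the borrower's contract for the rest of the transaction.
        IFlashBorrower(msg.sender).onFlashLoan(address(token), amount, fee, data);

        // 3. Enforce the invariant. If principal + fee is not back, revert: every
        //    state change made in this transaction, including step 1, is undone.
        require(token.balanceOf(address(this)) >= balanceBefore + fee, "loan not repaid");
    }
}
```

The security property lives entirely in step 3: the lender never needs to trust the borrower, because an unpaid loan cannot survive the transaction. The flip side, and the reason flash loans matter to defenders, is that step 2 gives the borrower a very large balance to use against any other contract whose logic can be influenced within a single transaction.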
QuickSwap the latest victim
Flash loans have gained a bad reputation over the past couple of years, as they have been used to attack a number of DeFi protocols.
Polygon-based decentralized exchange (DEX) QuickSwap became the latest victim of this attack vector. The platform lost $220,000 in an exploit on Oct. 24. The DEX blamed a vulnerability in a Curve oracle that Market XYZ was using.
Additionally, the QiDao Protocol provided seed funds for the market. No QuickSwap user funds were reportedly compromised.
2021 was also a big year for flash loan attacks. Exploiters stole hundreds of millions of dollars from several protocols, including Cream Finance, Impossible Finance, Bogged Finance, PancakeBunny, bEarn, Spartan, and Yearn Finance.
Biggest flash loan exploits in 2022
DeFiYield’s Rekt Database lists 56 flash loan exploits in total, with several hacks of a million dollars or more in 2022. These included Nirvana Finance, New Free DAO, Inverse Finance, DEUS Finance, Elephant Money, and OneRing. In the largest flash loan exploit so far this year, Beanstalk lost $181 million in April.
October (jokingly referred to as ‘Hacktober’) has been the biggest month ever for hacks and crypto exploits, according to Chainalysis.
Money has also been stolen from DeFi platforms by means of economic design flaws. The most recent was the $116 million Mango Markets heist earlier this month that occurred when an attacker manipulated the token price using perpetual futures.
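Both the QuickSwap incident (an oracle vulnerability) and the Mango Markets heist (a manipulated token price) come down to a protocol acting on a price that an attacker could move within one transaction or a short window. The following added example, which is not code from any of the protocols named in this article, shows one common defensive pattern: a consumer contract that refuses to act when the spot price has drifted too far from a time-weighted average price. The IPriceSource interface, its function names and the 5% threshold are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical oracle interface; an assumption, not any specific protocol's API.
interface IPriceSource {
    /// Current price of one unit of `asset`, scaled by 1e18.
    function spotPrice(address asset) external view returns (uint256);
    /// Time-weighted average price of `asset` over the oracle's window, scaled by 1e18.
    function twapPrice(address asset) external view returns (uint256);
}

contract PriceGuard {
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5%; a constructed threshold
    IPriceSource public immutable oracle;

    constructor(IPriceSource _oracle) {
        oracle = _oracle;
    }

    /// Returns the TWAP price, but only if the spot price agrees with it within
    /// the tolerance. A flash-loan-funded trade can move the spot price in a single
    /// block, while a time-weighted average changes slowly, so a large gap between
    /// the two is treated as a manipulated market and the caller's action is refused.
    function safePrice(address asset) public view returns (uint256) {
        uint256 spot = oracle.spotPrice(asset);
        uint256 twap = oracle.twapPrice(asset);
        require(twap > 0, "no reference price");

        uint256 diff = spot > twap ? spot - twap : twap - spot;
        // diff / twap <= MAX_DEVIATION_BPS / 10_000, rearranged to avoid division.
        require(diff * 10_000 <= twap * MAX_DEVIATION_BPS, "price deviation too large");
        return twap;
    }
}
```

A deviation check of this kind does not make a protocol immune; an attacker with enough capital and time can still move a TWAP. It does remove the cheapest version of the attack, in which the price is pushed and consumed inside a single atomic transaction, and it makes manipulation attempts visible as failed calls that a monitoring system can alert on.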