DeFi flash loans are fast becoming a whole different breed of scams that are actively developing within the DeFi space. And while this method of cryptocurrency fraud is in its infancy, we can conveniently say that further improvements on this technique are impossible to exactly quantify. The reason, therefore, that we at Lossless, are bringing this to your notice at this time, is while we continually work hard to invent tools to mitigate the risk of frauds and scams, we want you to stay educated on how scammers are also improving their methods.
What Is A DeFi Flash Loan?
A DeFi flash loan is an unsecured loan, which allows you to borrow any amount of asset from a designated smart contract pool. It is a type that makes use of smart contracts to facilitate instant crypto loans that require no collateral but usually proceed under certain conditions. And unless these conditions are met, funds may not change hands.
Although the steps involved to successfully procure a flash loan are particularly strict, the name itself is self-explanatory. The idea of flash loans became a thing in late 2019, and early on in 2020, platforms like dYdX and AAVE had incorporated the service.
Flash Loans Use Cases
1. Arbitrage Trading: By “flash”, it is instant, and being a “loan”, it has to be repaid. Just like the conventional loan types, there is always a borrower and a lender. These two agree to make a monetary transaction, a process that, under normal circumstances, aims to benefit both parties. There are a couple of reasons why a flash loan may be needed, and these will be explained shortly.
A DeFi flash loan is quite different from the regular crypto loans that we are used to. A flash loan may be procured without presenting any collateral. It is instant, both lending and repayment occur within a single block and use smart contracts. The use of smart contracts ensures that the loan is repaid back instantly, usually before the Flashloan transaction ends. It sounds quite technical, and of course, it is, which is why the process is synonymous with traders looking to profit from short market modulations and arbitrage opportunities.
For instance, in Crypto Potato’s publication of August 3, 2020, a trader, applying the flash loan technique, had made over $16,000 in a few seconds without investing anything or presenting any collateral.
First, the trader borrowed 2,048,000 USDCT using dYdX’s flash loan. Remember, because it’s a flash loan, he didn’t have to present any collateral as long as he repaid the amount within the same block.
He then swapped the borrowed USDCT for 2,028,367 DAI on Curve y pool. After that, he swapped the DAI for 2,064,182 USDC on Curve’s SUSD pool, and lastly, he paid back the 2,048,000 USDC to dYdX, all within the same block.
The above real-life example explains arbitration as a major use case for flash loans. And while a 1% difference might not seem like a lot, when one is able to borrow high amounts and arbitrage this difference, the profits can be substantial.
2. Self-liquidation: this is another important use case of flash loans. In this case, a trader who already has a borrowed asset on the compound with its collateral facing liquidation may procure a flash loan in order to force stop losses before the smart contracts activate a collateral liquidation and still charge the liquidation fees. Traders have used this method to save themselves the remains of a falling collateral asset.
3. Collateral Swap: when traders borrow assets and wish to swap their collateral, they do so by taking a flash loan to first pay back the loan taken, and withdraw the collateral they wish to swap. They swap the collateral for the desired asset and supply the asset as collateral on the compound. They borrow the initially borrowed asset again, this time, with different collateral. Lastly, they repay flash loans with the newly borrowed assets.
While the above use cases of flash loans were popular in their early days, scammers have found multiple other ways to exploit the innovation.
Wash Trading: This is an important flash loan use case in a negative light. According to the Market Surveillance report of September 2019, about 70 percent of the top 100 crypto exchanges were wash-trading around 90 percent of their volumes. This is particularly made possible as most centralized exchanges can make volumes out of thin air, even without real assets, although their decentralized counterparts hold no such power. In order to make things quite easy, traders on DEXes usually use flash loans to borrow large amounts in order to temporarily manipulate the volume of an asset. As many become aware of the corresponding price change, they are encouraged to hop in for a possible ride. Within this short period of aggressive buying by other traders, the perpetrator pulls out and makes a return from the positive difference acquired.
For example, a report by Hacking Distributed, a hack surveillance website, made an example of this case. A flash loan transaction executed on the 15th of February 2020, followed by 74 transactions, had yielded a profit of 1'193.69 ETH (350k USD) with a minimal transaction fee of around 132 USD. The basics of this transaction involve a margin trade on a DEX (bZx) to increase the price of wBTC/ETH pair on an entirely different DEX, Uniswap. This created an arbitrage opportunity. The trader then went ahead to borrow wBTC using ETH as collateral (on Compound), and then purchased ETH at a “cheaper” price on the manipulated Uniswap market. To maximize the profit, the trader then transacted the “cheap” ETH to purchase wBTC at a non-manipulated market price over a 2-day period after the flash loan. The trader then returns wBTC to redeem the ETH collateral.
The trader described above made some easy profit but many other traders who got caught along the line wouldn’t smile as much. The fact is, very experienced scammers have learned the whole process of “pump and arbitrage”, which employs flash loans as a totally free tool. When prices are manipulated and pumped using flash loans, they usually come back below their natural prices after the whole process. The money flow accompanying the process is usually provided by hundreds of unfortunate market watchers who decide to hop in for a trade at the same time. It may be difficult to distinguish which volumes are normal and which ones are washed, but it is not impossible to spot a flash loan scam. Many of them follow a sequence as described below:
- Borrowing: the scammer borrows a large amount in a particular asset;
- Swapping: the borrowed assets are swapped against another top cryptocurrency;
- Pumping: swapping an asset in millions offsets the volume aggregation which possibly creates an arbitrage opportunity;
- Dumping: the swapped asset is rebought in millions at a lower price. Depending on the amount involved, the price may drop moderately or significantly;
- Loan repayment: the scammer repays their debt to the original loan issuer and makes way with the profit.
Some Popular Flash Loan Scams
ApeRocket Flashloan Attack: this is the most recent flash loan scam within the DeFi space. It happened in July 2021 on ApeRocket’s BSC platform and Polygon fork, resulting in around $1.2 million dollars in losses to users. The scam was a combination of efforts that occurred on AAVE and PancakeSwap.
The hackers in this case borrowed a huge amount in AAVE and CAKE and kept almost all the funds in the protocol’s vault. According to information available on ApeRocket’s medium page, these deposits instigated the smart contracts to create a large amount of CAKE that were generated in rewards. The hacker repaid his loan and dumped his generated rewards, crashing the price by around 65%.
PancakeBunny Flashloan Attack: in the PancakeBunny Flashloan situation, the scam had caused its token to plunge by around 95%.
The attacker first borrowed a large amount in BNB through PancakeSwap. He then used it to offset the price of USDT/BNB and BUNNY/BNB in PancakeBunny’s pools. This allowed the hacker to steal a large amount of BUNNY. They dumped on the market, thereby causing a price crash. The hacker then paid back the debt via PancakeSwap, making way with around $3 million eventually.
Conclusion
With a significant rise in frauds relating to flash loans recently, we are working endlessly to invent tools useful to mitigate different types of hacks. It’s a must that we evolve rapidly and we very well understand that. Our hack mitigation tools and our Protocol are carefully designed to function optimally in the times that many DeFi protocols are failing in security. For instance, our vault security tool is specially designed to limit transactions to unintended wallets in a number of ways mentioned in our recent articles.
Our intent also is for our community to educate themselves with this kind of publication in order to protect themselves while we continue to find ways to make the DeFi space a safer place for us all. Stay safe.
About Lossless
Lossless is the world’s first DeFi hack mitigation tool for token creators. Apart from our known cyber security solutions and renowned professionals, the community also plays a role. With a tangible reward system, community members are also encouraged to explore new ways to detect hacks and fraudulent transactions.
Our protocol halts counterfeit transactions through various methods of fraud identification and automatically reverses any stolen tokens back to the original owner. Our solutions to the impending problems of cyber theft within the blockchain space are thorough and applicable within many protocols.
Twitter | Telegram | Website | Whitepaper
