People who carry out flash credit attacks use a smart contract, which is publicly available, to generate revenue for themselves. Does that mean that the people who do this are following the written law? So it should be legal, right? Although the idea is excellent and works well, unfortunately, there are those who take advantage of this form of loan. Read on to learn more about flash credit attacks and how to prevent them.
To take advantage of constraint optimization, we first model the various components that can make up a DeFi attack. We quantitatively formalize each endpoint provided by DeFi platforms as a state transition function S' = T(S, p) with constraints C(S; p), where S is the given state, p is the parameters chosen by the opponent and S' is the output state. For example, the state can represent the adversary's balance or any internal state of the DeFi platform, while the constraints are imposed by the execution requirements of the Ethereum virtual machine (e.g., a company's ether balance should never be a negative number) or the rules set by the particular DeFi platform (e.g., a flash loan must be repaid before the transaction is completed plus credit charges). Note that when quantifying profits, we ignore interest payments/loan fees and Ethereum transaction fees, which are negligible in current DeFi attacks. Constraints are applied to input parameters and output states to ensure that the optimizer (for the model) returns valid parameters. We refer to the document for full details.
A new form of “making money” has emerged in recent years, the flash credit attack. In very rough terms, a loan of one cryptocurrency is contracted, the cryptocurrency is used in a currency exchange service that changes the relative value of the two cryptocurrencies, the profit from this change is made, and the loan is repaid as part of the same transaction.
More details about such an attack can be found here, along with this graphic summary: Visit Winston & Strawn's Play Book blog for more information on flash lending. Although DeFi flash loans have gained popularity and liquidity, they are far from perfect. There are two main units in a flash loan: the lender and the borrower. At the same time, the attacker used the second part of the loan on the Compound platform to get a WBTC flash loan. When Uniswap's price skyrocketed, the attacker quickly made the trade – and a significant illegal profit. Then they used the 2,028,367 DAI to buy $2,064,182 in Curve's SUSD pool, after which they repaid the flash loan and kept the difference of $16,182. The guarantee usually applies to large sums of money and helps the lender offset its losses by selling the assets if the borrower is unable to repay the loan. Personally, I think the use of flash loans for smart arbitrage is also legal, but I can see some argue that the actions could be described as abuses.
The core of this trade involves margin trading on one DEX (bZx) to increase the price of WBTC/ETH on another DEX (Uniswap), thus creating an arbitrage opportunity. The trader then borrows WBTC with ETH as collateral (on Compound), and then buys ETH at a “cheaper” price on the distorted DEX market (Uniswap). To maximize profit, the adversary then converts the “cheap” ETH into WBTC at an unmanipulated market price over a two-day period after the flash credit. The opponent then returns WBTC (to Compound) to buy back the ETH guarantee. The following figure shows that this trade consists mainly of two parts. For simplicity, we do not convert between WETH (the ERC20 exchangeable version of ETH) and ETH. Full details are described in the document.
While wash trading on centralized exchanges can be done at little or no cost and perhaps even without real assets, wash trading on DEX requires wash traders to hold and use assets. Flash loans can remove this “hurdle” to reduce the cost of loan interest, trading fees, and transaction (blockchain) fees. For example, a wash trading attempt to increase Uniswap's 24-hour ETH / DAI market volume by 50% would cost around $1,298 (with a flash loan from dYdX).
When it comes to flash lending, the biggest risks currently plaguing the DeFi ecosystem are data leaks as well as smart contract bugs that enable these attacks. Once the operations are completed, the user returns the assets with or without the borrowed assets from the flash loan providers. In February 2021, a hack of the Alpha Homora protocol resulted in a loss of $37 million. The flash loan attacker also used C.R.E.A.M. Finance's Iron Bank through a series of flash loans. The Iron Bank is the credit arm of the Alpha Homora protocol.
To measure flash credit usage, between January 8, 2020 and February 26, 2020, we collected flash credit data using a full archive Ethereum node that collects all event logs from the Aave smart contract. Note that Aave was only put online at the beginning of January 2020. We observe a total of 105 loans, and most flash credits interact with credit/trade DeFi systems (e.g. Compound, Dai, MakerDAO, Uniswap). The transaction cost of flash credit (i.e. gas) appears to be significant (sometimes beyond 4M gas, compared to 21k gas for regular ether transfer).
Full details can be found in Figure 5 of the accompanying document. With flash loans, a trader can trade on different DEX without having to hold a currency position or be exposed to volatility risks. The trader can simply open a loan, make arbitrage transactions and repay the loan plus interest. One could argue that flash loans make arbitrage risk-free, but the risks of smart contract vulnerabilities remain. Alternatively, you can also use smart contracts to run flash loans on platforms such as Aave, dYdX, and Uniswap. Here's how this attack is carried out with a flash loan: It's commonly referred to as an exploit, attack, hack, or theft, but is it illegal? Flash loans are intentionally created features, and taking advantage of changes in the relative value of assets is a common feature of financial markets. Are there any laws broken during these attacks? Below, we observe two adversarial flash lending transactions, a pumping and arbitrage attack and an oracle manipulation attack. It depends on how many people agree with you. If a lot of people disagree, it's illegal and they're splitting a new channel.
On the other hand, the borrower can only make a profit. You can use the borrowed funds to profit from arbitrage in the crypto market. If the transaction fails, the money simply returns to the lender. But realistically, it's a useful tool for market corrections. The problem is (was), i.e. the combination of Flashloans + Bots + SRM, every component of this combination is actually useful.
The term flash loan describes when a borrower takes out a loan without the need for collateral. You may be wondering: How is this possible? With a platform's smart contract, the entire credit and return process takes place within a single transaction on the blockchain. The first challenge is that the developer is unable to cover all possible weaknesses because blockchain technology is relatively new. Another problem is that the systems are developed quickly and there is a lot of money in each of these projects. There is a lot at stake, and many developers try different methods to find bugs in the system. Some flash credit attackers use incorrect calculations of cash pools.
Still others are miner attacks or coding errors. If the user is unable to repay the loan before the transaction is complete, a smart contract cancels the transaction and returns the money to the lender. This means that the borrower must act quickly and repay the loan in a short period of time. If the lender defaults in any way, the entire transaction will be cancelled as if nothing had happened. In other words, if the value of the collateral can no longer cover the debt, the platform sells the collateral at a discounted price to repay part of the loan. This process is called liquidation. If you don't pay your flash loan, the lender's smart contract cancels the loan and returns the money to the user. For those most familiar with DeFi, flash loans seem to be the perfect alternative.
They do not require upfront collateral and anyone can create a loan without restrictions. In addition, it is the only loan that does not require personal identification. The most common loans in traditional financing are secured loans and unsecured loans. Late Wednesday, blockchain security provider Peckshield identified that a flash credit attack was underway against DeFi lending platform Cream Finance, with attackers attempting to steal tokens from liquidity provider Cream.