{"id":8405,"date":"2022-09-28T07:55:25","date_gmt":"2022-09-28T07:55:25","guid":{"rendered":"https:\/\/mdr.foobrdigital.com\/?p=8405"},"modified":"2022-09-28T07:55:25","modified_gmt":"2022-09-28T07:55:25","slug":"how-flash-loan-attacks-work","status":"publish","type":"post","link":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/2022\/09\/28\/how-flash-loan-attacks-work\/","title":{"rendered":"How Flash Loan Attacks Work"},"content":{"rendered":"\n<p>One of the weaknesses of the current DEFI model is the difficulty of applications built on Smart Contracts getting data from the outside world, most importantly price data.&nbsp;<\/p>\n\n\n\n<p>Any application that offers token swaps, for example, needs to know the current exchange rate, so will reference\u00a0an Oracle, a service that feeds this data, via API, into Smart Contracts.<\/p>\n\n\n\n<p>This arrangement presents a huge opportunity for anyone with the right combination of Solidity programming and Trading smarts. Here\u2019s an example:<\/p>\n\n\n\n<ul><li>Get a Flash Loan of 10,000 ETH<\/li><li>Use the ETH to buy a large amount of wBTC (wrapped Bitcoin)<\/li><li>Use the remainder of the ETH to short ETH\/wBTC<\/li><li>Use your wBTC to take out a large ETH loan &amp; cause price slippage in ETH\/wBTC<\/li><li>Return the wBTC generating more ETH than was originally provided because of slippage on the ETH\/wBTC pair<\/li><li>Close out the Flash Loan paying the fee and pocket the additional ETH gained<\/li><\/ul>\n\n\n\n<p>This all happens instantaneously, giving none of the points along the chain any chance to react. Given that the attacker is simply manipulating the price of ETH\/wBTC some people argue that what they are doing isn\u2019t necessarily illegal or even immoral; remember that code is law.<\/p>\n\n\n\n<p>Flash Loans present one of the greatest tests of that mantra; the alternative of greater oversight or regulation is seen as too great a compromise, so the only other options are:<\/p>\n\n\n\n<ul><li>Smart Contract audits &#8211; which help, but don\u2019t guarantee safety<\/li><li>Incentivising white hat hackers to expose Smart Contract flaws through bug bounties<\/li><li>Building out Insurance products specifically for DEFI&nbsp;<\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>$2.3 billion<\/strong>\nAccording to Chainalysis $2.3 billion was stolen from \nDEFI applications in 2021, with 50% of that down to \ncode exploits and Flash Loans. Cream Finance was \nexploited on three separate occasions via Flash \nLoans within an eight-month period with losses \napproaching $190 million.\u00a0<\/code><\/pre>\n\n\n\n<p>Some of these Flash Loan exploits might be put down to the speed at which DEFI has been evolving, but given the scale of losses, it seems likely that the \u2018growing pain\u2019 argument won\u2019t wash with regulators who may feel mandated to step in to protect investors.<\/p>\n\n\n\n<p>The validity of Flash Loans is just one component of the broader debate about the benefits of crypto. You can argue that they are helping iron out market inefficiencies, which indirectly benefits all users. On the flip side, many see Flash Loans as just an extension of the dark arts of shadow banking and derivatives trading within traditional finance, which generate little practical value and illustrate how disconnected the gamified nature of DEFI is from reality.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the weaknesses of the current DEFI model is the difficulty of applications built on Smart Contracts getting data from the outside world, most importantly price data.&nbsp; Any application that offers token swaps, for example, needs to know the current exchange rate, so will reference\u00a0an Oracle, a service that feeds this data, via API, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[317],"tags":[],"_links":{"self":[{"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/posts\/8405"}],"collection":[{"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/comments?post=8405"}],"version-history":[{"count":0,"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/posts\/8405\/revisions"}],"wp:attachment":[{"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/media?parent=8405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/categories?post=8405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mudassirbackup.infinitycodestudio.com\/index.php\/wp-json\/wp\/v2\/tags?post=8405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}