Flash loans are a relatively new type of unsecured loan in decentralized finance (DeFi). First offered by Aave in early 2020, they have since grown in popularity and are available on a number of lending protocols.
Many crypto industry experts have become strong advocates of flash loans because they offer new ways to arbitrage, execute fast transactions, and provide many other features previously unavailable in traditional finance.
Most of us are familiar with traditional loans, in which a lender lends money to a borrower, who repays it over a fixed period of time together with a premium or interest on top of the principal. A flash loan shares these basic principles but has several unique features.
It is an unsecured loan: the borrower does not need to post any assets or deposits as collateral to obtain it. In addition, unlike a traditional unsecured loan, there is no credit check.
All flash loans are executed through smart contracts on the blockchain, which require that the borrower return the funds within a single blockchain transaction; if that does not happen, the whole transaction is reverted as if it never took place. This key difference is why borrowers can get a flash loan without any collateral or credit check: it removes the risk to the lender.
The lending process is instantaneous. Once the loan is extended, the borrower must invoke other smart contracts within that same transaction to put the flash loan to use, then return the funds before the transaction completes and the block is closed, usually within a few seconds.
Given that lenders have zero capital risk and borrowers have no collateral or credit check obligations, it’s no surprise that flash lending has grown so quickly across DeFi since last year.
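To make the single-transaction rule concrete, here is an added Python model of the mechanism described above; it is not code from the original article or from any lending protocol. The pool, the 9 bps fee, the reserve amounts and the two borrower callbacks are all constructed for the example. The point it demonstrates is that the pool checks its own balance after the borrower's callback returns and rolls back every state change if principal plus fee is not there, so a defaulting borrower leaves the pool exactly as it found it.

```python
from copy import deepcopy
from typing import Callable, Dict, List, Tuple

class FlashLoanRevert(Exception):
    """Raised when the loan is not repaid; signals that the whole transaction was rolled back."""

# Type of the borrower's callback: (pool, asset, amount, fee) -> None
Borrower = Callable[["LendingPool", str, float, float], None]

class LendingPool:
    """Toy flash-loan pool (hypothetical, built for this example; not any real protocol's code)."""

    def __init__(self, reserves: Dict[str, float], fee_bps: int = 9) -> None:
        self.reserves = reserves          # asset -> amount held by the pool
        self.fee_bps = fee_bps            # 9 bps = 0.09%; assumed fee for the example
        self.log: List[Tuple[str, str, float]] = []   # (event, asset, amount), kept for inspection

    def repay(self, asset: str, amount: float) -> None:
        """Called by the borrower's callback to return funds to the pool."""
        self.reserves[asset] += amount
        self.log.append(("repay", asset, amount))

    def flash_loan(self, asset: str, amount: float, borrower: Borrower) -> float:
        """Lend `amount`, run the borrower's callback, then require principal + fee back.
        If the pool is short, or the callback raises, every state change is discarded,
        mirroring an EVM revert: the loan never happened. Returns the fee earned."""
        if amount > self.reserves.get(asset, 0.0):
            raise FlashLoanRevert("insufficient liquidity")
        fee = amount * self.fee_bps / 10_000
        # Snapshot the state at the start of the transaction so it can be restored.
        snapshot = (deepcopy(self.reserves), list(self.log))
        required = self.reserves[asset] + fee      # balance the pool must hold at the end
        self.reserves[asset] -= amount
        self.log.append(("borrow", asset, amount))
        try:
            borrower(self, asset, amount, fee)     # arbitrary borrower logic, same transaction
            if self.reserves[asset] < required:
                raise FlashLoanRevert(f"pool short by {required - self.reserves[asset]:.4f} {asset}")
        except Exception as exc:
            self.reserves, self.log = snapshot      # revert: as if nothing happened
            raise FlashLoanRevert(str(exc)) from exc
        return fee

def honest_borrower(pool: LendingPool, asset: str, amount: float, fee: float) -> None:
    """Constructed stand-in for a borrower whose trade paid off: it returns
    principal + fee inside the callback and keeps whatever surplus it made."""
    pool.repay(asset, amount + fee)

def defaulting_borrower(pool: LendingPool, asset: str, amount: float, fee: float) -> None:
    """Returns only half of the principal; the pool must detect the shortfall and revert."""
    pool.repay(asset, amount / 2)

def run_scenarios() -> Dict[str, object]:
    """Run an honest loan and a defaulting loan against the same pool and report pool state."""
    pool = LendingPool({"ETH": 1_000_000.0})       # constructed reserves
    results: Dict[str, object] = {}
    results["honest_fee"] = pool.flash_loan("ETH", 500_000.0, honest_borrower)
    results["reserves_after_honest"] = pool.reserves["ETH"]   # principal back plus 450 ETH fee
    try:
        pool.flash_loan("ETH", 500_000.0, defaulting_borrower)
        results["default_reverted"] = False
    except FlashLoanRevert:
        results["default_reverted"] = True
    results["reserves_after_default"] = pool.reserves["ETH"]  # unchanged by the failed loan
    results["events"] = list(pool.log)                         # only the honest loan's events remain
    return results

if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The snapshot-and-restore in `flash_loan` is the whole story: nothing the borrower did, including the partial repayment, survives the revert, which is why the lender carries no capital risk. A real contract gets this rollback for free from the EVM rather than implementing it by hand.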
Let’s look at a few flash loan use cases. In the first case, suppose a user borrows DAI using ETH holdings as collateral. If the price of ETH starts to fall, the value of the collateral drops and the user faces the risk of the loan being liquidated at some point.
To resolve this situation, the user can take advantage of a flash loan: with it, the borrower can swap the volatile ETH collateral for stablecoins. The value of the collateral immediately becomes stable, removing the risk of liquidation.
While this use case falls under the collateral swap category, you can also use a flash loan to swap out your debt. Consider the previous example, where you borrowed DAI.
If demand for DAI loans suddenly increases, the interest rate on DAI rises above the rate you were paying before. To avoid paying more interest, you can protect your capital by swapping the DAI debt for debt in another currency with a lower borrowing rate.
Flash loan attacks
In principle, flash loans allow users to borrow as much as they want without any collateral. As a result, a borrower can take out thousands or even hundreds of thousands of dollars’ worth of ether as a loan without any collateral or KYC process.
This has led to the rise of flash loan attacks, in which malicious actors take out large flash loans and use the funds to manipulate the market and exploit various DeFi protocols for substantial profit, often at the expense of regular investors and platform users.
These attackers route the borrowed flash loan funds through a series of vulnerable on-chain protocols to extract hundreds of thousands of dollars in assets before the loans are repaid.
Multiple flash loan attacks have occurred in the past year, and the frequency of these attacks appears to be increasing.
We will look at some of them in detail to better understand the phenomenon.
Example of a flash loan attack
The first flash loan attack occurred in 2020, when the borrower used the DeFi lending protocol dYdX to obtain an ETH flash loan, then split the loan into two parts and sent them to the lending platforms Compound and Fulcrum.
On Fulcrum, part of the flash loan was used to short ETH against WBTC, and Fulcrum went on to acquire WBTC from the popular decentralized exchange Uniswap through another DeFi protocol called Kyber.
Because Uniswap’s WBTC liquidity was low, the purchase pushed the asset price up. As a result, Fulcrum paid a higher price than usual to acquire WBTC.
At the same time, the borrower obtained a WBTC loan from Compound and sold it on Uniswap, where the price of WBTC had risen.
By manipulating multiple protocols and artificially increasing the price of WBTC, the borrower made a significant profit, not only repaying the ETH loan but also keeping the excess ETH.
While the borrower made significant gains, Fulcrum was tricked into acquiring WBTC at a price well above the market price.
In a separate flash loan attack, the attackers again exploited and manipulated the bZX protocol on which Fulcrum is built. First, the borrower took a portion of the ETH loan and placed a large order for sUSD on Kyber.
Smart contracts know about currencies and their prices, but they do not understand that stablecoins are pegged to the US dollar. The large order caused the price of sUSD to spike to $2 each, contrary to what a stablecoin is supposed to do.
With the purchasing power of sUSD doubled, the borrower used it to take out more ETH than originally borrowed, paid off the first ETH loan, and ran off with the rest of the money.
In this case, the user tricked Kyber into believing that sUSD could be priced well above $1.
How can I prevent these flash loan attacks?
Since these attacks rely on a DEX or a single price feed that can be manipulated by placing large orders, it is prudent to use decentralized price oracles to determine the correct price of assets.
A dApp can protect itself from flash loan attacks in a number of ways; some of the most common are:
Decentralized oracles – The safest option is undoubtedly to use decentralized oracles that draw on multiple sources to find the “true price”. Some decentralized oracles, such as our own Umbrella Network, go a step further and ensure the reliability of the data by committing it to the blockchain.
This means that if an attacker attempts a flash loan attack on a dApp that gets its feed from a decentralized oracle, the price manipulation will fail, the transaction window will pass, and the entire transaction will be reverted without taking effect.
High-frequency price updates – a simple fix on paper, but potentially more expensive in practice. Here, we simply increase how often the liquidity pool queries the oracle for new prices. The logic is that as updates become more frequent, the token prices in the pool update faster and invalidate price manipulation.
Time-weighted average pricing – It is common practice to use the average (or most recent median) to calculate prices in a liquidity pool. TWAP instead uses the average price across multiple blocks.
This helps counter flash loan attacks because the entire sequence of attacking transactions has to be processed within the same block, whereas a TWAP cannot be moved without manipulating the price across every block in the averaging window.
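The following added Python example shows why a TWAP feed resists the single-block manipulation the article describes while a raw spot price does not. It is not code from the original article, from Uniswap or from any oracle project: the constant-product pool, its Uniswap-v2-style cumulative price accumulator (simplified, with the swap fee ignored), the WBTC/ETH reserves and the 75% loan-to-value rule are all constructed for the example. A hypothetical lending contract values one WBTC of collateral with each price source during the manipulated block, and the two answers differ by a factor of four.

```python
from typing import Dict, List

class ConstantProductPool:
    """Simplified x*y=k pool with a Uniswap-v2-style price accumulator (swap fee ignored).
    Constructed for this example; not any exchange's actual code."""

    def __init__(self, reserve_a: float, reserve_b: float) -> None:
        self.a = reserve_a       # token A reserve, e.g. WBTC
        self.b = reserve_b       # token B reserve, e.g. ETH
        self.block = 0
        # cumulative[i] = sum of the end-of-block spot prices of blocks 0 .. i-1
        self.cumulative: List[float] = [0.0]

    def spot(self) -> float:
        """Current price of one A in units of B, read straight from the reserves."""
        return self.b / self.a

    def swap(self, token_in: str, amount_in: float) -> float:
        """Trade `amount_in` of token_in ("A" or "B") against the pool; returns the amount out."""
        k = self.a * self.b
        if token_in == "A":
            new_a = self.a + amount_in
            out = self.b - k / new_a
            self.a, self.b = new_a, k / new_a
        else:
            new_b = self.b + amount_in
            out = self.a - k / new_b
            self.a, self.b = k / new_b, new_b
        return out

    def next_block(self) -> None:
        """Close the current block. Only the price standing at block end enters the
        accumulator, so anything done and undone within one block leaves no trace."""
        self.cumulative.append(self.cumulative[-1] + self.spot())
        self.block += 1

    def twap(self, window: int) -> float:
        """Time-weighted average price over the last `window` closed blocks."""
        start = max(0, self.block - window)
        return (self.cumulative[self.block] - self.cumulative[start]) / (self.block - start)

def max_borrowable(collateral_a: float, price_a_in_b: float, ltv: float) -> float:
    """How much B a hypothetical lending contract would lend against `collateral_a`."""
    return collateral_a * price_a_in_b * ltv

def run_scenario() -> Dict[str, float]:
    """Compare a spot-price feed with a 10-block TWAP while one block is being manipulated."""
    pool = ConstantProductPool(100.0, 3_000.0)   # constructed: 100 WBTC / 3000 ETH, 30 ETH per WBTC
    for _ in range(10):
        pool.next_block()                         # ten calm blocks at the same price
    r: Dict[str, float] = {"spot_before": pool.spot()}
    # A flash-loan-sized buy in the currently open block quadruples the spot price.
    wbtc_out = pool.swap("B", 3_000.0)
    r["spot_during"] = pool.spot()                # 120 ETH per WBTC
    r["twap_during"] = pool.twap(10)              # still 30: the open block is not in the accumulator
    # The same 1 WBTC of collateral, valued by each price source at 75% LTV.
    r["borrow_vs_spot"] = max_borrowable(1.0, r["spot_during"], 0.75)
    r["borrow_vs_twap"] = max_borrowable(1.0, r["twap_during"], 0.75)
    # The position is unwound before the block closes, so the next block records nothing unusual.
    pool.swap("A", wbtc_out)
    pool.next_block()
    r["spot_after"] = pool.spot()
    r["twap_next_block"] = pool.twap(10)
    return r

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

A lender reading `spot()` inside the manipulated block would lend 90 ETH against collateral that is worth 22.5 ETH by the TWAP, which is exactly the over-valuation the bZX incidents relied on. Moving the TWAP instead would require holding the price up across the whole window, paying the pool's slippage in every one of those blocks.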
Another recommendation for preventing such attacks is to require the transaction cycle to span two blocks instead of one.
As you can imagine, this complicates the process and is a disincentive for attackers. However, it also risks degrading the DeFi user interface and experience.
Some protocols also integrate flash loan attack detection tools that help identify, respond to, and neutralize attacks in a timely manner. However, it is difficult to confirm the effectiveness of these tools without enough examples of attacks they have averted.
DeFi is still an emerging field. It is undergoing many innovations and rapid fundamental shifts in the way it operates. Rapid change, even when innovative, often leads to highly vulnerable areas being overlooked.
Attackers will continue to probe the vulnerabilities that exist, but with each incident, prevention mechanisms will become more robust as the entire ecosystem evolves.
While there are ways to help mitigate the risk, such as decentralized oracles, higher-frequency price updates or TWAP strategies, it will take some time to combat these attacks as the DeFi industry as a whole adopts more effective approaches and flash loans cease to be a potential tool for exploitation.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/learn-about-lightning-loan-features-types-and-lightning-loan-attack-solutions-in-one-article/