Quick loans, or “flash loans”, increasingly popular in the decentralized finance (DeFi) ecosystem, are attracting both investors and cybercriminals, according to a warning from ESET. This new model of unsecured lending has grown rapidly, largely thanks to DeFi protocols that let users borrow funds, use them and repay them within the same transaction.
“Although a loan of this kind could not be used to buy a car or other goods, they are widely used for different activities in the crypto ecosystem, such as swapping collateral, arbitrage trading, saving on transaction fees and refinancing debt, among others,” says Mario Micucci, Information Security Researcher at ESET Latin America.
How do flash loans work?
Flash loans are possible because smart-contract transactions are atomic: a single transaction can borrow the funds, move and swap them, and finally return them together with the corresponding fee. If the principal plus fee is not back in the lending pool by the end of that transaction, the whole transaction reverts and none of its intermediate transfers take effect, which is why no collateral is required. The borrower keeps any profit, all of the movements are recorded in the same block, and the lending protocol's liquidity is never at risk.
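The atomic borrow, use, repay cycle described above, as a toy simulation. This is an added example and not code from ESET or from any DeFi protocol: the lender, the accounts, the 0.09 % fee and all amounts are constructed, and the on-chain revert is modelled by restoring a snapshot of an in-memory ledger.

```python
"""Toy model of flash-loan atomicity (an added example, not ESET's code).

The lend -> use -> repay sequence runs inside one transaction. If the borrower
has not returned principal plus fee by the end of it, the whole transaction
reverts and no intermediate transfer survives, which is why the loan needs no
collateral. Token balances are plain integers in a dict; the on-chain revert is
modelled by restoring a snapshot of that dict. All amounts are constructed.
"""
import copy

FLASH_FEE_BPS = 9  # 0.09 % flash-loan fee, chosen for the example


class Revert(Exception):
    """Stands in for an EVM revert: every state change in the transaction is undone."""


class FlashLender:
    def __init__(self, ledger, name="pool"):
        self.ledger = ledger      # account -> token balance, shared with the borrower
        self.name = name

    def flash_loan(self, borrower, amount, callback):
        """Lend `amount`, run the borrower's `callback`, then demand repayment.

        Returns the fee collected; raises Revert (after rolling back) otherwise.
        """
        ledger = self.ledger
        if ledger[self.name] < amount:
            raise Revert("insufficient liquidity")
        fee = amount * FLASH_FEE_BPS // 10_000
        snapshot = copy.deepcopy(ledger)          # state at the start of the transaction
        try:
            ledger[self.name] -= amount
            ledger[borrower] = ledger.get(borrower, 0) + amount
            callback(ledger)                      # borrower's logic, same transaction
            owed = amount + fee
            if ledger[borrower] < owed:
                raise Revert("loan not repaid")
            ledger[borrower] -= owed
            ledger[self.name] += owed
        except Revert:
            ledger.clear()                        # roll back: nothing changed on-chain
            ledger.update(snapshot)
            raise
        return fee


def honest_scenario():
    """Borrower makes a profit with the funds and repays principal plus fee."""
    ledger = {"pool": 1_000_000, "alice": 0}
    lender = FlashLender(ledger)

    def arbitrage(state):
        state["alice"] += 5_000       # constructed stand-in for an arbitrage gain

    fee = lender.flash_loan("alice", 100_000, arbitrage)
    return ledger, fee                # ({"pool": 1_000_090, "alice": 4_910}, 90)


def default_scenario():
    """Borrower moves the funds elsewhere and never repays: the tx reverts."""
    ledger = {"pool": 1_000_000, "alice": 0}
    lender = FlashLender(ledger)

    def run_away(state):
        state["alice"] -= 100_000     # 'spends' the whole loan ...
        state["mallory"] = state.get("mallory", 0) + 100_000   # ... into another account

    try:
        lender.flash_loan("alice", 100_000, run_away)
    except Revert as exc:
        return ledger, str(exc)       # ({"pool": 1_000_000, "alice": 0}, "loan not repaid")
    return ledger, "no revert"


if __name__ == "__main__":
    print(honest_scenario())
    print(default_scenario())
```

In the second scenario the transfer to "mallory" disappears along with the loan itself: the lender's pool is whole again, which is the property that makes unsecured lending safe for the pool and, at the same time, gives an attacker capital they never have to hold.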
However, this financial innovation has also opened the door to new risks. An attacker can borrow a very large unsecured sum, use it to manipulate the price of a crypto asset in a market that other smart contracts rely on, profit from the distorted price and quickly unwind the position, all before the transaction ends. According to ESET data, some 125 exploits have been registered from 2020 to date, causing losses of approximately 3.9 billion dollars.
These attacks exploit common flaws in smart-contract programming: the attacker borrows assets from one or more lending platforms, uses them to move the market, and targets specific protocols and tokens whose contracts trust the manipulated values. In short, the attacker turns a contract's shortcomings to their own advantage.
Micucci adds that “the vulnerabilities are not in the Flash Loans themselves, but in their immature implementation.” Some of the most significant attacks have hit Cream Finance, with a loss of $130 million, the Alpha Homora protocol, with a loss of $37 million, and PancakeBunny, where nearly $3 million was stolen. The largest DeFi theft to date, in which attackers took $611 million from the Poly Network in August 2021, did not itself rely on a flash loan.
To minimize these risks, ESET recommends focusing on the design of decentralized price oracles, so that a protocol does not take its prices from a single pool that one transaction can move, and on deploying security tooling for DeFi. OpenZeppelin's audited contract libraries and Defender Sentinels, which monitor deployed contracts for suspicious transactions and raise alerts, are among the resources available to improve the security of smart contracts.
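The oracle manipulation outlined above, and the reason the recommendation focuses on oracle design, as a simulation. This is an added example rather than ESET's code or any real protocol's: the constant-product pool, the 0.3 % swap fee, the 0.09 % flash-loan fee, the 75 % loan-to-value limit, the reserves and the "TWAP" oracle (a plain average of one sample per past block, simpler than the time-weighted accumulators real AMMs expose) are all constructed for the illustration.

```python
"""Spot-price oracle manipulation with flash-loan capital (an added example,
not ESET's code; all reserves, fees and amounts are constructed).

A constant-product pool (x * y = k) between a token and a stablecoin sets its
price from its reserves, so one large swap moves it. A lending protocol that
values collateral at that spot price can be fooled inside a single transaction:
flash-borrow USD, buy token to pump the price, have the protocol read the
inflated price, sell the token back and repay the flash loan. An oracle that
averages prices recorded in earlier blocks (simplified TWAP) is not moved by a
trade in the current transaction.
"""
from collections import deque
from fractions import Fraction

SWAP_FEE_BPS = 30    # 0.3 % AMM swap fee
FLASH_FEE_BPS = 9    # 0.09 % flash-loan fee
LTV_BPS = 7_500      # protocol lends up to 75 % of collateral value


class ConstantProductPool:
    """Token/USD pool priced by x * y = k."""

    def __init__(self, token_reserve, usd_reserve):
        self.x = token_reserve
        self.y = usd_reserve

    def spot_price(self):
        """Instantaneous USD per token, read straight from the reserves."""
        return Fraction(self.y, self.x)

    def buy_token(self, usd_in):
        net = usd_in * (10_000 - SWAP_FEE_BPS) // 10_000
        out = self.x * net // (self.y + net)
        self.y += usd_in
        self.x -= out
        return out

    def sell_token(self, token_in):
        net = token_in * (10_000 - SWAP_FEE_BPS) // 10_000
        out = self.y * net // (self.x + net)
        self.x += token_in
        self.y -= out
        return out


class TwapOracle:
    """Average of the spot price sampled once per past block.

    Nothing is sampled mid-transaction, so a swap inside the attacker's own
    transaction never reaches the reported price.
    """

    def __init__(self, window):
        self.samples = deque(maxlen=window)

    def on_new_block(self, pool):
        self.samples.append(pool.spot_price())

    def price(self):
        return sum(self.samples) / len(self.samples)


def borrow_limit(price, collateral_tokens):
    """USD the lending protocol allows against `collateral_tokens` at `price`."""
    return int(collateral_tokens * price * Fraction(LTV_BPS, 10_000))


def simulate(use_twap):
    pool = ConstantProductPool(1_000_000, 2_000_000)   # fair price: 2 USD/token
    twap = TwapOracle(window=10)
    for _ in range(10):                                 # ten quiet blocks first
        twap.on_new_block(pool)
    oracle = twap.price if use_twap else pool.spot_price

    collateral = 10_000                                 # attacker's real tokens
    honest = borrow_limit(oracle(), collateral)

    # --- the attacker's single transaction ---
    loan = 2_000_000                                    # flash-borrowed USD
    bought = pool.buy_token(loan)                       # pump the token price
    manipulated = borrow_limit(oracle(), collateral)    # protocol values collateral now
    recovered = pool.sell_token(bought)                 # unwind the swap
    round_trip_cost = loan + loan * FLASH_FEE_BPS // 10_000 - recovered
    # --- flash loan repaid from `recovered` plus the over-borrowed USD ---
    return {"honest": honest, "manipulated": manipulated,
            "round_trip_cost": round_trip_cost}


if __name__ == "__main__":
    print("spot oracle:", simulate(use_twap=False))
    print("twap oracle:", simulate(use_twap=True))
```

Against the spot-price oracle the same 10,000 tokens that honestly support a 15,000 USD loan support 59,909 USD once the flash-borrowed 2,000,000 USD has been pushed through the pool, while the round trip (swap fees in both directions plus the flash-loan fee) costs only about 7,800 USD; the attacker walks away with the difference and leaves the protocol holding undercollateralised debt. With the block-sampled oracle the swap moves the pool's spot price exactly as far, but the protocol never sees it, so the limit stays at 15,000 USD. An averaging oracle is not a complete answer (an attacker who can afford to hold the distorted price across several blocks can still skew it), but it removes the zero-capital, single-transaction version of the attack that flash loans make possible.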
“Attacks that seek to take advantage of quick loans in the decentralized finance (DeFi) ecosystem are complex. They can be difficult to understand, as they require knowledge of how crypto-finance flows and their associated technologies work. While DeFi is still in its infancy, the ecosystem continues to mature and is becoming the focus of many users. Although the sector is still operating without a proper testing framework and this will cause future problems, it is also a fact that flash loans are a very recent addition to the DeFi ecosystem and represent a revolution of opportunities,” concludes Micucci.