How Crypto 'Flash Loans' Are Making (And Losing) People Millions

Crypto, at its best, is all about giving ordinary people more power—over their finances, over their data, and over their digital identity. 

But crypto, at its worst, doesn’t fully think through the consequences of letting anyone access that power. 

Nothing sums up this inherent contradiction better than flash loans, which let anyone borrow as much money as they want with no collateral. The catch? The loan must be paid back in the same blockchain transaction—within seconds. 

Flash loans are made possible through the decentralized finance (DeFi) ecosystem, where instead of banks and bankers handling your money, users are free to choose from a wide array of financial protocols that run autonomously on the blockchain. 

Put simply, gone are the days of bringing your proof of income statements and middle school report card to your loan application, only to be rejected. In DeFi, as the saying goes, “code is law,” meaning no human ever stands between you and your money.

Removing humans from the financial equation allows DeFi protocols to offer financial products that can be hard to wrap your head around. Like can anyone really borrow hundreds of millions of dollars, without human approval and collateral, as long as they pay it back a few seconds later with a .05% fee? 

Yes. Yes they can. 

Flash loans were designed to help ordinary people exploit the same arbitrage opportunities that were once the domain of well-capitalized hedge funds with billions in the bank. With arbitrage, if an asset is selling for less on one exchange than another, the obvious move is to buy low and sell high, but your profits are limited by the amount of capital you’re able to allocate to the trade. 

With flash loans, that limit is removed, allowing users to profit more from trades, protocols to profit more from fees, and exchanges to operate more efficiently. 

In fact, a crypto bot recently borrowed $200 million to make a profit of just three dollars. It’s wacky, sure, but it’s also a DeFi success story: that trader is $3 richer, the DeFi protocols make a few bucks in fees, and everyone walks away happy. 

But while flash loans were designed for above-the-board market arbitrage, they’ve also become the preferred tool for hackers looking to exploit vulnerabilities in the way DeFi protocols are designed. Hence: flash loan attacks. 

Euler Finance was drained for nearly $200 million following a successful flash loan attack. Beanstalk lost $181 million. Cream Finance lost $130 million. And the list (of both losses and terribly-named DeFi protocols) goes on and on. 

The technical details behind flash loan attacks usually differ. Some hackers use flash loans to buy up all the governance tokens of a DeFi protocol, appointing themselves the dictator and draining the protocol’s reserves. Others use market manipulation in order to trick the DeFi protocol into letting them take out a loan far greater than the value of their reserves.

But while some of these attacks are possible without flash loans, the access to mind-numbing amounts of capital through flash loans makes these attacks catastrophic. After all, most hackers don’t have access to tens of millions of dollars without help. 

So how can DeFi developers prevent flash loan attacks? An entire industry of smart contract auditors has sprung up alongside DeFi, but even they sometimes fail to catch vulnerabilities. In fact, the flawed smart contract that led to the Euler Finance hack had been audited by multiple firms. 

Many DeFi protocols also offer bug bounties, or rewards for hackers who disclose vulnerabilities. Those bug bounties have worked as healthy incentives for “white-hat hackers” to report vulnerabilities to projects rather than abuse them for their personal gain as “black-hat hackers” are wont to do.  But if a hacker has the choice between making, say, $100,000 worth of clean money and $100 million worth of dirty money, what’s stopping them from choosing the black hat?

A big-ass stick.

Take the case of Avaraham Eisenberg, who exploited the DeFi protocol Mango Markets to the tune of $117 million. Eisenberg self-funded his attack, but the market manipulation strategy he developed in order to drain Mango echoes many similar flash loan attacks. Eisenberg proclaims his innocence, once infamously describing the attack as a “highly profitable trading strategy.” 

Authorities disagreed, arresting him in Puerto Rico and charging him with several civil and criminal counts. 

It remains to be seen whether the threat of facing justice will help deter future attacks, but in a possible sign that the tide is turning, the Euler attacker ended up apologizing and returning 100% of the stolen funds – even declining to even keep a bug bounty that the Euler team had offered them.  

For more about flash loans and DeFi, including why the CEO of a crypto firm that had itself been hacked for $160 million feels that these attacks are just the “cost of doing business,” check out our latest episode above. 

To support our community-owned outlet, own it with us, and unlock exclusive benefits, mint one of our NFTs today!

Subscribe to Coinage on YouTube