Flash loan attacks have become a notable security concern in the DeFi (decentralized finance) space. These attacks exploit the unique characteristics of flash loans, which are uncollateralized loans that must be borrowed and repaid within a single transaction.
Flash loans allow users to borrow large sums of cryptocurrency without providing any collateral, as long as the loan is repaid within the same blockchain transaction. This capability, initially introduced by the Aave protocol, is leveraged for various legitimate purposes such as arbitrage, collateral swapping, and liquidity provision. However, the feature’s inherent properties also open the door for malicious exploitation.
In a typical flash loan attack, the attacker borrows a large amount of cryptocurrency through a flash loan and uses it to manipulate the market or exploit vulnerabilities in smart contracts. The key steps involved are:
1.Borrowing the Loan: The attacker takes out a flash loan from a DeFi protocol.
2.Executing the Exploit: Using the borrowed funds, the attacker performs a series of operations to exploit
vulnerabilities in other DeFi protocols. This could involve manipulating the price of an asset on a decentralized exchange (DEX), exploiting flaws in smart contract logic, or taking advantage of poorly designed economic mechanisms.
3.Repaying the Loan: After the exploit, the attacker repays the flash loan within the same transaction, pocketing the profits made from the exploit.
UwU Lend suffered two serious attacks, resulting in a total loss of approximately US$23 million to the project. The first attack occurred on June 10. The attacker used a large amount of funds borrow from flash loans to manipulate the price of USDe and lost approximately US$19.3 million. After the attack, UwU Lend quickly suspended the agreement andInterest rates for borrow and deposit are set to 0% to ensure that users’ positions are not affected by the pause; The second attack followed on June 13. The attacker used the 60 million uSUSDE obtained in the first attack as collateral to lend assets and lost approximately US$3.7 million.
The root case of this is using flashloan and oracle source to manipulate orlace price, if we dive into attrack trace, we can notice that the price difference in borrow and liquidation.
In fact, all flash loan attacks involve borrowing a large amount of funds through a flash loan. The flash loan itself is not the problem. This recent Prisma attack is similar. The root cause is the lack of input validation, allowing attackers to borrow funds via flash loans to exploit logical vulnerabilities for profit.
Attacker using flashloan and invalid input validation, close trove first and open new one to migrate, attacker will get all closed trove funds.
Root case is business logic error , attacker use flashloan to maximize the profit of this attack.
root case is allowance don’t cancel after campaign canceled.
1.Smart Contract Audits: Regular audits by security experts can help identify and fix vulnerabilities in smart contracts before they can be exploited.
2.Oracles: Using decentralized oracles can provide more reliable and tamper-resistant price feeds, reducing the risk of price manipulation.
3.Limits on Flash Loans: Implementing restrictions on the maximum amount that can be borrowed in a flash loan can mitigate the impact of potential attacks.
4.Multi-Sig and Timelocks: Incorporating multi-signature mechanisms and timelocks in critical functions can provide additional security layers, ensuring that changes cannot be executed instantly without oversight.
Flash loan attacks exploit the fundamental characteristics of flash loans, allowing attackers to manipulate DeFi protocols and profit from vulnerabilities. As the DeFi ecosystem continues to grow, it is crucial for developers and users to understand these risks and implement robust security measures to protect against such attacks.
We focus on cyber Security and Threat Detection and Response, and provide industry-leading Cyber Security Solutions, which can completely cover all cyber security requirements of all kinds application scenarios.