Lightning-fast loans: be on the lookout for an attack that could cost you all your cryptocurrency savings


The world of decentralized finance (DeFi) has become popular in recent years. Since the price of bitcoin skyrocketed in 2021, many users who did not know what cryptocurrencies were started investing. But, as with everything in the digital world, there are a number of scams to watch out for so as not to fall into the trap: “flash loans”, or quick loans, can be very dangerous.


This type of flash credit offers funds to users without the need to provide collateral. However, a study released by ESET warned that since they operate on the blockchain network, they can lend themselves to scams.

The blockchain is an unalterable data structure that can be thought of as a public ledger, accessible to all, in which every cryptocurrency transaction is recorded. This is why digital currencies operate in a decentralized manner, without an authority such as a central bank that regulates or legitimizes them.


But it is precisely by virtue of this system that “it is possible to program a transaction so that a user borrows the funds, moves them through various smart contracts of other protocols, the corresponding exchange operations are carried out, and at the end of that same transaction the loan money and related fees are returned to the initial protocol while the user walks away with his earnings,” warns the cybersecurity company.

From 2020 to today, to give an idea, a little over 125 vulnerabilities have been used to abuse the decentralized finance ecosystem, causing losses of approximately $3.9 billion.

Here are the details of how the system works and what precautions to take to avoid being scammed.

What is a flash loan and how do the attacks work?

BTC and ETH, the most popular cryptocurrencies. Reuters photo

“When we talk about ‘flash loans’, we usually refer to something clearly related to the crypto world, since in traditional finance it would not be ‘flash’: the idea is that everything is automated via smart contracts in DeFi [Decentralized Finance], and that is why it would be exclusive to the crypto environment,” Ignacio Carballo, economist and director of the Center for Alternative Finance at the UCA, explains to Clarín.

A flash loan is essentially a type of instant credit that forms part of a single transaction and that does not require collateral in return, as traditional loans usually do.

“The important thing is that both the loan and its repayment take place in a single transaction cycle on the blockchain, i.e. within the same block. If the loan is not repaid in full, the entire transaction is rolled back and the user is not charged fees,” explains Alfonso Martel Seward, director of compliance at Lemon, a virtual wallet born in Argentina.

“The essence of Flash Loans lies in the atomicity of on-chain transactions. In this context, atomicity means that all operations occur simultaneously or not at all. If you can’t repay the loan at the end of the freeze, all trades are cancelled and the transaction is considered failed,” he continues.

A flash loan works as follows:

  • You request a loan of token A
  • You exchange token A for token B
  • You sell token B at a higher price
  • You buy token A again with the profits from the last trade
  • You return token A and keep the profits

However, “it is essential to emphasize that flash loans are not without risk. For example, price risk (if the value of assets fluctuates drastically within a block) and execution risk (if the network is too congested and the transaction is not included in the desired block),” Seward points out.

But this structure also entails a potential security problem if the mechanism is exploited: according to ESET, the main point lies in abusing the security of a platform’s smart contracts.

In this sense, “an attacker can request funds that do not require collateral and subsequently manipulate the price of a crypto-asset on one exchange platform and sell it quickly on another,” they explain.

“These assets can be used to manipulate the market in a major operation: by using decentralized exchange protocols (DEX) that function as the protocol’s only price oracle, the risks increase, as the attackers only need to get a flash loan in one token and exchange it for another on the DEX, thus altering both prices: one goes up and the other goes down,” ESET elaborates.

“Then they go to their destination protocol and use the second token to borrow even more of the first token, being able to repay the loan and pocket the difference while waiting for the market to correct the manipulated price,” they conclude.

“Regarding vulnerabilities in flash loans, we can assume that these do not lie in the Flash Loan itself, but in its immature implementation: all vulnerabilities exploited so far were in various protocols, and Flash Loans only funded the attacks,” explains Mario Micucci, Computer Security Researcher at ESET Latin America.

“Let’s take a case where a flash loan is used for arbitrage and a large price movement is generated. Users who have executed buy or sell orders with high slippage [the difference between the expected price of a trade and the price at which it is executed] can be affected by such manipulation,” warns Seward.

The expert describes the scam with a specific case:

  • I take token A
  • I exchange token A for token B, causing the price of the first to fall and the price of the second to rise
  • I use token B as collateral to borrow token A, receiving more token A than I originally took out
  • I return token A with the profits
  • Meanwhile, the price disparity and its movement cause the protocol to lose liquidity, losing integrity. This puts the entire protocol, and thus user deposits, at risk.
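To make ESET’s “DEX as the only price oracle” point and Seward’s scenario concrete, the following is an added toy simulation (example code, not from the article, ESET or Lemon). It models a constant-product DEX pool and a lending protocol with constructed numbers, and contrasts a protocol that values collateral at the DEX spot price with one that uses a manipulation-resistant reference price (a time-weighted average or external feed, fixed at the fair price here); the second case cannot repay the flash loan, so the whole transaction reverts and the protocol’s liquidity is untouched.

```python
class ConstantProductPool:
    """Minimal x*y=k DEX pool of token A and token B (no fees; constructed numbers)."""
    def __init__(self, reserve_a, reserve_b):
        self.a, self.b = float(reserve_a), float(reserve_b)

    def spot_price_b(self):
        return self.a / self.b   # price of one B in A, as a naive on-chain oracle reads it

    def swap_a_for_b(self, amount_a):
        """Sell A for B; a single large trade moves the spot price sharply."""
        k = self.a * self.b
        self.a += amount_a
        out_b = self.b - k / self.a
        self.b -= out_b
        return out_b

class LendingProtocol:
    """Lends A against B collateral, valuing B via the `price_oracle` callable."""
    COLLATERAL_FACTOR = 0.75   # borrow at most 75% of the collateral's value

    def __init__(self, liquidity_a, price_oracle):
        self.liquidity_a, self.price_oracle = float(liquidity_a), price_oracle

    def borrow_against(self, collateral_b):
        loan_a = min(collateral_b * self.price_oracle() * self.COLLATERAL_FACTOR, self.liquidity_a)
        self.liquidity_a -= loan_a
        return loan_a

def flash_loan_sequence(pool, protocol, flash_amount_a):
    """The article's sequence as one atomic transaction: borrow A, swap it for B, post B
    as collateral, borrow A, repay. Returns net gain in A; raises if repayment fails."""
    got_b = pool.swap_a_for_b(flash_amount_a)      # pushes B's spot price up
    borrowed_a = protocol.borrow_against(got_b)    # collateral valued by the oracle
    if borrowed_a < flash_amount_a:
        raise RuntimeError("flash loan not repaid: the whole transaction reverts")
    return borrowed_a - flash_amount_a

def run(use_spot_oracle):
    pool = ConstantProductPool(1_000_000, 1_000_000)   # fair price: 1 B = 1 A
    # Vulnerable: read the DEX spot price. Hardened: a manipulation-resistant reference
    # price (time-weighted average or an external feed), fixed at the fair 1.0 here.
    oracle = pool.spot_price_b if use_spot_oracle else (lambda: 1.0)
    protocol = LendingProtocol(2_000_000, oracle)
    start_liquidity = protocol.liquidity_a
    try:
        profit = flash_loan_sequence(pool, protocol, 1_000_000)
        return {"profit": profit, "protocol_liquidity": protocol.liquidity_a}
    except RuntimeError:
        return {"profit": 0.0, "protocol_liquidity": start_liquidity}  # state untouched after revert
```

With the spot-price oracle, one swap quadruples B’s quoted price, so 500,000 B of collateral (worth 500,000 A at the fair price) unlocks 1,500,000 A and the protocol is left holding bad debt; with the reference price the same collateral supports only 375,000 A, the loan cannot be repaid, and nothing changes.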

“This is the main disadvantage of these systems: taking out loans to manipulate the price of a coin on one exchange, and then selling it on another to make the difference. The main loser in these cases ends up being the protocol and all its participants,” concludes Carballo.

How to avoid falling into the trap

Protocol reputation, key. Photo Pexels

“It is essential to pay attention to protocol design. These are the ones that have been proven and that not only have cash flow, but also time in the market and a number of participants that provide some evidence of their resistance to hacking attempts,” warns Carballo.

In this sense, the use of open source protocols is no less important: “When it comes to open source protocols, auditors are often represented by their participants. While not linear, the general idea is that the more participants, the more ‘auditors’, and therefore more security,” concludes the digital finance expert, who is also a teacher.

“While the decentralized finance ecosystem uses cutting-edge technologies that are changing the outlook for international financial systems, they are also placing a heavy load on the entire system. Today, there are specific platforms that address current security challenges, such as OpenZeppelin, whose role is to protect the entire ecosystem of smart contracts and DeFi platforms as a whole,” adds Micucci.

“Without a doubt, this type of lending is here to stay and has laid the foundation for new innovative applications in decentralized finance,” adds the ESET researcher.

In this sense, it is essential to understand the nature of smart contracts, to find out the liquidity of a protocol and, above all, its security: whether that protocol has suffered attacks or had problems.

“Finally, a small clarification that could be useful to the general public: DYOR (‘Do your research’) is popular advice in the cryptocurrency community, which emphasizes the importance of thoroughly researching and understanding protocols and projects before investing in them,” concludes the Lemon manager.

Source: Clarin
