Since the beginning of this year, the Decentralized Finance (DeFi) ecosystem has rapidly grown to lock in a total value of more than $12 billion. With this exponential growth, the motivation of malicious actors to manipulate and attack the fragile DeFi protocol has increased, and this usually comes at the expense of ordinary users.
One of the tools used in many DeFi attacks recently is flash loans-this is a new type of financial primitive tool that allows users to open unsecured loans. The only requirement is that the loan must be repaid in the same block, otherwise Will be taken back. This is very different from traditional DeFi loans, which often require users to over-collateralize the loan in the early stage.
The novelty of flash loans is that it allows anyone in the world to temporarily become a very rich trader, with the potential to suddenly manipulate the market. In the recent series of attacks, we have seen malicious actors use flash loans to instantly borrow, exchange, deposit and re-borrow large amounts of tokens so that they can artificially manipulate the price of tokens in a DEX. This operation sequence itself is compliant, so it also allows attackers to use the DEX for abnormal pricing.
When flash loans are used as part of a malicious plan to manipulate protocols and steal funds, the term “lightning loan attack” will become a hot crypto term this week. The media organizations and the big Twitter followers are very concerned about the operation of lightning loans, analyzing each step of the malicious actors jumping from one Token to another Token and from one protocol to another in a transaction.
But the term “flash loan attack” did not capture the whole problem. Flash loans do not create loopholes within DeFi-they just reveal loopholes that already exist. “Lightning loan attacks” are often just attacks on Oracle, where Oracle is a middleware that connects DeFi applications on the chain with data off the chain, such as the fair market price of an asset. The real systemic risk in the DeFi ecosystem revolves around the centralized Oracle, not flash loans.
For bystanders watching the attack happen, flash loans have some fascinating things. Anyone can suddenly control huge amounts of money and configure them in novel and even malicious ways. This idea shows how this technology can empower individuals and unlock new financial tools. We did not analyze the ultimate function and goal of lightning loan, but marveled at the originality of its creator and the complexity of the attack. Therefore, lightning loans are increasingly being characterized as a dangerous DeFi innovation.
As Marc Zeller of DeFi protocol Aave put it, flash loans are just a tool: they allow you to act like a whale during the transaction. Any attack executed through flash loans can also be executed by well-funded holders without flash loans. What a flash loan can do is to make anyone in the world temporarily become a holder of sufficient capital, because obtaining a flash loan does not require any permits and no pre-collateral requirements.
Of course, publicly obtaining such funds greatly increases the number of people who can carry out such attacks. But even in a world without lightning loans, the use of more blockchain technology will continue to provide us with faster channels and opportunities for more liquidity.
Focus on the problem
We need to pay attention to what these malicious actors are doing with their newly acquired funds. An obvious pattern has emerged: malicious parties use flash loans to manipulate the DeFi protocol that relies on a single decentralized exchange (DEX) as the sole price of the Oracle. They used flash loans to manipulate and distort the price of one or more assets on the DEX, resulting in the use of the DEX-based price Oracle to provide inaccurate price data to DeFi applications.
Then, malicious attackers will take advantage of the opportunity to gain profits at the cost of directly harming the interests of ordinary users. While obsessed with the specific tools used in the exploitation process, our industry ignores the real lesson of these attacks: DeFi protocols that rely on price predictions to obtain data from a single trading venue can be disrupted by participants with large amounts of funds.
These are Oracle attacks, and their attack vectors have not only been predicted but also have occurred before. The focus on flash loans has distracted us from a larger issue, that the DeFi protocol with TVL of hundreds of millions and sometimes as high as 1 billion US dollars still relies on a single exchange’s price feedback Oracle. As we have seen, a single exchange may be subject to various volume changes and whale manipulation. For another agreement that relies on centralized price feedback, the consequences are obvious.
Today, many of TVL’s top DeFi dApps use a decentralized Oracle network to asynchronously calculate the transaction volume and liquidity differences of multiple exchanges in multiple different transactions, which makes them insensitive to the manipulation of flash loan funds . As more and more users are attracted by the financial convenience and opportunities of this ecosystem and DeFi protocols absorb more and more value from the global market, the maintainers of these protocols are responsible for adopting decentralized Oracle solutions To protect users from well-known and preventable attacks.
Therefore, next time you hear the term “flash loan attack”, please think twice. Lightning loans are likely to be used to target a specific vulnerability in the system: a price Oracle without market coverage. Oracle should be the authoritative source of truth for an agreement-about the price of assets, about the state of the market. As we have seen, whoever can manipulate this source can obtain huge benefits. The truth behind the flash loan attack: Their source of funds is flash loan, but they are price Oracle attacks.
