Flash Loans Aren’t the Problem, Centralized Price Oracles Are
Since the beginning of the year, the decentralized finance (DeFi) ecosystem has rapidly grown to more than $12 billion in total value locked. With this exponential growth, incentives have increased for malicious actors to manipulate and attack vulnerable DeFi protocols, often at the expense of regular users.
One of the more recent tools used within many DeFi attacks are flash loans – a new type of financial primitive that allows users to open uncollateralized loans with the sole stipulation that the loan be paid back within the same transaction or it reverts. This is a significant departure from traditional DeFi lending, which often requires a user to over-collateralize a loan upfront.
Adelyn Zhou is CMO of Chainlink Labs, where she leads marketing for Chainlink, the world’s most widely adopted decentralized oracle network.
The novelty of a flash loan is that it can temporarily make anyone in the world a very well-capitalized actor, with the potential to suddenly manipulate the market. In the recent string of attacks, we’ve seen malicious actors use flash loans to instantaneously borrow, swap, deposit and again borrow large numbers of tokens so they can artificially move a token’s price on a single exchange. This sequence is essentially the foot in the door, allowing the attacker to then exploit that exchange’s anomalous pricing.
When flash loans are used as part of a larger malicious scheme to manipulate a protocol and steal its funds, the phrase “flash loan attack” becomes the hot crypto term of the week. Media outlets and Twitter influencers alike focus on the workings of the flash loan, dissecting each step the malicious actor took to jump from token to token, protocol to protocol, all within one transaction.
But the phrase “flash loan attack” doesn’t capture the complete issue at hand. Flash loans do not create vulnerabilities within DeFi – they simply reveal vulnerabilities that already exist. “Flash loan attacks” are often just attacks on oracles, the entities that connect on-chain DeFi applications with off-chain data, such as the fair market price of a certain asset. The real systemic risk in the DeFi ecosystem is around centralized oracles, not flash loans.
For those on the sidelines watching an attack unfold, there’s something fascinating about flash loans. The idea that anyone can suddenly control huge amounts of money and deploy it in novel, exotic and, yes, sometimes even malicious ways showcases how this technology can empower the individual and unlock entirely new financial instruments. Rather than analyzing the ultimate function and target of the flash loan, we instead marvel at the ingenuity of its creator and the sophistication of the attack. As a result, flash loans are increasingly characterized as a dangerous DeFi innovation.
As Marc Zeller of Aave, a DeFi protocol that offers flash loans, succinctly points out, flash loans are just a tool: “They allow you to act like a whale for the duration of a transaction.” Any attack executed via a flash loan can also be executed without a flash loan by a well-capitalized actor. All a flash loan does is temporarily make anyone in the world a well-capitalized actor because obtaining a flash loan is permissionless and has no upfront collateral requirements.
Sure, open access to such funds greatly increases the number of people who can carry out such an attack. But even in a world without flash loans, increased adoption of blockchain technology will only continue to provide faster access to larger amounts of liquidity.
Focus on what’s wrong
We need to pay attention to what these malicious actors are actually doing with their newfound funds. A pattern has clearly emerged: Malicious parties use flash loans to exploit DeFi protocols that depend on a single decentralized exchange (DEX) as the protocol’s sole price oracle. They use the flash loan to manipulate and skew the price of one or multiple assets on the DEX, leading to inaccurate price data being fed to DeFi applications using that DEX-based price oracle.
The malicious actor then exploits the opportunity and generates a profit at the direct expense of regular users. In obsessing over the specific tool used during the exploit, our industry is overlooking the real lesson from these attacks: DeFi protocols relying on price oracles that fetch data from just a single trading venue can be compromised by actors with large amounts of money.
These are oracle attacks, with attack vectors that have not only been predicted, but also have already happened before. The focus on flash loans distracts us from a bigger issue that DeFi protocols with hundreds of millions and sometimes upward of $1 billion TVL still rely on single exchanges for their price feed oracle. As we’ve seen, a single exchange can be subjected to a wide variety of volume shifts and whale manipulation. The consequences for another protocol that relies on a centralized price feed are clear.
Today, numerous top DeFi dApps by TVL use decentralized networks of oracles that account for volume and liquidity differences across multiple exchanges asynchronously and across multiple different transactions, making them impervious to flash loan-funded manipulation. As more users are attracted to the financial accessibility and opportunity of this ecosystem, and as DeFi protocols absorb more value from global markets, it is incumbent upon the maintainers of these protocols to adopt decentralized oracle solutions that protect users from what are, by now, well-understood, preventable attacks.
So the next time you hear the phrase “flash loan attack,” think twice. The flash loan was likely used to target a specific vulnerability in the system: a price oracle without market coverage. The oracle is supposed to be a protocol’s definitive source of truth – about the price of an asset, about the state of a market. As we’ve seen, whoever can manipulate that source stands to gain tremendously. The truth behind flash loan attacks: They’re funded by flash loans, but they’re price oracle attacks.