blockworks.co
Flash loan attacks are not common — but their consequences are dire.
Most recently, decentralized finance (DeFi) lending and borrowing protocol Euler Finance booked a $197 million loss in a flash loan attack.
The attacker exploited a vulnerable code, Euler Labs, the team behind the Euler Finance protocol, said in a tweet, tricking it into believing there were fewer collateral tokens than debt tokens.
“As a result, the attacker was able to liquidate these underwater accounts and profit from the liquidation bonuses,” the company tweeted.
Hugh Karb, the founder of Nexus Mutual, a smart contract insurance company, told Blockworks that flash loans themselves — where traders are able to borrow cryptocurrencies without any collateral and return assets within the same transaction — are not the problem.
“Flashloans sound sexy, but all flash loans do is allow a hacker to conduct the attack without having spare funds lying around,” Karb said. “The attack would have been exploitable without the use of flash loans.”
Blockworks Research analyst Ren Yu Kong said that, ultimately, a fundamental vulnerability exists within the smart contract for a flash loan attack to happen.
“Flash loan attacks are as preventable as any other attack vector, and at the day it still requires developers to go through various security audits and take into account flash loans as an attack vector when writing the code,” Kong said.
The real problem, though, according to Karb, is whether humans are capable of creating secure software free of defects.
“While that’s possible, it is quite difficult as even the most security-focused teams, such as NASA and teams within the aviation industry, struggle with this,” Karb said.
Even if DeFi security continues to improve, the possibility of failure is rather inevitable — at some point.
“DeFi cover providers have to be very careful with their risk selection and in their risk management practices, like setting exposure limits and adequately pricing risk. There are no shortcuts,” Karb said.
Jesse Pollack, Coinbase’s protocol lead, said in a tweet that in order to prevent further attacks, “better insurance primitives and coverage need to be a part of the solution.”
Existing DeFi insurance is underpriced, according to Kong — considering it’s often marketed as yield, though the costs associated with an insurance premium could potentially outweigh the downside protection it provides.
“That’s a combination of exploits in DeFi generally being all or nothing — if a protocol gets exploited, more often than not everything is gone — and a much higher percentage chance of an exploit occurring than insurance underwriters price,” Kong said.
Another solution, a Twitter user who goes by Duncan said, is bringing in more audits to cover soft exploits, adding that there are a “ton of different examples right now” along those lines.