📸 Flash Loan Attacks — Issue No. 85

Earlier this month, Fulcrum, a smart-contract-based lending protocol built on top of Ethereum by the team at bZx, was exploited on two separate occasions. In total, nearly $1 Million worth of ETH was taken. In both instances, the attacker (or attackers) leveraged so-called "flash loans" to manipulate markets and make off with Ether.

In the wake of these attacks, members of the Decentralized Finance community began wondering what other protocols might be at risk. The increased scrutiny led to a fierce debate around the security of MakerDAO, which holds well over half a billion dollars of collateral in its contracts as backing for the Dai stablecoin.

In this issue of Build Blockchain, we'll delve into what flash loans really are, how they work, and why they're useful for these sorts of exploits. We'll also touch on the underlying issue that flash loans have shone a light on: the challenge of governance for decentralized protocols.

How Flash Loans Work

To really understand what happened here, you have to get your head around how flash loans work, and to understand flash loans, you need to know a little bit about Ethereum transactions. I discussed flash loans in issue number 82 of this newsletter, but a bit of a deeper dive is in order.

On a blockchain like Bitcoin, a transaction represents a simple transfer of value. One or more input addresses contribute unspent Bitcoin, moving ownership of those coins to one or more output addresses. While a Bitcoin transaction can have rules around who can spend those coins, there are no intermediate steps in the process. Either the rules are satisfied, and the coins are transferred, or they're not, and they aren't.

As a smart contract platform, Ethereum works differently. Transactions on the Ethereum network call smart contract functions, and each function can call other functions. These nested calls are called "internal transactions." At each step in the process, the code produces intermediate states. These states exist only as the transaction is being processed. The end state, once the code has finished executing, is the one that will actually be mined and finalized in the next block. But if an internal transaction ever fails, the entire transaction is reversed. None of the intermediate changes are included in the block.

A flash loan allows a contract to take control of tokens for one transaction. By paying a small fee, the contract caller receives the tokens, and is free to do anything they want with them in subsequent internal transactions. The only requirement, as encoded in the flash loan contract, is that the amount borrowed is returned by the end. If it's not, the transaction will fail, and all the changes wrought are automatically unwound. It's like it never happened.
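The revert behaviour described above can be modelled in a few lines. This is an added example, not code from bZx or any flash loan provider: the `Chain` ledger, the account names and the amounts are all constructed, and the "market" transfers stand in for whatever the borrower does with the funds.

```python
class Revert(Exception):
    """Aborts the whole transaction, like a failed internal call."""

class Chain:
    """Toy ledger (constructed model, not EVM code)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transact(self, fn):
        # Intermediate states live only inside fn; a Revert restores the snapshot.
        snapshot = dict(self.balances)
        try:
            fn(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot cover {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def flash_loan(self, borrower, amount, fee, use_funds):
        owed = self.balances["pool"] + fee
        self.transfer("pool", borrower, amount)
        use_funds(self)  # the borrower's own internal calls
        if self.balances["pool"] < owed:
            raise Revert("loan plus fee not returned")

def profitable(chain):
    def use(c):
        c.transfer("borrower", "market", 1000)
        c.transfer("market", "borrower", 1010)  # constructed stand-in for a trade
        c.transfer("borrower", "pool", 1001)    # principal plus fee
    chain.flash_loan("borrower", 1000, 1, use)

def unprofitable(chain):
    def use(c):
        c.transfer("borrower", "market", 1000)
        c.transfer("market", "borrower", 1000)  # no gain from the trade
        c.transfer("borrower", "pool", 1001)    # cannot cover the fee: Revert
    chain.flash_loan("borrower", 1000, 1, use)

def run(fn):
    chain = Chain({"pool": 5000, "borrower": 0, "market": 2000})
    return chain.transact(fn), chain.balances
```

`run(profitable)` commits with the pool one token richer and the borrower up nine; `run(unprofitable)` returns `False` and leaves every balance exactly where it started, including the pool's.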

When you really wrap your head around this, it's pretty mind bending. Flash loans are instantaneous loans that literally don't exist until they're paid back. This is perhaps the best example to date of the uncharted territory blockchain networks put us in. This strange new financial primitive simply can't exist in the world of traditional finance.

The Attacks

Flash loans have plenty of legitimate use cases, the most obvious of which is arbitrage of decentralized exchanges.

Using a flash loan, you can buy assets on the lower priced exchange, sell on the higher one, pay back the loan, and pocket the profit. All of this happens in a single transaction. The fee for the flash loan is minimal, and because the entire transaction reverts if the trade fails, there's very little risk. If the prices equalize before your transaction is processed, you won't even pay the fee, because the loan will never have happened.

These same properties make the loans ideal for attacks. If a malicious actor finds a way to leverage a large quantity of tokens to manipulate a smart contract for profit, they can do so with little cost and little risk. This is what happened in the attacks on Fulcrum.

A number of authors have covered the specifics of the two transactions which netted the attackers nearly $1 Million, so I won't delve too far into the details. At a high level, here's the gist of what went down.

The attacker took out a flash loan, and used the funds to manipulate the price of assets on decentralized exchanges. Because bZx was using data from these exchanges to drive trading and lending algorithms on Fulcrum, the attacker could trick the contracts into making bad trades or loans. Using the funds paid out by Fulcrum, the attacker then paid back the flash loans, and pocketed a hefty profit siphoned from the smart contracts via this manipulation.

The Aftermath

After Fulcrum was attacked, and then attacked again only a few days later, a mild panic set in on the decentralized finance ecosystem. If that system was vulnerable— even after its creators thought they had fixed it— what other protocols might be targeted using flash loans next? In particular, many began to worry about MakerDAO, which is by far the largest and most important project in the DeFi space.

The Maker system accepts Ether and other assets as collateral for loans paid in Dai, a decentralized stablecoin pegged to the US Dollar. Governance decisions in Maker are made by stake weighted votes from holders of the MKR token. Parameters like interest rates and collateral ratios are set via these votes. Perhaps you can see the issue?

An attacker could theoretically use a flash loan of MKR tokens to make a malicious change to the governance contracts. In the worst case, such an attacker could drain the collateral backing Dai, worth well over half a billion dollars. Luckily for everyone, there were not enough of the tokens available via lending protocols to execute such an attack. To resolve the issue, or at least mitigate it, MKR holders voted in a so-called governance delay. Future changes made via votes will need 24 hours to be applied.
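Why a delay blunts borrowed voting weight, as an added example that is not MakerDAO's contract code: the `Governance` class, the fixed `QUORUM`, the `collateral_ratio` parameter and the ability of holders to cancel a queued change during the delay are all assumptions of this toy model.

```python
DAY = 24 * 60 * 60  # the 24-hour delay described above, in seconds
QUORUM = 50         # constructed threshold of voting tokens

class Governance:
    """Toy stake-weighted governance (constructed model, not Maker's contracts)."""
    def __init__(self, balances, delay):
        self.balances = dict(balances)
        self.delay = delay
        self.now = 0
        self.queued = {}             # proposal id -> (eta, new value)
        self.collateral_ratio = 150  # constructed parameter

    def move(self, src, dst, amount):
        self.balances[src] -= amount
        self.balances[dst] += amount

    def _require_quorum(self, voter):
        if self.balances.get(voter, 0) < QUORUM:
            raise PermissionError(f"{voter} lacks voting weight")

    def schedule(self, voter, pid, value):
        self._require_quorum(voter)
        self.queued[pid] = (self.now + self.delay, value)

    def cancel(self, voter, pid):  # assumption: holders can drop a queued change
        self._require_quorum(voter)
        self.queued.pop(pid, None)

    def execute(self, pid):
        if pid not in self.queued or self.now < self.queued[pid][0]:
            return False  # unknown, cancelled, or still inside the delay
        self.collateral_ratio = self.queued.pop(pid)[1]
        return True

def borrowed_vote(delay):
    gov = Governance({"pool": 100, "holders": 75, "borrower": 0}, delay)
    # One transaction: borrow voting tokens, vote, try to apply, repay.
    gov.move("pool", "borrower", 100)
    gov.schedule("borrower", "p1", 0)
    applied_in_same_tx = gov.execute("p1")
    gov.move("borrower", "pool", 100)
    # Later transactions: existing holders react inside the delay window.
    gov.now += 3600
    gov.cancel("holders", "p1")
    gov.now += DAY
    gov.execute("p1")
    return applied_in_same_tx, gov.collateral_ratio
```

With `delay=0` the change lands inside the borrowing transaction and the holders' cancel arrives too late; with `delay=DAY` the tokens are back in the pool before anything can be applied, and the holders remove the queued change.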

The Elephant In The Room: Decentralized Governance

In case it wasn't obvious, I'm absolutely fascinated with the technical details of these attacks. It's really interesting stuff. The truth is, though, that the biggest questions these attacks bring up aren't technical ones. Instead, these exploits get to the heart of what public blockchains are all about: what it means to be decentralized.

Let's observe a simple fact: while flash loans dramatically lowered the risk and cost associated with the Fulcrum attacks, they weren't required to execute them. Anyone with a large balance of the assets, acquired either by purchases or non-flash loans, could have pulled it off. The same goes for the feared attack on MakerDAO. It was and is perfectly possible to carry it out without flash loans; it just requires a large sum of money.

It turns out all decentralized blockchain governance basically rests on this mechanism, right back to the base layer protocols themselves. With enough money, you can acquire the mining machines and energy needed to attack any Proof-of-Work coin, including Bitcoin and Ethereum. Proof-of-Stake is no different. With enough money, you can buy and stake the coins needed to disrupt the network.

There's just no way around this: if decentralization means anyone can participate, then it also means anyone can be malicious. Decentralized economic systems can only succeed by making the cost of being malicious prohibitively high, and the reward for being malicious unattractively low. Flash loans broke this balance for Fulcrum, and could have done so for Maker as well. This is scary, but it also could be a healthy step for the ecosystem. My hope is that flash loans force us to think more carefully about what we really mean by "decentralized governance," especially when it comes to on-chain protocols.