OpenZeppelin Blog

Flash Loans and the Advent of Episodic Finance - OpenZeppelin blog

Written by OpenZeppelin Security | March 2, 2020

 

Flash Loans have been making the rounds. Even if the concept has been around for a year or two, it’s only very recently that they have been getting a lot of attention with the surge of DeFi, and ultimately a few “exploits” seen in the wild, where $1M was totalled by the people behind them. Why the quotes around “exploits”? We’ll get there in a minute.

Flash Loans are a novel thing. They are not a “decentralized X”, with X some pre-blockchain idea. Not that decentralized is a minor feat: Digital payments existed before bitcoin, whose major innovation was precisely to remove the central authority. We later got  decentralized betting markets, decentralized streaming platforms, decentralized online marketplaces, and decentralized nonrecourse loans—only we call them “overcollateralized loans”. But Flash Loans are something else. Heck, they could even be centralized for that matter. They are enabled by the episodic nature of blockchains. I give you money, you do what you want with it, and you return it. Only if you don’t return it I hadn’t given you money at all. Like a Schrödinger loan.

This is huge—it’s innovation on top of innovation. It’s the definite seal, if you were still in doubt, that a revolution in finance is taking place. With Flash Loans, anybody can be a whale. Talk about leveling the playing field. This is what we strive for at OpenZeppelin: We are building technology to bring freedom to the world. Or, as one of us said, “This is what I signed up for.” 

Flash Loan “exploits”

New technologies come with newly associated risks, pitfalls, and all kinds of weirdness. As one of the leading firms in the blockchain security space, we usually get a first hand view into these innovations. We had the chance to closely inspect Flash Loans in our audit of the AAVE protocol earlier this year, and in research work by Austin Williams who introduced a safer way to implement them

More recently, two events were reported where someone made more than $350k U.S. dollars (first event) and $635k (second event, likely a different someone), with initial investments in the order of $10, for a more than 40x instant return. There was actually an earlier event where researchers reported being able to take $2.5M and illustrated it with a proof-of-concept. We won’t dwell much on the details of these events, as they have been thoroughly discussed already, but it is illuminating to understand the nature of the progression.

The original event (let’s call it the zeroth) was reported here and consisted of a security bug in the Fulcrum bZx project, whereby an attacker could run arbitrary code. The researchers showcased this in two transactions, where they called the approve method of a token to later enable a transfer of funds to an address under their control. Flash Loans played no special role here, only that the vulnerable code was part of the Fulcrum Flash Loan functionality. The bZx team responded by temporarily removing this functionality.

In the first event, Flash Loans took a more prominent role: They enabled the originator to manipulate the markets via slippage, that is, the dependence of price on demand made manifest when trading big volumes of an asset. Here, too, a bug in the code was present that enabled the attack. The bZx code was meant to check for slippage before letting the transaction through in the case of undercollateralized loans, but the loan in this event was incorrectly flagged as overcollateralized. This bug was much subtler than the previous one, and it required a much more delicate procedure to be exploited. 

The second event involved another Flash Loan and another market manipulation. This time, it relied on bypassing a price spread check bZx had put in place after researcher samczsun had reported a potential price manipulation attack. The trick here is yet subtler: The price spread check was in place for Uniswap-like price sources, that is, sources that compute prices on the spot based on asset volumes. The originator here was able to manipulate two sources simultaneously and managed to pass one as non-Uniswap-like, taking advantage of the indirection in the computation of prices by the different protocols involved (bZx asking Kyber, Kyber asking Uniswap). So what’s the bug here? Arguably, it’s the system’s reliance on dubious price sources. But it’s less of a code-level bug and more of a weird-things-can-happen-here type of thing. 

Future events

What’s next in this progression of ever subtler ways of taking advantage of Flash Loans to make profit? It’s strange that there might actually be a simple answer to this question: governance. Many protocols these days, to the extent that they are governed in a somewhat decentralized fashion 1, rely on the no-whales assumption (or more precisely, no-whales-other-than-us, the protocol creators). This concern was voiced before, in particular in the case of MakerDAO, where Micah Zoltu showed how to turn $20M into $340M by manipulating the system’s governance to take all funds in it. Well, now you can have those required $20M, thanks to a Flash Loan. 

So why hasn’t this happened yet? The reason is somewhat scary: There wasn’t enough MKR liquidity in the markets to actually borrow the necessary amount. Luckily, MakerDAO reacted in time and has just issued a vote whereby a 24h delay was put in place for governance decisions, thus preventing the attack. Still, what was true about MakerDAO might be true of other voting-based protocols out there, so we need to watch out for exploits taking advantage of the now defunct no-whales assumption. 

New game, new rules

We finally come back to the quotes around “exploits” in the first paragraph. Beyond its precise meaning (which can be “a bold or daring feat”), the malice (or wrongdoing) connotation stands out. These, apart from the researchers in the zeroth event, were certainly no white-hat hackers. They definitely cashed out, and in the first event they even used a mixer to minimize the chances of being tracked. They took advantage of bugs in the code, to some extent. They manipulated asset markets for a profit, which is illegal in most jurisdictions. But was what they did actually wrong?

Well, that’s not for us to judge, but we can reflect a bit about it. Laws against market manipulation are in place so that those that have the capability to do so—the rich—don’t do it, because they would be making a profit at the expense of those without that capability. However, with Flash Loans, things have changed: anyone with a computer and 10 bucks in ETH can manipulate the markets and make an instant profit. Should we stick to our old mindset, calling them wrongdoers and trying to pursue them, or should we embrace the new game, in which anybody can take part, and accept the new rules that are presented to us? As with funds that are lent or not depending on an event in the future, maybe we should call into question other intuitions. What is the meaning of price if it can take values only I have access to, within a transaction?

The fact that these very basic notions are challenged is the landmark of a revolution. Flash Loans have shown us that this is not only a decentralizing revolution, but it is one of decentralized, algorithmic, episodic finance, whose implications we are only starting to understand.

I would like to thank Austin Williams, Nikesh Nazareth, Santiago Palladino, Albert Gozzi, Alice Henshaw, the OpenZeppelin Research team, and Sebastián Aldasoro and the other participants of the February 27th edition of the ETH Buenos Aires meetup for insightful discussions on the topic of Flash Loans.