More On: Bitcoin
Crypto hackers have turned to flash loans as a powerful tool.
In April, a hacker used a sophisticated tool to plunder the decentralized stablecoin platform Beanstalk: a $1 billion loan taken out with no collateral, no evidence of income, and no identity verification. The loan had to be paid back in under a second, yet that was all it took to steal tens of millions of dollars.
The hacker used a flash loan, which is a low-cost, quick, and anonymous form of cryptocurrency lending.
Such short-term loans can be useful for traders looking to profit on price differences between cryptocurrencies on different exchanges. They are similar to the financing that an investment bank may lend to an investment fund to make bets on various equities or currencies in that respect.
However, there is a downside to flash loans. Flash loans have been used in a number of recent thefts. A hacker utilized a flash loan to help steal about $80 million from a decentralized finance platform called Rari Capital, in addition to the heist Beanstalk revealed last month. In October, a hacker exploited a flash loan to help steal $130 million from Cream Finance's website.
Decentralized finance, or DeFi, is an emerging component of the bitcoin industry that provides funding and liquidity to market participants. Flash loans are similar in some ways to the financing that banks might provide to algorithmic traders that trade in milliseconds.
A DeFi platform, such as Aave or Uniswap, is a piece of software that enables individuals to create and maintain programs. Users of the various apps and services deposit cryptocurrency into their respective accounts. The pools from which flash loans are made are the platform's combined assets.
Smart contracts, which are pieces of code written to automate an agreement, handle services like borrowing and lending. In traditional finance, these would be used in place of a loan or bank application.
However, flash loans are not a retail instrument. Someone must be able to code and execute a contract in order to use a flash loan. For example, the Beanstalk hack's flash-loan section required over two dozen steps.
The repayment time is what gives a flash loan its name: It happens fairly instantly. A flash loan is one that is given and repaid in one transaction. The loan's life cycle is roughly equivalent to how long it takes a computer to perform a transaction.
That is a short period of time. However, in an automated society, simply making a trade is sufficient.
Conditions are included into the smart contract that ensure payback. If the borrower fails to repay the loan, the contract invalidate the transaction and any market move it was linked to before it is confirmed. It's as if the loan never existed, and it's an all-or-nothing situation. Lenders face virtually little credit risk as a result of this.
Because there is no credit risk, the maximum amount that can be borrowed is determined solely by the amount of money kept on a DeFi platform. For example, Aave has around $21 billion in liquidity spread throughout its services, which is kept in a variety of cryptocurrencies.
In theory, flash loans allow consumers to use borrowed cash in the same way that financiers do in traditional markets, such as when an activist investor uses finance to acquire a company or when George Soros famously bet against the British pound using borrowed funds.
However, their speed, lack of collateral requirements, and anonymity make them extremely different in practice. "They offer up the opportunity for things you wouldn't be able to achieve in traditional markets and weren't possible in crypto before," said Max Galka, the founder and CEO of crypto-analytics business Elementus.
There are multiple DeFi platforms that enable fast loans, but the largest is Aave, which is where the loans originated. According to Elementus, Aave has executed 52,000 flash loans worth $15.6 billion in market value since 2020. A minor fee is charged to borrowers for the loan.
When compared to the $1.8 trillion total value of the crypto market, this is a minor sum. However, even a few hundred million dollars can be used to influence or assault some of the cryptocurrency market's smaller and less liquid assets.
According to Hassan Bassiri, a fund manager at the crypto-focused investment management Arca, "the potential for misconduct is immense for coders who understand how to leverage flash loans." Because DeFi is such a young subject, many services have inadequate security or poorly written code, or both, increasing the risk of abuse.
Mr. Bassiri stated, "You're not going to make $80 million in 30 seconds of work performing arbitrage." "The evil uses are so much more profitable."
A hacker used a flash loan to temporarily take over a crypto project in the Beanstalk incident. Beanstalk is a stablecoin platform in which the investors are also the owners. Each token is tethered to the US dollar. Each token purchaser receives a voting share. Changes to the platform can be proposed and voted on by investors.
The hacker proposed sending money from Beanstalk to Ukraine as aid a day before the attack, but the code instead directed to a wallet controlled by the hacker.
The Beanstalk hacker borrowed $1 billion in multiple different crypto denominations via a flash loan on the Aave platform, which he used to buy into Beanstalk and temporarily take control of the voting mechanism. The founders of Beanstalk declined to comment. A request for comment from Aave was not returned.
The hacker had to accomplish several things quickly with a computer program at the time of the attack: take out the flash loan, acquire enough tokens to give the individual a voting majority, and vote to accept the plan from the day before. The hacker then transferred the funds to another account and sold the Beanstalk tokens to settle the loan.
In the blink of an eye, the hacker drained nearly $76 million in cryptocurrencies.
** Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of USA GAG nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.