DeFi is an emerging industry in cryptocurrency. It experienced exponential growth in 2020, when total locked-in capital went from a few hundred million to over $12 billion USD.
As with any emerging financial industry, there are growing pains with the ecosystem. One of the innovative ways that malicious parties have found to exploit DeFi is by using flash loans to exploit holes in oracles.
We know, all this is confusing. What are flash loans? What are oracles? How are users exploiting these tools for profit?
Don’t worry, we will cover all of that in this article. We will even offer a potential solution to the problems that flash loans pose to oracles.
What are flash loans?
As the name implies, a flash loan is an uncollateralized cryptocurrency loan that lasts for the duration of the transaction.
These are fast loans that allow anyone to have access to large sums of capital.
In other words, flash loan recipients have the ability to act like a whale for one transaction block. This has led to some problems.
What are DeFi oracles?
Before covering how a flash loan attack works, we must explain how an oracle works. It’s essential to understand the basics of an oracle.
In simple terms, an oracle is a piece of code that allows a smart contract to interact with a data stream off the blockchain. A smart contract cannot pull data from off the blockchain, so it relies on an oracle to feed it data from outside the blockchain.
Oracles are used to supply sports results, property records, weather reports, and other data to smart contracts. They are also used to supply the fair market price of a cryptocurrency to a decentralized exchange’s smart contract.
The Risk Flash Loans Pose to Oracles
Flash loans do not pose a major risk to a smart contract that receives data from multiple oracles.
Unfortunately, this is not often the case. Many smart contracts receive price data from a single oracle, which allows a flash loan attack to occur.
In other words, a flash loan attack is not a problem with decentralized exchanges. It’s only a problem with decentralized exchanges that rely on receiving pricing data from a single, centralized oracle.
Is there a solution to this problem?
It’s a systemic problem with smart contracts relying on a single oracle for a pricing data stream. The solution is simple – do not rely on a single oracle for pricing data. This is easier said than done, though.
Until that problem with smart contracts is fixed, flash loan attacks on oracles will be a problem. It’s also possible to launch a flash loan attack on multiple oracles, but it is much harder than launching an attack on a single oracle.
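One way to act on the "do not rely on a single oracle" advice, shown as an added Python example that is not from the original article: it compares trusting one feed with taking the median of several feeds and rejecting prices when the feeds are too few or disagree. The function names, the three-feed quorum, the 5% tolerance, the median rule and the feed values are all assumptions chosen for illustration.

```python
from statistics import median

MIN_SOURCES = 3       # assumed quorum: refuse to price with fewer feeds
MAX_DEVIATION = 0.05  # assumed tolerance: 5% away from the median

class OracleError(Exception):
    """The feeds cannot produce a price worth trusting."""

def single_oracle_price(reports, source):
    """The pattern the article warns about: one feed, used as-is."""
    return reports[source]

def aggregated_price(reports, min_sources=MIN_SOURCES, max_deviation=MAX_DEVIATION):
    """Return (median price, names of feeds far from the median)."""
    values = {n: p for n, p in reports.items() if p is not None and p > 0}
    if len(values) < min_sources:
        raise OracleError(f"{len(values)} usable feeds, need {min_sources}")
    mid = median(values.values())
    outliers = sorted(n for n, p in values.items()
                      if abs(p - mid) / mid > max_deviation)
    # When half or more of the feeds disagree with the median, fail closed.
    if 2 * len(outliers) >= len(values):
        raise OracleError(f"feeds do not agree: {outliers}")
    return mid, outliers

# Constructed sample reports (token price in USD) from three hypothetical feeds.
NORMAL = {"feed_a": 100.0, "feed_b": 100.4, "feed_c": 99.8}
ONE_SKEWED = {"feed_a": 310.0, "feed_b": 100.4, "feed_c": 99.8}   # one feed distorted
TWO_SKEWED = {"feed_a": 310.0, "feed_b": 305.0, "feed_c": 99.8}   # majority distorted
SCATTERED = {"feed_a": 100.0, "feed_b": 200.0, "feed_c": 300.0}   # no agreement at all

if __name__ == "__main__":
    print("single feed :", single_oracle_price(ONE_SKEWED, "feed_a"))
    for name, reports in [("normal", NORMAL), ("one skewed", ONE_SKEWED),
                          ("two skewed", TWO_SKEWED), ("scattered", SCATTERED)]:
        try:
            print(f"{name:11s} :", aggregated_price(reports))
        except OracleError as exc:
            print(f"{name:11s} : rejected ({exc})")
```

The two-skewed case still returns the distorted price: a median only holds while a majority of the feeds is accurate, which is why distorting multiple oracles is harder but not impossible.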
How can I avoid falling victim to flash loan attacks?
The only way to truly avoid falling victim to a flash loan attack is to not rely on smart contracts that use data from a single oracle.
Unfortunately, the vast majority of people do not audit the code or oracles before placing cryptocurrency in a smart contract. You simply have to rely on smart contracts that have not fallen victim to a flash loan attack.
Will flash loan attacks be an ongoing problem with DeFi?
Yes, flash loan attacks will be an ongoing problem with DeFi until smart contracts begin relying on more than a single oracle for pricing data.
Unfortunately, that will likely take a few years or a few major attacks before the change is widespread. This is simply a problem that every emerging industry encounters – bad actors using neutral tools for malicious purposes.
Overall, flash loans are not the problem with flash loan attacks on oracles. Instead, the problem lies with poor development practices that rely on receiving pricing data from a single oracle.
We do expect this problem to eventually get fixed, but it will likely take a few major flash loan attacks on oracles before the problem is resolved.
All that said, flash loan attacks should not discourage you from locking your cryptocurrency into a smart contract. You just have to be much more careful and understand the risks before doing so to protect yourself.