A flash loan is no-collateral loan existing over the span of a single transaction, allowing a contract to borrow funds, use funds, and repay the loan by the end of the same transaction. It’s like being a millionnaire for 15 seconds.
What are flash loans?
In the simplest terms possible, a flash loan is a loan that is exists over the span of a single transaction (15 seconds), allowing a contract to borrow funds, use the funds for purposes, and repay the loan + associated interest by the end of the transaction. The smart contract can put these funds through any system they want, as long as the amount + interest is sent back into the lending pool contract. Unlike Maker, no collateral is required for these loans. Flash loans ensure that the amount and the fee for borrowing is paid back to the lending pool by the end of the transaction, otherwise it reverts.
How do they work?
These flash loans execute in lending pools, which have checks to ensure that the smart contract has repaid their loans at the end of the transaction. If the flash loan is not returned, the entire transaction (including the borrowing of the loan) is reverted and the state rolls back.
While walking through Aave’s Lending Pool flashloan function implementation in detail, the loan essentially execute these main steps:
- Checks the available liquidity in the Lending Pool contract
- reverts if the flash loan is too large
- Calculates the protocol and amount fee
- user’s total fee
amountFee = flash_loan_amount * FLASHLOAN_FEE_TOTAL / 10000
- protocol fee
protocolFee = amountFee * FLASHLOAN_FEE_PROTOCOL / 10000
- Lending Pool Constants are defined here
FLASHLOAN_FEE_TOTAL = 35
FLASHLOAN_FEE_PROTOCOL = 3000
- reverts if either amount fee or protocol fee are <0 - means that the amount is too small for a flash loan
- user’s total fee
- Transfers funds to a user’s smart contract
reciever.executeOperation(), the function that would need to be overridden to execute a flash loan
- Aave’s Flashloan-box repository sets up infrastructure for a developer to create a flash loan
- Checks to ensure that the available liquidity in the Lending Pool Contract is the same as step 1
- reverts if
currentLiquidity != previousLiquidity + amountFee
- reverts if
As seen above, flash loans target smart contract developers, unlike Maker/Compound. By implementing
executeOperation(), a developer can choose what they want to spend their flash loan funds on.
Why are they useful?
Flash loans help a variety of purposes, including:
Flash loans enable users to get a better interest rate for debt that they’ve taken out of a system.
Assume a user has put collateral down to take
$10k from a system - this means that this user be required to pay back
$x + interest in the future. If Company A is offering a 10% interest, and Company B is offering 5% interest, users would prefer to go with the lowest interest rate, as they prefer to pay less for the money they have borrowed.
|Scenario||Company A||Company B|
|“Original” Loan||debt = $10000
interest = 10%
|debt = $0
interest = 5%
|Better Rate||debt = $0
interest = 10%
|debt = $10000
interest = 5%
A flash loan could be written with the following steps to facilitate refinancing:
- Take out a flash loan in the amount sufficient to pay back the loan from Company A
- Send the funds to Company A and unlock collateral, essentially paying back the loan and zero-ing the debt
- Send collateral to Company B, and borrow funds at 5%
- Pay flash loan back at the end of the transaction
Flash loans also enable users to change the underlying collateral mechanism, in systems such as Maker and Compound.
Assuming a user has to put ETH collateral into Maker to withdraw DAI, resulting in the user having an Ether-backed collateral. If a different collateral, such as BAT or USDC has a better borrowing rate, users may want to change the collateral type they use. Flash loans can be used to do this as well:
- Take out an ETH flash loan in the amount of the withdrawn DAI + interest
- Swap ETH to other collateral (ie: USDC/BAT) on Uniswap
- Deposit new collateral into Maker
- Withdraw original ETH collateral from Maker
- Payback ETH flashloan
Lose Little, Gain Everything - Implications on DeFi Security
While the DeFi space has always consisted of Lego blocks with applications like collaterlized debt, providing liquidity, or synthetic tokens, Flash loans bring on a whole new variant. Their lack of collateralization is due to a user’s need to take the loan out, use the funds, and pay it back at the end of the same transaction. Flash loaners only pay the fee to take funds out of the lending pool - and can do anything they want with it thereafter.
This means an attacker could potentially take on less risk with a flash loan than executing an attack with their own funds. If an attacker attempts to attack a smart contract bug with their own funds, if they do it incorrectly, they have the chance of losing their own funds. With a flash loan in a smart contract, if their call to another platform’s smart contract fails, the entire transaction will revert and it will be as if the attacker never really had the flash loan in the first place. In this way, flash loans enable these attackers to take on less risk while executing a smart contract attack.
Small smart contract bugs are even more dangerous
For DeFi smart contracts, this means that smaller bugs, such as one allowing users to extract 0.01% more tokens than expected - which may not have been too big of a problem with small inputs such as 1ETH become increasingly more profitable for hackers via flash loans. In the past, these hackers would be limited to the amount of funds in their wallet - but flash loans allow these users to have access to a significantly larger funding pool.
Flash loans allow hackers, who wouldn’t otherwise have sufficient funds - be millionnaires/trillionaires (dependent on the amount in the lending pool) for 15 seconds. During this time, they receive the funds, invoke the buggy smart contract and/or logic, return funds + fees to the lending pool, and pocket the remainder of the profits.
Anyone can be a whale
Given that flash loans do not require collateral, these loans allow every-day users to become “whales” - users who hold a significantly large portion of funds - large enough to change supply/demand in their favour. This new requirement puts pressure on all DeFi systems to consider the ramifications of high-volume-high-value transactions executing through their platform.
Aside from individual DeFi platforms, whales with access to a significant pool of funds can affect largely token volume and trading. An example of this may be creating a large dip in supply and rise in demand, which opens up the opportunity for large profits when they sell their token supply at the end of the transaction.
The Future of Flash Loans
It will be really interesting to see the future development of flash loans and see other use cases that pop up. With the DeFi space continuously changing and projects pushing updates, it will also be incredibly interesting to see what other vulnerabilities and security implications flash loans bring up.