15. Flash Loans Explained: DeFi's Double-Edged Sword (2024)

A brief introduction to DeFi

Decentralised finance (“DeFi”) is seen by many as the digital age’s reimagining of financial services. Rather than having to go through established institutions like banks, DeFi challenges the status quo and is defined by the Bank for International Settlements ("BIS") as:

In addition to the offering of traditional financial services in an increasingly decentralised manner, DeFi through the innate characteristics underlying blockchain technology allows for services that are not possible or feasible within traditional finance. In this post, we will be focusing on a novel financial product commonly referred to as flash loans.

According to BIS, the best-performing platform offering flash loans granted a total of $5.5 billion worth of such loans from mid-2020 up to the end of 2021, highlighting the rising growth and adoption of DeFi protocols.

Traditional loans

How do flash loans differ from normal loans? Traditionally, loans encompass the following features:

• Principal → Initial amount of money borrowed from the lender which the borrower is obliged to pay
• Interest → Cost of borrowing the principal, expressed as a % rate over a specific period, with interest compensating the lender for the risk and opportunity cost of lending their money
• Term → The duration over which the loan must be repaid
• Repayment schedule → Agreed-upon plan of how the loan will be repaid
• Collateral → Assets pledged by the borrower to secure the loan which can be seized if the borrower fails to repay the loan
• Fees and penalties → Additional charges for late payments

Traditionally, the lender is compensated with an interest rate to cover the risk of default and temporary loss of liquidity. Therefore, the longer the duration of the loan, the greater the risk and opportunity cost from the perspective of the lender, resulting in a higher interest rate.

Flash loans

On the other hand, a flash loan can be described as a 'zero-duration loan', whereby a user borrows assets without the need for any upfront collateral, returning the borrowed asset/s within the same blockchain transaction i.e. instantaneously.

This is not to be confused with overnight loans that banks routinely carry out. This is possible due to the concept of 'atomicity' within blockchains i.e. either all or none of the transaction occurs. We will now review the above characteristics within the context of flash loans to better understand the differences between the two:

• Principal → This is present within flash loans, representing the amount borrowed and used within the same transaction
• Interest → Typically involves a very small fee (rather than traditional interest) for the service which is paid if the loan is successfully executed and repaid in the same transaction
• Term → Must be borrowed and repaid within the same blockchain transaction, usually lasting a few seconds
• Repayment schedule → There is no repayment schedule
• Collateral → There is no collateral
• Fees and penalties → There are no fees or penalties for late payments

In summary, only a small fee is charged given that the loan/transaction only lasts a few seconds. As a result, no repayment schedule, collateral or fees typically feature within the context of flash loans.

Flash loans, which are described as uncollateralised loans, enable the borrowing of assets from an on-chain liquidity pool, under the condition that the borrowed amount and a small transaction fee are returned to the pool. If a problem arises and the amount is not repaid, the entire transaction is reverted to the original state. As a result, there is no counterparty and duration risk.

Flash loans: Arbitraging

A common use case of flash loans is to take advantage of arbitrage opportunities. Arbitraging typically involves the exploitation of price differences of the same asset across different markets to secure a profit, a strategy famously utilised by financial giants such as George Soros and Bill Ackman.

The most noticeable example which comes to mind goes back to 1992 when George Soros “broke the Bank of England”, making a fortune by betting against the British Pound capitalising on discrepancies in currency valuations. Arbitraging is a skill that extends beyond financial investments and typically is indicative of one’s ability to identify undervalued opportunities.

Within the crypto realm, a token is listed on several exchanges, which typically possess different prices, thus, creating an arbitrage opportunity whereby one can buy low in one market and sell high in another within a single transaction. A flash loan could be utilised to exploit such an event leading to increased efficiency within the market.

Other applications of flash loans

Borrowers can leverage flash loans for collateral swaps i.e. to swap the collateral backing their debt position in DeFi lending platforms without having to close their original position which could have proved costly.

For instance, if the borrower’s debt is secured by Ethereum (“ETH”) and one wishes to replace this with USDC due to more favourable interest rates or a shift in market outlook, they can utilise a flash loan. This offers immediate liquidity, eliminating the need for additional capital upfront.

Upon using the flash loan to settle the original ETH-secured loan, the ETH collateral is unlocked. The borrower then promptly exchanges this ETH for USDC. This USDC is subsequently used as collateral to establish a new debt position. To finalise this process within the same blockchain transaction, the funds from this new USDC-backed loan are used to repay the flash loan, seamlessly executing the collateral swap.

Another example relates to the use of flash loans within the context of self-liquidation, as a protective strategy to avoid the involuntary liquidation of collateral in DeFi lending platforms.

This is useful when the value of a borrower’s collateral is close to falling below the required threshold due to market volatility, which could trigger a liquidation event where part of the collateral is sold off by the platform, often at an inferior price, also incurring additional fees.

Where to use flash loans

Flash loans were popularised by Aave (a decentralised lending and borrowing platform) and dYdX (a decentralised exchange offering advanced financial instruments) which operate on the Ethereum blockchain. Therefore, when sending ETH and interacting with smart contracts, transactions will be grouped and included in Ethereum blocks, which can be viewed through Etherscan.

When using such platforms to execute flash loans, one finds fixed costs such as a fee of 0.09% on Aave, however, discussions are underway to reduce this further.

While theoretically, a single blockchain transaction could include thousands of operations, the practical limit is set by the maximum gas cost per block, which restricts the complexity and number of operations that can be executed within one transaction.

General risks underlying flash loans

Every time a new technology is introduced, bad actors enter the fold and try to exploit these properties. Flash loans are no different. In the same way that a flash loan could increase market efficiency and liquidity, the same properties can be leveraged by attackers to exploit a vulnerability within a protocol.

Smart contract risks → Given that the execution of flash loans relies on the underlying code within the smart contract, any vulnerabilities could be exploited by attackers.

Systemic risk within DeFi → The use of flash loans by high-risk borrowers for speculative or fraudulent purposes can increase the risk of default for the lender, creating risks, especially in times of market downturns, leading to a cascade of liquidations and other disruptions.

Flash loan attacks

In addition to the benefits and use cases described above, flash loans’ unique characteristics create certain risks and avenues for abuse. Flash loan attacks refer to the exploitation of vulnerabilities in DeFi protocols to steal funds, manipulating prices to the attacker’s benefit.

Such attacks are executed within a single transaction allowing attackers to borrow large sums without collateral or risking their capital to fund an attack, with the transaction reverting upon failure.

DeFi protocols try to mitigate these risks by employing reputable price oracles such as Chainlink, implementing circuit breakers, limiting flash loan amounts and conducting regular security audits.

An example of a flash loan attack was presented by Chainalysis, relating to $197 million being stolen from Euler Finance, a permissionless borrowing and lending protocol on Ethereum. The attacker exploited the platforms’ handling of eTokens and dTokens, creating an imbalance that allowed for inflated borrowing.

The attacker used a flash loan from Aave for $30 million in DAI, and manipulated transactions to siphon funds, within initial and subsequent fund movement involving Tornado Cash. This complex attack involved multiple wallets, including a front-running bot, to maximise the theft.

Eventually, the funds were returned by the attacker, who also ended up apologising, in what ended up being one of the largest DeFi recoveries to date!

Conclusion

While flash loans may be controversial and bring about their share of risks, they do not create vulnerabilities but rather, they expose pre-existing ones already existing in a protocol. Such risks can be mitigated through a combination of thorough security audits and adherence to regulatory frameworks such as DORA.

Flash loans introduce a level of flexibility and efficiency which are not present within traditional finance, marking a notable innovation within the DeFi ecosystem. This is just one example of the new possibilities emerging in DeFi which may not yet be fully appreciated.

In future posts, we will explore other similar innovations, aiming to uncover the relatively untapped potential they have for transforming financial transactions.

Thank you for your time. Feel free to share.

DISCLAIMER

This is not medical, financial, or legal advice. Please consult a relevant professional prior to commencing anything outlined above, these are simply my own personal opinions.