The Blockchain environment, together with Smart Contracts, is making flash loans relatively easy to set up and run. A flash loan is not illegal. A loan is taken out and repaid within a very short time. This can be enabled within a Smart Contract, with funds being transferred in and out of the borrower’s wallet possibly within the same block transaction.
The borrower uses the funds to buy goods, such as stock investments or currencies on an exchange, at a favourable price and quickly sells them on at a profit. The loan can then be repaid; hopefully the profit will more than cover the related trading and loan fees. The margin of gain is often small, but if large volumes of units are traded the net profit earnt will be worthwhile. Automated stock trading systems have been in place for some years, with computer algorithms deciding when to buy or sell. Linking the flash loan to this sort of algorithm gives the borrower a potential money-making engine (if their algorithm trades in the right goods at the right time).
The fraud is not as simple as ‘take the money and run’. A fault in the Smart Contract could enable the borrower to avoid repayment, but a more likely scenario involves what happens to the loan in the short period when it is outstanding. In April 2022 a fraudster drained $182 million from Beanstalk Farms. The exploit involved a flash loan that was used to briefly buy a controlling stake in Beanstalk Farms. The attacker then voted to withdraw the funds to their own wallet. The process is estimated to have taken around 13 seconds and netted the fraudster $80 million in profit.
BanklessTimes reported 27 cases of flash loan fraud in Q2 of 2002. It is the nature of Blockchain that makes distributed finance targets especially vulnerable. The loan, buying, selling and repayment all happen almost instantly. The Smart Contract and business model of the target are the vulnerable points of entry.
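As an added illustration (not code from the original article or from Beanstalk Farms), this toy Python model shows why a vote weighted by live token balances can be decided by tokens that are borrowed and repaid in one step, and how weighting votes by a balance snapshot taken when the proposal was created removes that weight. The account names, amounts and the simple-majority rule are assumptions made for the example.

```python
class Token:
    """Toy governance token; names and balances are constructed for this example."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.snapshots = []

    def total(self):
        return sum(self.balances.values())

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def snapshot(self):
        """Record the balances as they are now and return the snapshot id."""
        self.snapshots.append(dict(self.balances))
        return len(self.snapshots) - 1


def vote_weight(token, voter, snapshot_id=None):
    """Live balance when snapshot_id is None (weak), recorded balance otherwise."""
    book = token.balances if snapshot_id is None else token.snapshots[snapshot_id]
    return book.get(voter, 0)


def passes(token, voter, snapshot_id=None):
    """Assumed rule: a proposal passes when the voter holds over half the supply."""
    return 2 * vote_weight(token, voter, snapshot_id) > token.total()


def flash_loan(token, lender, borrower, amount, action):
    """Lend, run the borrower's action, then take the loan back in the same step."""
    token.transfer(lender, borrower, amount)
    result = action()
    token.transfer(borrower, lender, amount)  # raises if the loan cannot be repaid
    return result


def run_scenario(use_snapshot):
    """Return (vote passed?, borrower balance after repayment)."""
    token = Token({"pool": 700, "holders": 300, "borrower": 0})
    snap = token.snapshot() if use_snapshot else None  # taken at proposal time
    passed = flash_loan(token, "pool", "borrower", 700,
                        lambda: passes(token, "borrower", snap))
    return passed, token.balances["borrower"]
```

In both runs the borrower ends with a zero balance; only the live-balance rule lets the borrowed stake carry the vote.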
The target organisation suffers an instant loss, but this trickles through to the investors. Any assets will drop in value as the hosting system is not seen as secure. There will be fewer funds available to keep the infrastructure running and to pay out sales or withdrawals. Some investors will cut and run, withdrawing what funds they can and further lowering the value of assets.
Investors can minimise their exposure to flash loan attacks:
- Distribute funds over several projects; avoid putting all your eggs in one basket.
- Restrict investments to trusted, reputable platforms.
- Keep up to date with market trends; know when to jump.