Cybersecurity concerns about ransomware and data breaches have been growing for two years due to global events, but some threat avenues may be going overlooked in the constant blizzard of news. One of these is the growing popularity of flash loan attacks, targeted at decentralized finance (DeFi) platforms that allow peers to make instant short-term loans to each other.
These attacks have been growing in frequency and size since early 2020, and a recent theft from DeFi platform Beanstalk is the largest yet. $182 million was lost to fraudsters, edging out the $167 million tallied in the previous largest attack campaign in 2021.
DeFi platform loses $182 million to market manipulation
Flash loan attacks are essentially a very rapid crypto pump-and-dump that leverages the quick and collateral-free borrowing available via some DeFi platforms, but some (such as this one) can also exploit structural vulnerabilities in a platform.
Flash loans are a form of peer-to-peer borrowing without any collateral. These loans are “secured” by setting a tight time limit in which repayment must be made; if the borrower does not repay by the end of the window, the entire transaction is invalidated automatically. The primary users of these loans are crypto day traders who want to quickly raise large amounts of capital to go in on an opportunity.
Of course, enterprising hackers soon found a way to exploit the system. In a basic flash loan attack, the borrower immediately uses the large amount of funds to buy a large amount of a crypto asset, triggering a sell-off. This artificially drops the price on that particular exchange, at least until the loan repayment window closes. During this time, the attackers snap up the now undervalued crypto asset and sell it at another exchange that is maintaining normal market prices.
Thus the flash loan attack is not so much an attack on lenders (who are guaranteed to at least recoup the amount they lent out) but on other holders of the currency and, when big enough, on the value of the platform that issues the currency itself. An example of the latter phenomenon was the flash loan attack on the PancakeBunny platform in May 2021, in which a $3 million loss involving the platform’s Bunny tokens sent the platform’s price plummeting from $146 to $6.17 in a snap.
The Beanstalk attacker managed to get away with $80 million in illicit crypto funds in this way, though the platform is looking at a total $182 million loss due to remediation and a sharp value drop that sent the token from $1 to 11 cents in value overnight. The attacker in this case took a flash loan on the liquidity protocol Aave and acquired a large enough amount of the Stalk native governance token to have the power to pass a malicious proposal. This attack was different from some previous incidents, as the ability to pass the proposal (by exploiting Beanstalk’s majority vote governance system) allowed the attacker to siphon money directly from the protocol’s wallet rather than simply exploiting an artificially created temporary arbitrage opportunity.
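The governance weakness described above can be shown with a toy model. This is an added example, not Beanstalk's code; the account names, balances, simple-majority rule and the snapshot mitigation are assumptions made for illustration. It compares counting votes from live balances, where tokens held only for the length of one transaction carry a vote, with counting from a balance snapshot taken at an earlier block.

```python
# Toy model of token-weighted voting; every name and number here is constructed.
SUPPLY = {"lending_pool": 700, "long_term_holders": 300, "borrower": 0}
MAJORITY = 0.5  # assumed rule: a proposal passes with more than half of total supply


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.block = 0
        self.snapshots = {}  # block number -> balances at the end of that block

    def end_block(self):
        """Close the current block and record its final balances."""
        self.snapshots[self.block] = dict(self.balances)
        self.block += 1

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def total(self):
        return sum(self.balances.values())


def vote_weight(token, voter, snapshot_block=None):
    """Live balance when snapshot_block is None, else the balance at that past block."""
    source = token.balances if snapshot_block is None else token.snapshots[snapshot_block]
    return source.get(voter, 0)


def flash_loan_vote(token, amount, snapshot_block=None):
    """One atomic transaction: borrow, vote, repay.
    Returns (proposal_passed, borrower_balance_after_repayment)."""
    token.transfer("lending_pool", "borrower", amount)
    passed = vote_weight(token, "borrower", snapshot_block) > MAJORITY * token.total()
    token.transfer("borrower", "lending_pool", amount)  # without this the loan reverts
    return passed, token.balances["borrower"]


def run(use_snapshot):
    token = Token(SUPPLY)
    token.end_block()  # block 0 closes before the loan; its balances are the snapshot
    return flash_loan_vote(token, 600, 0 if use_snapshot else None)


if __name__ == "__main__":
    print("live balances:", run(False))    # borrowed tokens are counted
    print("snapshot at block 0:", run(True))  # borrowed tokens are not counted
```

In both runs the borrower ends the transaction holding nothing; only the vote-counting rule decides whether that momentary balance had any say.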
Creative Flash Loan Attack Highlights Holes in DeFi Platforms
Years on now from the first flash loan attacks, some DeFi platforms are still struggling to get appropriate defenses into place to curtail the possibility. This comes amidst a larger focus on DeFi platforms by cyber criminals, as they prove to have numerous openings that are not available with fiat currency finance organizations or even some of the more proven and stable cryptocurrencies. Though these platforms are riskier for traders than other options, they also often have hundreds of millions of dollars available for the taking if a hacker can exploit one of these openings successfully.
As James McQuiggan, security awareness advocate at KnowBe4, notes: “This attack is undoubtedly a sign of things to come. Cybercriminals continue to target organizations with money. Large bank corporations have worked to implement strong security cultures to significantly reduce the risk of an attack and successful breach. They now turn to cryptocurrency and exchange organizations to infiltrate using social engineering attacks or targeting vulnerable perimeter systems that are not up to date on security updates or exposed to other exploits. The crypto and digital currency organizations need to strengthen their perimeters and ensure a robust security culture to reduce these attacks and align with the other FinTech companies.”
In the case of the Beanstalk attack, it was not even a code exploit but a smart hacker simply taking advantage of the valid protocols in place in a creative way. The situation highlights endemic problems in DeFi platforms, given their preference for majority vote systems and proof-of-stake as the centerpiece of security. These systems differ from the more secure “proof of work” behind Bitcoin and other similar cryptocurrencies, but remain popular because they use considerably less energy.
Bean backer Publius has issued posts indicating the project will likely soon be dead given that it has no venture capital backing, and apparently no real way to recoup the funds other than the long shot of cutting a deal with the attacker (who has reportedly already sent the entire $80 million to Tornado Cash for anonymizing through mixing). The team has paused all smart contracts for the moment and says that it is in contact with the FBI. One of the project leaders responded to social media posts by saying it was “inappropriate” for Publius to take responsibility for the breach.