
Flash loans: A blessing or a curse?

DeFi · June 14, 2021, 12:21PM EDT

Quick Take

  • Flash loans are enabling attacks that are stealing hundreds of millions of dollars from the DeFi ecosystem.
  • But DeFi protocol founders point to the benefits of flash loans, instead arguing that they’re a good thing.


Imagine you’re about to rob a bank. But ahead of the robbery, someone offers to lend you a range of expensive tools that would enable you to crack the bank’s larger safe and steal fifty times as much money. All you have to do in return is pay a small fee and give back the tools at the end. 

Would you take them up on this offer?

This is essentially how flash loans work. Flash loans are in effect a brand new technology, unique to blockchains, which allow an individual to borrow large amounts of capital that can then be used to accomplish certain things in the DeFi ecosystem at a very low cost. 

The catch? The money must all be returned within the same transaction. So it’s borrowed, used for some purpose and repaid, all in one go. If the transaction doesn’t work — for instance, say the exploit doesn’t generate more than enough money to pay back the loan and its fees — the money was never borrowed to begin with. 
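To make the all-or-nothing behavior concrete, here is an added illustration (not code from any DeFi protocol or from the people quoted in this article) that models a flash loan on a toy in-memory ledger. The account names, the 0.09% fee and the two borrower callbacks are constructed assumptions.

```python
# Added illustration: toy model of flash-loan atomicity, not real contract code.
# Account names, fee and callbacks are constructed for the example.

class Reverted(Exception):
    """Raised when the enclosing transaction must be rolled back."""

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

FEE_BPS = 9  # constructed fee: 0.09% of the borrowed amount

def flash_loan(ledger, pool, borrower, amount, callback):
    """Lend `amount`, run the borrower's logic, then demand principal plus fee.
    Any failure restores the snapshot, so the loan never took place."""
    snapshot = dict(ledger.balances)          # state before the transaction
    fee = amount * FEE_BPS // 10_000
    try:
        ledger.transfer(pool, borrower, amount)         # 1. borrow
        callback(ledger, borrower)                      # 2. use the capital
        ledger.transfer(borrower, pool, amount + fee)   # 3. repay with fee
        return True
    except Reverted:
        ledger.balances = snapshot            # whole transaction is undone
        return False

def profitable(ledger, who):
    # Constructed stand-in for a trade that nets the borrower 2,000.
    ledger.transfer("market", who, 2_000)

def unprofitable(ledger, who):
    # Constructed stand-in for a trade that loses the borrower 500.
    ledger.transfer(who, "market", 500)

def run_demo():
    start = {"pool": 1_000_000, "borrower": 0, "market": 10_000}
    ledger = Ledger(start)
    failed = flash_loan(ledger, "pool", "borrower", 1_000_000, unprofitable)
    after_failed = dict(ledger.balances)      # identical to the start state
    ok = flash_loan(ledger, "pool", "borrower", 1_000_000, profitable)
    return failed, after_failed, ok, dict(ledger.balances)
```

The borrower starts with nothing in both runs: the losing trade leaves every balance untouched, while the winning one leaves the pool richer by its fee and the borrower holding the remainder.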

The end result is the availability of a huge sum of money to anyone who wants to use it, no matter what the purpose — even if that purpose is robbing DeFi protocols, which are essentially decentralized digital banks. And attackers have taken advantage, stealing almost $200 million via sophisticated, flash loan-assisted attacks on DeFi protocols. 

Flash loans are undoubtedly innovative. But are they good or bad? And if they are bad, is there any way to stop them?

The good side of flash loans

Advocates of flash loans emphasize what they say are the productive applications of flash loans.

For instance, traders can use the money to take advantage of arbitrage opportunities, make leveraged bets, or refinance or liquidate loans. DeFi promoters tend to see these applications as providing value and keeping the crypto markets and protocols working. 

Flash loans are “100% good,” says DeFi lending protocol Aave founder Stani Kulechov, adding that they “allow us to remove inefficiencies in decentralized finance in a way that you don’t need upfront capital.” 

Kulechov’s view is that weak spots in DeFi protocols will be exploited with or without flash loans and that the main priorities should be to build safer protocols and safety mechanisms in case there are attacks — along with educating the community about the levels of risks involved.


DeFi lending protocol Cream Finance co-founder Leo Cheng concurs that flash loans play a positive role in the DeFi ecosystem. He argues that they accelerate capital flow while democratizing and leveling the playing field. 

For example, says Cheng, take liquidations on a lending pool. When a loan becomes undercollateralized, the position needs to be liquidated by someone with a sufficient amount of money; flash loans enable anyone to play that role. By ensuring these liquidations happen, they help to keep lending protocols from building up bad debt.

“We want them to be aggressive. The more aggressive they can be, the more robust a lending system is,” Cheng says.

On this basis, DeFi protocols have been encouraging the growth and development of flash loans. Another platform, UniLend Finance, announced on May 12 a $1 million grant for developers to come up with further use cases for flash loans, a move designed to accelerate the development of the technology.

Even flash loan attacks can be seen as a positive thing, argues UniLend CEO Chandresh Aharwar. The availability of flash loans increases the odds that DeFi protocols will get hacked earlier in their lifespan, while they are still relatively small, he says. “The hacks that happened at $5 or $6 million might become 10X, or 20X hacks if they are not exploited.” 

Cheng agrees. “Because the severity of the attacks is now higher, in a strange way, it iterates the industry faster.” 

The bad side of flash loans

While DeFi protocol founders focus on the silver lining, flash loans are undeniably causing a lot of damage to the DeFi ecosystem. 

When they are used to steal money, flash loans tend to make the damage worse — providing greater incentives for bad actors to exploit bugs in the systems. 

Over the last year and a half, nefarious actors have been using such loans to maximize their gains from exploiting DeFi systems. Flash loan-aided attacks have become much more frequent recently; since February, according to The Block Research’s data, flash loans have been used in 13 attacks to siphon off funds to the tune of $178 million.


Until April, most of these exploits were happening on the Ethereum blockchain. But recently they have been spreading to Binance Smart Chain (BSC), where many projects are based on code taken from Ethereum projects. Sometimes these clones are particularly vulnerable because they are based on old code. 

In one recent attack on the BSC-based decentralized exchange BurgerSwap, a single, crucial line of code was missing, enabling the attack to occur. 

Such attacks account for a sizable portion of flash loan usage. According to reporting by The Block Research in February, 51% of flash loan volume on Aave up to that point had been used for exploits (mostly on yDAI). On decentralized exchange Uniswap, 86.6% of flash loan volume had been used for attacks, with a large portion of that volume coming from a single $33.8 million exploit of yield farming protocol Harvest Finance. On DeFi trading platform dYdX, however, it was much lower at just 4.4%. 

It’s the sheer size of the flash loans these attackers are using that makes them such potent weapons.

To put it in perspective, consider the Aave-based attack on yDAI: to pull it off, the attacker borrowed $1.9 billion in flash loans from Aave, along with further loans from dYdX. They used all that money to manipulate the price of the stablecoin DAI in a specific pool on the Curve platform, which opened the door for them to steal $11 million before repaying the loan.

Are flash loan exploits illegal?

An even more complicated question is whether flash loans are breaking the rules, whether those be the unwritten ethics of using blockchain technology or the real-world laws in countries around the world. 

On the one hand, many DeFi proponents argue that the code, once out there, does what it says on the tin. A smart contract will function exactly as programmed. If it’s programmed badly, it might allow certain functions that were not intended. But if the smart contract allows money to be siphoned off, then the “attacker” was using it in a way that the code allowed.

“If there’s an economic exploit here, where you can adjust the price of an oracle and take advantage of that, in some sense, you could still say you’re playing within the rules of the game,” says Cheng.

This is the notion of “code is law,” the idea that what the code permits is ultimately more important than what the legal system says. If the code allows money to be taken, then it can be taken. (It is a concept that was rather undermined by The DAO attack, when the Ethereum blockchain was wound back to undo something allowed by the code.)

But not everyone agrees.

“Code is not law; it's a dumb meme, always has been,” Stephen Palley, partner at law firm Anderson Kill — who has also done legal work for The Block — tweeted in May. But are flash loan attacks in DeFi illegal? They “could be, depending on facts and circumstances,” he says, at least in the U.S. “The federal wire fraud statute is really broad.”

Could flash loans be restricted or banned?

Even if flash loans were deemed to be illegal or unethical, though, it’s not clear whether anything could be done to stop them from happening. Like most decentralized tools, once they’ve been let out of Pandora’s Box, there’s no way to put them back in again.

Aharwar says the UniLend team has discussed limits of $500,000 or $1 million for flash loans and whether that would be effective. It would be possible for the project to implement such a restriction, he says. But he notes that the protocol is permissionless, meaning that if the community decided it didn’t like the limits, they could just fork the protocol and remove them.

Cheng argues it would be very difficult to limit flash loans, particularly on a technical level. For example, designing protocols to check flash loans before they were issued — to make sure they weren’t being used for anything unethical — would be difficult because flash loans need to operate so quickly. 

“When people use flash loans, it’s very pinpointed at a certain time of the market. Any amount of delays on it somewhat kills the functionality of the loan itself,” he says.

Cheng adds that it would also be very hard for the protocol to distinguish between different use cases of flash loans, because, from a technical level, they look rather similar.

Further, he contends, capping flash loans would hurt legitimate uses of the technology. For instance, he points to Yearn vaults, which are pools of funds that follow set strategies and use flash loans to make them cheaper and more efficient. These are so big — up to $600 million — that they require large flash loans and would be hamstrung by any caps.

So without many ways to limit them on a technological level, and with little desire to do so anyway — from DeFi protocol founders at least — it seems that flash loans will likely remain a fixture of the DeFi world. 

And depending on the circumstances and perspectives of those involved, the technology will either be an innovative feature or a relentless bug.


© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.