Quantstamp unveils tool to detect DeFi flash loan vulnerabilities

Blockchain security and auditing firm Quantstamp has rolled out what it calls the Economic Exploit Analysis tool, aiming to help identify potential flash loan attack vectors in smart contracts before any hacks occur.

The tool automatically scans for vulnerabilities in the software code of a protocol that could be exploited through flash loan attacks, according to a statement. Quantstamp said it collaborated with the University of Toronto in developing the service, converting its initial academic research into a production-level tool.

The tool is not limited to analyzing only one specific contract or those belonging to a single client. Auditors (those checking the code for security flaws) can use this tool to analyze across various contracts from integrated DeFi protocols, Quantstamp added. However, while the tool’s search process is automated, it does require some manual intervention for protocol-specific adaptations, and it doesn’t guarantee the detection of all vulnerabilities.

Flash loan-based attacks are a significant concern in the DeFi space, siphoning off around $200 million alone from the Euler Finance exploit in March.

Flash loans attract attackers aiming to exploit DeFi protocol vulnerabilities as they grant borrowers access to uncollateralized funds that can be leveraged to manipulate the protocols. However, they also carry substantial risk due to the borrower’s obligation to repay within the same transaction. The complexity of these attacks often allows them to bypass standard code audits, potentially allowing hackers to carry out exploits.

“DeFi has the potential to change the global financial infrastructure for the better, but its success requires preempting threats like flash loan attacks. We developed this tool to provide DeFi protocols an extra layer of security on top of audits,” Quantstamp Head of New Initiatives Martin Derka said. “As DeFi evolves, security measures need to evolve with it. Services like Economic Exploit Analysis give us an edge against hackers.”

Quantstamp’s Economic Exploit Analysis service is currently available across all Ethereum-compatible chains, with the potential to be adapted for other blockchains in the future, the team said.

Increasing proportion of DeFi funds stolen using flash loans

Flash loan attacks are responsible for an increasing proportion of stolen funds from DeFi projects, according to The Block’s dashboard. In July, 90% of the funds stolen were through flash loan-based attacks.

Last month, the Securities and Exchange Commission (SEC) charged Quantstamp over its $28 million initial coin offering (ICO) in 2019. Quantstamp paid $3.4 million to settle the charges without admitting or denying them. The SEC has established a "fair fund" to return the money paid by Quantstamp to the investors.