A hacker who hijacked the decentralized stablecoin platform Beanstalk in April had a powerful tool: a $1 billion loan made with no collateral, no proof of income and no identity verification. The loan had to be repaid in less than a second, but that was all it took to walk off with tens of millions of dollars.
The hacker used a so-called flash loan: a cheap, instant and anonymous form of crypto-based funding.
Such instant loans have legitimate uses, including helping traders who want to take advantage of price differences between cryptocurrencies on different exchanges. In that sense, they are like the funding an investment bank can provide to a hedge fund to bet on different stocks or currencies.
But flash loans also have a dark side. There has been a recent spate of thefts using them. In addition to the Beanstalk heist revealed last month, a decentralized finance platform called Rari Capital said a hacker used a flash loan to help steal around $80 million from it. And Cream Finance said in October that a hacker used a flash loan to help steal about $130 million from its platform.
Decentralized Finance, or DeFi, is a growing area of the cryptocurrency world that provides financing and liquidity to those who trade in its markets. In a sense, instant loans are similar to the funding that banks can offer to algorithmic traders who move in and out of positions in milliseconds.
A DeFi platform, such as Aave or Uniswap, is a software program on which people can build and support applications. Users of the various apps and services deposit cryptocurrencies into accounts within each service. The assets pooled on one platform are the liquidity from which flash loans are made.
Services like borrowing and lending are handled by “smart contracts,” pieces of code written to automate an agreement. These replace the loan or bank application that would be used in traditional finance.
Flash loans are not a retail tool, however. To use one, someone needs to be able to write the contract and execute it. For instance, the flash-loan portion of the Beanstalk hack consisted of almost two dozen steps.
What defines a flash loan is the repayment period: it is almost instantaneous. Flash loans are granted and repaid within the same transaction. The loan lasts only as long as it takes a computer to process that single transaction.
That is not much time. But in an automated world, a single transaction is enough to do a great deal.
The smart contract carries conditions that guarantee the money comes back. If the borrower fails to repay the loan before the transaction is confirmed, the contract voids the entire transaction, along with every market action tied to it. It is as if the loan never happened: an all-or-nothing proposition. Because of this, there is essentially no credit risk to the lender.
And because there is no credit risk, the amount that can be borrowed is limited only by the amount of capital held on a particular DeFi platform. For example, Aave has about $21 billion in liquidity across its services, held in various cryptocurrencies.
In theory, flash loans let people use borrowed money the way financiers do in traditional markets, in the same way that an activist investor would use financing to buy out a company, or how George Soros used borrowed money for his famous bet against the pound sterling.
But their speed, the absence of any collateral requirement and the anonymity they allow make them very different in practice. “They open up the potential for things that you wouldn’t even be able to do in the traditional market, and that weren’t possible in cryptocurrencies before,” said Max Galka, founder and CEO of crypto analytics firm Elementus.
Several DeFi platforms offer flash loans, but Aave, where the practice originated, is the biggest. Since 2020, Aave has processed 52,000 flash loans totaling $15.6 billion in market value, according to Elementus. Borrowers pay a small fee for the loan.
That number is small compared to the total $1.8 trillion worth of the crypto market. But even a few hundred million could be enough to manipulate or attack some of the smaller and illiquid assets of the crypto market.
Hassan Bassiri, a fund manager at Arca, a crypto-focused investment manager, said that for programmers who understand how to use flash loans, the potential to make money is huge. Because DeFi is a new field, many services have poor security or badly written code, or both, making the potential for abuse even greater.
“You are not going to make $80 million in 30 seconds of arbitrage,” Mr. Bassiri said. “There’s a lot more profit in nefarious use.”
The Beanstalk incident is an example of a hacker using a flash loan to temporarily take over a crypto project. Beanstalk is a stablecoin platform, meaning each token is pegged to the US dollar, in which the investors are also the owners. Each token purchaser receives a share of the vote, and investors can propose and vote on changes to the platform.
The day before the attack, the hacker submitted a proposal to send money from Beanstalk to Ukraine as aid, although the proposal’s code would instead redirect the funds to a wallet the hacker controlled.
The Beanstalk hacker took out a $1 billion flash loan on the Aave platform, in several different cryptocurrency denominations, and used it to buy Beanstalk tokens and seize control of the voting mechanism in a split second. The Beanstalk founders declined to comment. Aave did not respond to a request for comment.
In the attack itself, the hacker’s program had to do a few things in quick succession: borrow the money, buy enough tokens to hold a majority of the vote, and vote to approve the proposal from the previous day. The program then sent the funds elsewhere and sold off the Beanstalk tokens to pay back the loan.
The result: the attacker drained about $76 million in crypto in the blink of an eye.
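The two mechanisms the article describes, a loan that is undone if it is not repaid within the transaction, and a vote whose weight comes from tokens held only for the duration of that transaction, can be made concrete in a small simulation. The Python below is an added example written for this piece; it is not Beanstalk’s, Aave’s or any real protocol’s code. All account names, the 1:1 token price, the 9-basis-point fee and the balances are constructed. It also goes one step beyond the text on the defensive side: it compares a vote that counts current balances with one that counts balances snapshotted when the proposal was created, which is the check that makes borrowed tokens worthless as votes.

```python
import copy

class Revert(Exception):
    """Aborts a transaction; every state change made since it began is undone."""

FEE_BPS = 9  # flash-loan fee in basis points (constructed value, not any real pool's)

class Ledger:
    """Toy on-chain state. Accounts hold cash and governance tokens; the 'market'
    account sells and buys back governance tokens at a fixed price of 1 cash each."""
    def __init__(self, pool_cash, cash, gov):
        self.pool_cash = pool_cash   # liquidity the flash-loan pool can lend
        self.cash = dict(cash)       # account -> cash balance
        self.gov = dict(gov)         # account -> governance-token balance
        self.proposals = {}          # proposal id -> {"votes", "executed", "snapshot"}

    def total_gov(self):
        return sum(self.gov.values())

def run_tx(ledger, body):
    """Run body(ledger) atomically: on Revert, restore the pre-transaction state."""
    saved = copy.deepcopy(ledger.__dict__)
    try:
        body(ledger)
    except Revert:
        ledger.__dict__.update(saved)
        raise

def flash_loan(ledger, borrower, amount, callback):
    """Lend amount for the duration of callback; it must be back, with the fee,
    before the transaction ends, otherwise the lender reverts everything."""
    if amount > ledger.pool_cash:
        raise Revert("insufficient liquidity")
    ledger.pool_cash -= amount
    ledger.cash[borrower] = ledger.cash.get(borrower, 0) + amount
    callback(ledger)
    owed = amount + amount * FEE_BPS // 10_000
    if ledger.cash.get(borrower, 0) < owed:
        raise Revert("flash loan not repaid")   # the loan 'never happened'
    ledger.cash[borrower] -= owed
    ledger.pool_cash += owed

def swap(ledger, who, gov_delta):
    """Buy (gov_delta > 0) or sell (gov_delta < 0) governance tokens against the market."""
    cash_delta = -gov_delta
    if ledger.cash.get(who, 0) + cash_delta < 0 or ledger.gov.get(who, 0) + gov_delta < 0:
        raise Revert("trader cannot cover the trade")
    if ledger.cash["market"] - cash_delta < 0 or ledger.gov["market"] - gov_delta < 0:
        raise Revert("market cannot fill the trade")
    ledger.cash[who] = ledger.cash.get(who, 0) + cash_delta
    ledger.cash["market"] -= cash_delta
    ledger.gov[who] = ledger.gov.get(who, 0) + gov_delta
    ledger.gov["market"] -= gov_delta

def create_proposal(ledger, pid):
    """Record a proposal and snapshot who held what at creation time."""
    ledger.proposals[pid] = {"votes": 0, "executed": False, "snapshot": dict(ledger.gov)}

def vote(ledger, pid, voter, snapshot_voting):
    """Weak rule: weight is the voter's current balance, so borrowed tokens count.
    Hardened rule: weight is the balance at proposal creation, so they do not."""
    p = ledger.proposals[pid]
    weight = p["snapshot"].get(voter, 0) if snapshot_voting else ledger.gov.get(voter, 0)
    p["votes"] += weight

def execute(ledger, pid):
    """Run the proposal if it holds a strict majority of all tokens; report whether it ran."""
    p = ledger.proposals[pid]
    if not p["executed"] and p["votes"] * 2 > ledger.total_gov():
        p["executed"] = True
    return p["executed"]

def fresh_ledger():
    # Constructed numbers: a 1,000,000-cash pool; 1,000,000 tokens exist, 600,000 for sale.
    return Ledger(pool_cash=1_000_000,
                  cash={"borrower": 1_000, "market": 0, "holder": 0},
                  gov={"market": 600_000, "holder": 400_000, "borrower": 0})

def borrow_and_vote(snapshot_voting):
    """The article's sequence in one transaction: borrow, buy a majority of tokens,
    vote, try to execute, sell back, repay. Returns (executed?, pool cash afterwards)."""
    led = fresh_ledger()
    create_proposal(led, "p1")          # proposal exists before the transaction starts
    def during_loan(l):
        swap(l, "borrower", 600_000)    # temporarily holds 60% of all tokens
        vote(l, "p1", "borrower", snapshot_voting)
        execute(l, "p1")
        swap(l, "borrower", -600_000)   # sell back so the loan can be repaid
    run_tx(led, lambda l: flash_loan(l, "borrower", 600_000, during_loan))
    return led.proposals["p1"]["executed"], led.pool_cash

def loan_without_repayment():
    """The borrower moves the funds away and never repays: the whole transaction
    reverts and the pool is untouched. Returns (pool cash, borrower cash)."""
    led = fresh_ledger()
    def during_loan(l):
        l.cash["borrower"] = 0          # funds sent elsewhere (constructed), nothing returns
    try:
        run_tx(led, lambda l: flash_loan(l, "borrower", 600_000, during_loan))
    except Revert:
        pass
    return led.pool_cash, led.cash["borrower"]
```

Running `borrow_and_vote(False)` shows the proposal passing while the pool still ends up 540 richer, because the borrowed tokens were sold back and the loan repaid with its fee; `borrow_and_vote(True)` leaves the proposal unexecuted with the same repayment, since the snapshot gives the borrower a weight of zero. `loan_without_repayment()` ends with the pool at its original 1,000,000 and the borrower at 1,000, which is the “no credit risk to the lender” property in code. The snapshot rule is one concrete form of the wider principle: any decision that turns on a token balance should read a balance that could not have been bought and sold within the same transaction.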
Write to Paul Vigna at [email protected]
Copyright © 2022 Dow Jones & Company, Inc. All rights reserved.