
Quantstamp launches flash loan attack vector detector for DeFi protocols

Quantstamp debuts flash loan exploit detector
  • Flash loan attacks are responsible for $246 million stolen from DeFi protocols in the first half of 2023.
  • DeFi projects are partnering with security researchers like Quantstamp to shore up their defences against flash loan attacks and other threats.

Blockchain security company Quantstamp on Wednesday debuted a smart tool created to help DeFi protocols preemptively protect themselves from flash loan exploits — an attack vector that has led to $246 million in losses for DeFi protocols in the first half of 2023.

Flash loans are not inherently malicious. They are a DeFi mechanism that allows uncollateralised borrowing on the condition that the loan is repaid within the same blockchain transaction; if it is not repaid by the time the transaction ends, the whole transaction reverts as if it had never happened. Traders use these loans for arbitrage.

Hackers and exploiters also use flash loans to syphon liquidity from DeFi protocols. The loans supply the capital needed to exploit a vulnerability in a protocol’s code at a scale the attacker could not otherwise afford.
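As an added illustration (not Quantstamp’s tool and not any real protocol’s code), the following minimal Solidity flash lender shows why no collateral is needed: the lender hands the tokens out, lets the borrower run arbitrary logic, then checks its own balance. If the funds and fee are not back by then, the final `require` fails and the EVM reverts the entire transaction, including the payout and everything the borrower did with it. The contract names, the 0.09% fee and the repay-by-transfer convention are assumptions for this example; real lenders such as ERC-3156 implementations typically pull repayment via an allowance instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: a minimal flash lender, not any real protocol's code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IFlashBorrower {
    // Called by the lender once the borrowed tokens are already in the borrower's balance.
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract MinimalFlashLender {
    IERC20 public immutable token;
    uint256 public constant FEE_BPS = 9; // 0.09% premium, an arbitrary illustrative value
    bool private locked;                 // simple reentrancy lock around the loan

    constructor(IERC20 _token) {
        token = _token;
    }

    function flashLoan(IFlashBorrower borrower, uint256 amount, bytes calldata data) external {
        require(!locked, "reentrant");
        locked = true;

        uint256 balanceBefore = token.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10_000;

        // 1. Hand out the capital with no collateral...
        require(token.transfer(address(borrower), amount), "transfer failed");

        // 2. ...let the borrower do anything it likes with it (arbitrage, or an exploit)...
        borrower.onFlashLoan(address(token), amount, fee, data);

        // 3. ...and demand principal plus fee back before this call returns. If the borrower
        //    has not returned the funds, this require fails and the EVM reverts the ENTIRE
        //    transaction, including step 1 and every state change the borrower made.
        require(token.balanceOf(address(this)) >= balanceBefore + fee, "loan not repaid");

        locked = false;
    }
}

// A borrower that repays. Usage: lender.flashLoan(borrower, amount, "") from any account.
// The borrower must already hold `fee` worth of the token to cover the premium.
contract HonestBorrower is IFlashBorrower {
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata) external override {
        // ... use `amount` of `token` here, e.g. arbitrage between two pools ...

        // Repay principal + fee to the lender (msg.sender). Omit this line and the whole
        // transaction, including the lender's payout above, is rolled back.
        require(IERC20(token).transfer(msg.sender, amount + fee), "repay failed");
    }
}
```

The check in step 3 is on the lender’s own balance, not on anything the borrower reports, which is what makes the loan safe for the lender regardless of what the borrower does in between. The same atomicity is why flash-loan capital cannot be carried from one block to the next: the loan and its repayment must sit inside one transaction.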

While security researchers say flash loan exploits have declined in 2023, the attacks that did occur have been high-impact. Ethereum lending protocol Euler Finance initially lost $197 million in a flash loan attack in March.


The attacker later returned 85% of the syphoned funds, but other victims have not been as fortunate. DeFi protocol Platypus Finance lost $8.5 million in February, while another protocol, 0VIX, lost $2 million in April.

Flash loan attacks pose a major headache for DeFi protocols and security researchers because there is no one-size-fits-all solution. Malicious actors can use flash loans to take advantage of a host of different smart contract vulnerabilities.

Chart: Monthly sum of DeFi exploits

Also, victims and on-chain sleuths typically only learn of the vulnerability after the heist has occurred. Some perpetrators have nevertheless been caught and are now facing legal consequences.


DeFi protocols, in response, have begun to adopt methods beyond regular code audits aimed at making these attacks more difficult. These include circuit breakers that halt or cap unusually large transactions and the use of decentralised price oracles.

DeFi protocols are also using two-block confirmations to slow down flash loan attackers, but savvy exploiters have been known to bypass this method by spreading their attacks across two consecutive blocks. Because a flash loan must be repaid within a single transaction, an attack spread over two blocks has to be funded with the attacker’s own capital, but the underlying vulnerability remains exploitable.
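To make the two mitigations described above concrete, here is an added example vault in Solidity (not code from the article, Quantstamp or any named protocol) that combines a per-call and per-block outflow circuit breaker with a same-block guard. The guard works because a flash loan cannot outlive its transaction: a deposit and a withdrawal that are forbidden from sharing a block cannot both be paid for with borrowed capital. The contract name, the 10% and 20% thresholds and the one-share-per-wei accounting are assumptions chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative vault, not any real protocol's code. Shows a circuit breaker on large
// outflows and a same-block guard against flash-loan-funded deposit-then-withdraw sequences.
contract GuardedVault {
    mapping(address => uint256) public shares;
    mapping(address => uint256) public lastDepositBlock;
    uint256 public totalShares;

    // Circuit breaker thresholds (arbitrary illustrative values).
    uint256 public constant MAX_SINGLE_WITHDRAW_BPS = 1_000; // 10% of vault balance per call
    uint256 public constant MAX_BLOCK_OUTFLOW_BPS = 2_000;   // 20% of vault balance per block
    uint256 private outflowBlock;    // block in which `outflowInBlock` was last accumulated
    uint256 private outflowInBlock;  // total withdrawn so far in `outflowBlock`

    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable nonReentrant {
        require(msg.value > 0, "zero deposit");
        // One share per wei, for simplicity; a real vault prices shares against its assets.
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
        lastDepositBlock[msg.sender] = block.number;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(shares[msg.sender] >= amount, "insufficient shares");

        // Same-block guard: a flash loan must be repaid in the transaction that took it, so
        // a deposit and a withdrawal that cannot share a block cannot both be flash-funded.
        // An attacker with real capital can simply wait one block (the bypass the article
        // describes); the guard only removes the "free" capital.
        require(block.number > lastDepositBlock[msg.sender], "same-block withdraw");

        // Circuit breaker: cap the size of one withdrawal and the total leaving per block,
        // both measured against the balance before this withdrawal is paid out.
        uint256 balanceBefore = address(this).balance;
        require(amount <= (balanceBefore * MAX_SINGLE_WITHDRAW_BPS) / 10_000, "single withdraw too large");
        if (outflowBlock != block.number) {
            outflowBlock = block.number;
            outflowInBlock = 0;
        }
        outflowInBlock += amount;
        require(outflowInBlock <= (balanceBefore * MAX_BLOCK_OUTFLOW_BPS) / 10_000, "block outflow cap hit");

        // Effects before interaction, then pay out.
        shares[msg.sender] -= amount;
        totalShares -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two caveats a reviewer would raise: the per-block cap is shared by all users, so an attacker can exhaust it deliberately to delay legitimate withdrawals, and the same-block guard keys on `msg.sender`, so an attacker who deposits from one address and withdraws from another (after transferring shares, if the vault allows it) needs the guard applied at share-transfer time as well. Neither measure removes the vulnerability the attacker is targeting; they raise the cost of reaching it.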

For DeFi protocols, detection tools are the way to go, but these require highly specialised design.

Quantstamp says its tool called the Economic Exploit Analysis Service will help DeFi protocols detect flash loan attack vectors in their smart contracts. The blockchain security firm partnered with researchers at the University of Toronto to develop the product.


The search for high-impact flash loan attacks seems to have led to an uptick in read-only re-entrancy flash loan attacks. In these, a protocol reads a value such as a price from another contract’s view function while that contract is in the middle of a state-changing operation and its storage is only partly updated, so the reader acts on a distorted value. Security researchers say it is a new twist on an old exploit and that it is difficult to detect.

DeFi protocols such as EraLend and Conic Finance have fallen victim to this attack in the second half of the year.
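An added Solidity illustration of the pattern (not the code of Conic Finance, EraLend or any real pool, and not Quantstamp’s tool): the pool’s state-changing functions carry a re-entrancy lock, but the lock does nothing for a view, so a lender that prices LP collateral with that view during the pool’s ETH callback sees a half-updated ratio. Which direction the price moves depends on which piece of state is stale; in this example LP supply is reduced before control is handed over and the reserve afterwards, so the view reports an inflated price. The hardened variants apply checks-effects-interactions and make the view revert while the lock is held. Contract names, the 75% loan-to-value figure and the one-LP-per-wei accounting are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative read-only re-entrancy: a pool with a locked state-changing function and an
// unlocked view, plus a lender that trusts the view as a price oracle. Not real protocol code.
contract LiquidityPool {
    uint256 public totalSupply;                  // LP tokens outstanding
    uint256 public reserve;                      // ETH the pool believes it holds
    mapping(address => uint256) public lpBalance;
    bool internal locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function addLiquidity() external payable nonReentrant {
        lpBalance[msg.sender] += msg.value;      // one LP per wei, simplified
        totalSupply += msg.value;
        reserve += msg.value;
    }

    // VULNERABLE ordering: LP is burned, ETH is sent (control passes to the caller), and only
    // then is `reserve` reduced. During the send, totalSupply is already smaller while
    // reserve still holds the old, larger value, so reserve/totalSupply is inflated.
    function removeLiquidityVulnerable(uint256 lp) external nonReentrant {
        require(lpBalance[msg.sender] >= lp, "insufficient LP");
        uint256 out = (lp * reserve) / totalSupply;
        lpBalance[msg.sender] -= lp;
        totalSupply -= lp;
        (bool ok, ) = msg.sender.call{value: out}("");   // re-entrant *reads* happen here
        require(ok, "send failed");
        reserve -= out;
    }

    // nonReentrant does not guard a view: anything the pool calls mid-removal can read here.
    function getVirtualPriceVulnerable() external view returns (uint256) {
        return totalSupply == 0 ? 1e18 : (reserve * 1e18) / totalSupply;
    }

    // HARDENED: all storage is updated before the ETH leaves (checks-effects-interactions).
    function removeLiquidity(uint256 lp) external nonReentrant {
        require(lpBalance[msg.sender] >= lp, "insufficient LP");
        uint256 out = (lp * reserve) / totalSupply;
        lpBalance[msg.sender] -= lp;
        totalSupply -= lp;
        reserve -= out;
        (bool ok, ) = msg.sender.call{value: out}("");
        require(ok, "send failed");
    }

    // HARDENED: the view refuses to answer while the lock is held, so a consumer that calls
    // it from inside a callback reverts instead of receiving a half-updated price.
    function getVirtualPrice() external view returns (uint256) {
        require(!locked, "reentrant read");
        return totalSupply == 0 ? 1e18 : (reserve * 1e18) / totalSupply;
    }
}

// A lender that values LP collateral with the pool's view. Against the vulnerable pair above,
// an attacker who calls removeLiquidityVulnerable and, inside the ETH callback, calls borrow()
// here is credited with collateral worth more than it really is.
contract LpLender {
    LiquidityPool public immutable pool;
    mapping(address => uint256) public collateralLp;  // LP pledged (LP transfer omitted)
    mapping(address => uint256) public debt;
    uint256 public constant LTV_BPS = 7_500;          // 75% loan-to-value, arbitrary

    constructor(LiquidityPool _pool) {
        pool = _pool;
    }

    function borrow(uint256 amount) external {
        uint256 price = pool.getVirtualPrice();      // reverts mid-removal once hardened
        uint256 collateralValue = (collateralLp[msg.sender] * price) / 1e18;
        require(debt[msg.sender] + amount <= (collateralValue * LTV_BPS) / 10_000, "undercollateralised");
        debt[msg.sender] += amount;
        // ... transfer `amount` of the lent asset to msg.sender ...
    }
}
```

The detection difficulty the article mentions follows from the structure: the pool’s own audit sees a correctly locked `removeLiquidity`, and the lender’s audit sees an ordinary external view call; the bug only exists in the composition. When consuming a third-party pool’s view as an oracle, check whether that view is itself protected by the pool’s lock, or whether the pool exposes some way to detect that the lock is held.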

This trend is in line with security researchers’ predictions that attackers’ techniques, and the countermeasures adopted by DeFi protocols and security firms, will continue to evolve.

The new tool is in response to DeFi’s “dire need to prevent these attacks,” Quantstamp stated in the announcement.

Martin Derka, head of new initiatives at Quantstamp, told DL News that ongoing research will only “improve the success rate of the tool” in detecting read-only vulnerabilities. “The technique is well suited for such scenarios,” Derka said.


Derka also said the smart tool can be useful in live flash loan exploit scenarios as the company will “open a war room” with the DeFi protocol at risk to “help with immediate remediation.” These efforts may even include white hat hacking if required, Derka said.

Quantstamp’s flash loan exploit detector is available across all EVM-compatible chains, the announcement stated. EVM stands for Ethereum Virtual Machine; EVM chains are blockchains that run the same virtual machine as Ethereum and therefore execute the same smart contract bytecode.

Derka added, however, that the tool could be repurposed for DeFi protocols on non-EVM chains.

Quantstamp’s website says the company has protected $200 billion in digital assets from malicious actors.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at osato@dlnews.com.
