The Flash Loan Attacks Explained (for Everybody)

Today we're breaking down the flash loan attacks that rocked the DeFi community in a way even your grandpa can understand, presented in both audio and full-text format.

AccessTimeIconFeb 19, 2020 at 6:50 p.m. UTC
Updated Dec 6, 2022 at 6:28 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Today we're breaking down the flash loan attacks that rocked the DeFi community in a way even your grandpa can understand, presented in both audio and full-text format below.

For early access before our regular noon Eastern time releases, subscribe with Apple Podcasts, Spotify, Pocketcasts, Google Podcasts, Castbox, Stitcher, RadioPublica or RSS.

Full transcript:

John: The world of cryptocurrency is no stranger to fast money… Bitcoin (BTC), ether (ETH) and thousands of others like them take just minutes or even seconds to send across the street or to the other side of the world. The technology has been described as cash with wings, and it’s not a bad way to think about it.

But last week, as we walked the floor at ETHDenver, an annual gathering of ethereum fans, that speed became a liability. Sophisticated attackers took advantage of that speed to steal nearly a million dollars in less than a second. 

Hello, and welcome to CoinDesk Explains, an occasional series where we break down the complex world of cryptocurrency.  I’m John Biggs...

Adam: ...and I’m Adam B. Levine. We’ve both been following this technology for way too many years, but this latest incident is pretty fascinating by any standard.  On today’s show we’ll break down The flash loan attacks that rocked the DeFi community and, depending on whom you ask, either demonstrated fundamental flaws in the world of “DeFi, or simply show how early we are in this technology.

John: Okay, if you’re new to the sector or haven’t been paying that much attention to ethereum you’re probably wondering, “What is DeFi, and what are flash loans?” This story is really about flash loans, but before we get there, let’s talk about Decentralized Finance, better known as DeFi.

Adam: So John, think back to when you were a poor college student, to that time you pawned your electric guitar.  

John: I’ll never admit that I did this, but for the sake of argument let’s say I went down to Uncle Sams’ Pawn Shop in Columbus, Ohio, at the age of 18. On Thursday. At, like, 11 a.m. So the guitar was worth about $300 but the pawn shop only gave me $150 in exchange for it.  

Adam: So why did you sell it to a pawn shop?

John: Well, in this case I didn’t actually sell it. When you pawn something you’re basically taking out a loan and using the pawned item, the guitar in my case. That’s collateral for that loan.  

Adam: In the world of High Finance, I think we’d call that securing the loan.  What was your thinking there?

John: If I sold my guitar outright, I'd need to buy a new one, but I didn’t want a new one. To get my guitar back I just had to wait for my next paycheck to roll around and then pay back the $150 they’d given me, plus a bit of interest, and boom - I’d solved my short-term cash crunch without selling anything at all.

Adam: So for you that felt like a good deal because even though you weren’t getting the full value of your guitar, you also weren’t really selling it.  You could get it back, as long as you honored the terms of the loan and paid it back.  

John: Yeah, it was a good deal for me, but it was also a good deal for the pawn shop.  If I pay the loan back, they make money off the interest. They gave me $150 for the guitar, but I paid $200 to get it back.  So the loan cost me $50. That was some crazy expensive money.

Adam: But if you hadn’t paid it back, the pawn shop basically doubles their money, so long as they can sell your guitar for the $300 it was worth.  You keep the $150 they loaned you, but you’re out your guitar. Not exactly a winning scenario, but that’s sort of a worst-case, the loan turns into you effectively selling it on the cheap.

John: Are we really going to talk more about my years as a poor college student? I can’t be held responsible for my actions when sleep-deprived.

Adam: No, we’re just about done here. The point is that DeFi, or Decentralized Finance, usually works a lot like a pawn shop, but on the internet. Instead of using your guitar as collateral, you use cryptocurrencies like bitcoin, ether or an almost unlimited supply of smaller tokens that can be created by, literally, anybody, and for just about any purpose.

John: So if I want to take out a DeFi loan, I give them cryptocurrency collateral that’s worth more than whatever I want to do.

Adam: Yeah, that’s right. And you’d do it for basically the same reason as you’d take a loan in a pawn shop: You have something, in this case cryptocurrency tokens, which you don’t want to sell but which you do want to get some money out of for one reason or another. 

John: And instead of using a pawn shop, I’m using a smart contract.

Adam: Exactly. We’re not going to get into smart contracts right now, just think about them like computer programs that run on a blockchain, but yes. So DeFi, or Decentralized Finance, usually works like a pawn shop giving a loan.  You give them a thing more valuable than the loan you want to take to hold as collateral in case you don’t pay back the loan. That seems like a pretty safe system: heads I win, tails you lose and I also win.  So what happened in Denver?

John: Flash loans!  

Adam: What’s a flash loan?

John: OK, this one is a little weird but it’s a really, really quick loan that doesn’t require me to put up any collateral.

Adam: So they just give you money? What happens if you don’t return it? This sounds like my kind of loan.

John: That’s the thing, they won’t give you the loan unless you pay it back at exactly the same time they give it to you.

Adam: Wait… What?

John: I know… I know… So, you remember how at the beginning I said that cryptocurrency is fast, like really really fast.

Adam: Yeah?

John: Well, with a lot of careful planning it’s actually possible with cryptocurrency and DeFi to use one of these flash loans to take advantage of trading opportunities, the imbalances between different marketplaces, to make money and pay back the loan, almost instantly.

Adam: That sounds crazy. Can one get a job taking free loans and making money instantly without providing collateral?  I may have picked the wrong career!

John: Well, sure, but at this point, DeFi and flash loans are still in the experimental, early stage and really the only people playing in that sandbox are developers and wannabe Wall Street types.  For normal people this stuff might eventually change the way we think about money, or at least loans. But for now that seems a long way off.  

Adam: OK, but wait, when we started talking about this you said that flash loans caused almost a million dollars worth of losses for the folks lending money. Why would anyone lend money without collateral if they can lose money doing it?

John: In theory, they shouldn't have been able to lose that money.  With flash loans, the whole idea is that you only get the loan if you can prove that you’ll pay it back at basically the same time.  Cryptocurrency, DeFi, and Flash Loans all rely on a blockchain, which is simply a long list of all the actions and transactions that have happened. It’s maintained independently by thousands of individual computers run by enthusiasts and companies. The great thing about a blockchain is that because there are so many computers keeping track, it’s almost impossible to lose data or for a person, company or even government to change that record.  

Adam: So basically, they can’t rewrite history, and that’s a good thing because it means that people on the internet who don’t trust each other can still have their computers work together to create a history that we can all trust.

John: Yeah, because even if I might want to change the record to give myself a cool thousand bucks, you’re probably not going to think that’s very fair.  There’s only one of me who wants that to be true, and thousands of people like you who think it's probably more important that the record is accurate.

Adam: So what happened?

John: Step one: I get a flash loan in a cryptocurrency called ether and use some of it to buy a lot of dollar-pegged stablecoin that should be worth one dollar each.

Adam: Right.  And a dollar-pegged stablecoin is a type of cryptocurrency that’s supposed to be equal to, or be pegged to, the value of a dollar.  So in theory it should always be worth a dollar.

John: That’s right, but Step two: I know that the lender gets pricing data from only one source. That source was called Kyber, but let’s call him Bob. Bob’s just one guy, and I use some of the crypto I borrowed with the flash loan, some ether, to buy a huge amount of his tokens that are supposed to be worth a dollar, but because i’m being clever, I’m willing to pay a lot more than a dollar if it makes my lender think that the price of dollar-pegged stablecoins are now worth two dollars each.  

Adam: OK.

John: Step three: I take the stablecoins that should be worth a dollar, but which look like they’re worth two dollars now because I’ve been pushing up Bob’s price, to take another flash loan where the lender thinks he’s being paid back in full, but is actually accepting just half of what I owe him since he thinks the money I’m paying him with, the not-so-stable-coin, is only temporarily worth $2.  

Adam: So by pushing up the price of the stablecoin temporarily to double its value and then paying back the loan with it, you only need to pay back half of what you owe. 

John: That’s right, and all of this happens basically instantly. While that’s not the whole story, I think at this point you can see how this attack not only worked but was pretty wildly profitable for whoever pulled it off.

Adam: So is DeFi dead?

John: No, of course not.  This is a new technology, but more than that it’s a whole new way to think about finance, who gets it, who gives it and what you can do with it.

Adam: Nobody knew an attack like this was possible because until last week it’d never happened.  

John: Yeah, and it’s important to mention that while this attack basically stole money from a flash loan provider, there was nothing about the flash loan that really failed. DeFi in general, at least for now, is sort of a Rube Goldberg machine with unrelated projects strung together to make things work. The Kyber Network, or Bob as we’ve been calling him, isn’t really related to the flash loan project at all, but he was who the flash loan people thought would be the most reliable way for them to keep track of different token prices. 

Adam: So were they wrong?

John: At least for now, getting accurate pricing information like you’d need to do flash loans is really difficult.  That’s probably a temporary problem, but for now as we see here it’s a big one.

Adam: What I’m hearing is now is an excellent time to take out a flash loan and stuff some money in Bob’s pocket, for great profit?

John: Probably not. Usually attacks like this only work once because now that we understand it’s possible, it’s a lot easier to protect against it.  But it’s not to say this stuff is safe yet, we just don’t know what the next attack could look like until someone pulls it off.

Adam: Well, John, I guess we’re sticking to our day jobs then.

John: At least for now *echoey evil genius laughter*

Adam: You’ve been listening to CoinDesk Explains: Flash Loan Attacks, we’d love to hear what you think - Send an email to podcasts@coindesk.com to lavish us with praise, complain about our inaccuracies...

John: ...or offer us boatloads of sweet, sweet money, which we’ll use to bribe Bob before paying you back instantly. We’re definitely good for it.


Adam: See you next time!

For early access before our regular noon Eastern time releases, subscribe with Apple Podcasts, Spotify, Pocketcasts, Google Podcasts, Castbox, Stitcher, RadioPublica or RSS.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Adam B. Levine

Adam B. Levine is the managing editor of CoinDesk's podcast division.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.