What is a Flash-Loan Attack? 🚨
You may have heard of recent exploits on the BSC network known as “Flash-Loans” or “Flash-Loan Attacks”. We briefly spoke of how this exploit differs from a “Rug-Pull” in our last medium article why BSC needs Insurance. 🚨
Flash-loan attacks are quickly becoming a very serious issue in the BSC ecosystem. The attack is comprised of a cyber-thief taking out a flash loan (a form of uncollateralized lending) through which various exploits can manipulate the market in their favor.
This exploit functions through a logical fault in the token contracts and not via a hack. What does this mean? This doesn't technically break any rules.
Flash-loans attacks function via unsecured loans requiring no credit check, collateral or borrow limit as long as you can pay back the loan in the same transaction.
What? Why is this needed? Unfortunately (or fortunately?) much of modern finance relies on arbitrage bots and other forms of tech that rely on this instantaneous and automated nature.
With respect to blockchain technology, we tout our environment as a having a “trustless” nature, therefor this type of immediate, lock & key transaction is inherent to the nature of the network.
As mentioned, these flash loans aren’t actual “hacks”, but are comprised of individuals borrowing large amounts, then buying and selling large sums of a target token to manipulate the price.
How much did PancakeBunny lose in this attack? Nearly 200 Million USD from the Pancake Bunny exchange.
If PancakeBunny was the first victim of the Flash-Loan exploit, who was next?
Bogged Finance. The 2nd victim of note to have their token price manipulated through this exploit:
It is to be mentioned that it does not appear the attacks are uniform, and the although a flash-loan is required to proceed with the adverse liquidity event, other aspects such as minting functions of contracts appear to be manipulated to some degree as well.
As a result of these incidence, Coingeck is now providing dual warnings for rug-pulls and flashloan events for affected tokens.
An additional flash loan exploit occurred recently involving AutoShark Finance. The exploit followed the typical flash-loan attack method of using BNB and BNB/Token Pairings to drain the liquidity of the pools.
“Exploiter used $36,800,000, 100,000 BNB for the attack, and approximately 2,500 BNB was exploited — $822,800. 100,000,000 SHARK tokens were minted and used to drained all the liquidity in the LP pool because our token market cap was small (only at $2,000,000 approx) SHARK tokens, which are sold immediately via 1inch -> AnySwap.” -CoinMarketCap
Lastly we have BurgerSwap. We are seeing this type of manipulation now increasing in frequency:
As this is not considered a hack, pre-existing code deployed on the BSC network is highly susceptible to attacks.
Pancake is offering some advice for token devs to immediately take action now and in the future:
It will be impossible for this to be the last I write about this topic, but this is where I must leave off. The onus is now on token devs to quickly remedy these issues, and for securities and insurances to be made readily available to protect investments. 🍪