2/ A flash loan lets anyone borrow a very large amount of assets (as long as the amount + fee is paid back in the same transaction), which can be used to temporarily skew asset prices or balances.
3/ A typical flash loan attack pattern is a form of sandwich attack: (1) Skew price/balance (2) Main protocol uses the skewed price/balance (e.g. to open a position or deposit into an AMM, all at bad prices) (3) Un-skew price/balance
4/ There are several solutions that can mitigate flash loan attacks.
🚨 DISCLAIMER: The solutions are not limited to what’s presented here. Feel free to suggest/add more.
5/ 1st sol: Allow calls from EOA only (user addresses).
Pros:
- Attack must be split in multiple transactions -> Safe from flash loans.
Cons:
- Breaks smart contract composability.
- A flash loan-like attack can still work (with the attacker taking on more risk).
6/ 2nd sol: Price oracle for sanity-check.
Pros:
- The attacker can only skew prices up to a certain threshold.
Cons:
- Price updates from off-chain can be front-run.
- In some cases, the attack can still be repeated to get the same profit.
7/ 3rd sol: Use Time-weighted Average Price (TWAP)
Pros:
- Flash loan doesn’t affect TWAP.
Cons:
- The longer the TWAP interval, the more the price lags spot. The shorter the TWAP interval, the more prone it is to short-interval price manipulation.
This prevents any flash loan attempt, and the price can only deviate up to a certain threshold from the price oracle, limiting how much the attacker can skew the price.
9/ This capped price skewing guarantees that the attacker cannot steal funds from the ETH lenders.
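The oracle sanity check (6/) and TWAP (7/) from above, modeled in Python as an added example that is not part of the original thread. The pool, its reserves, the 600-second window and the 5% band are all constructed assumptions; the accumulator follows the common cumulative-price design where a price only counts for the seconds it was in effect.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool with a cumulative-price accumulator (constructed model, no fees)."""
    x: float            # reserve of the asset being priced
    y: float            # reserve of the quote asset
    now: int = 0        # current block timestamp (seconds)
    last: int = 0       # timestamp of the last accumulator update
    cum: float = 0.0    # sum of (spot price * seconds that price was in effect)

    def spot(self) -> float:
        return self.y / self.x

    def cumulative(self) -> float:
        # Accumulator value as of `now`: the current price counts only for elapsed time.
        return self.cum + self.spot() * (self.now - self.last)

    def advance(self, seconds: int) -> None:
        self.now += seconds

    def swap(self, dy: float) -> None:
        # Book the old price for the time it held, then move reserves along x*y=k.
        self.cum, self.last = self.cumulative(), self.now
        k = self.x * self.y
        self.y += dy
        self.x = k / self.y

def within_band(price: float, reference: float, max_dev: float) -> bool:
    """Sanity check: accept price only if it is within max_dev of the reference oracle."""
    return abs(price - reference) / reference <= max_dev

def scenario(hold_seconds: int, window: int = 600):
    """Return (spot, twap) seen by a consumer while the pool is skewed for hold_seconds."""
    pool = Pool(x=1000.0, y=2_000_000.0)          # constructed reserves, spot = 2000
    start_cum, start_t = pool.cumulative(), pool.now
    pool.advance(window)                          # quiet period before the skew
    pool.swap(+2_000_000.0)                       # large trade skews the price
    pool.advance(hold_seconds)                    # 0 = same transaction (flash loan)
    spot = pool.spot()
    twap = (pool.cumulative() - start_cum) / (pool.now - start_t)
    pool.swap(-2_000_000.0)                       # reverse trade restores reserves
    return spot, twap

if __name__ == "__main__":
    for hold in (0, 60):
        spot, twap = scenario(hold)
        print(hold, spot, round(twap, 2), within_band(twap, 2000.0, 0.05))
```

With `hold_seconds=0` the skewed spot price gets zero weight in the TWAP, while a skew held for 60 seconds does move it, which is the short-interval weakness listed under 7/ and the case the oracle band still rejects.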