Protecting Against Flash Loan Attacks
Understanding the basics
Flash loans have long been a source of contention for DeFi projects. Flash loans are uncollateralized loans that are borrowed and paid back within the same block. Flash loan exploits rely on the constant product automated market maker (AMM) features of DEX liquidity pools, along with naive smart contract engineering on the part of the victims.
There are a number of tried-and-true methods to disrupt or prevent flash loan attacks, including making sure smart contracts are not reentrancy-prone, adding time-locks or delays to token conversions, and, most importantly, not using DEX LPs as price oracles. Attacks using flash loans typically focus on influencing the DEX LPs that on-chain spot price oracles use to determine prices.
Additionally, the use of a single price oracle, more specifically a DEX LP, makes protocols especially vulnerable to flash loan attacks. The exploiter obtains a sizable loan and uses it to influence the value of the assets in the LP before capitalizing on the price impact and quickly liquidating their position. Issues with flash loans are nothing new.
Elephant.Money has implemented three strategies to defend against the threat of flash loan attacks.
- Implemented a TWAP Oracle
- Implemented a 3-block delay in the minting process
- implemented a queued redemption system with limits on how much can be redeemed daily