Somish Blockchain Labs

All About Smart Contract Auditing – All You Need to Know about DeFi and Flash Loans (2020)

Podcast episode 04

Decentralized Finance (DeFi) is in the middle of a hot run, having very recently touched the $2 bn benchmark. The hype around DeFi refuses to die down as more and more people pile into yield farming. DeFi has been dominating the headlines in the crypto-verse since February, for good and bad reasons alike.

Flash loans, an innovative financial product in the DeFi space, were exploited in the bZx attack in February 2020. This has made DeFi, and bZx in particular, a bone of contention amongst crypto traders, investors and people working in the DeFi space. It has also spawned two distinct schools of thought when it comes to flash loans.

BUT… what exactly are flash loans? Why are they suddenly so relevant? What happened in the bZx attack, and does it mean the end of the road for DeFi? And the most important question: “Are flash loans really attacks, or is it just FUD masquerading as legitimate criticism?”

Nitika & Ish Goel sat down for a discussion and addressed all these questions in detail during our podcast. You can watch the podcast here and while you are at it, please don’t forget to subscribe to our Youtube Channel.

Here is the written transcription of the podcast:

Ish Goel: Hey guys, my name is Ish Goel and I’m the CEO at Somish Blockchain Labs. We are back for our fourth episode of the All About Smart Contracts podcast, and I’ve got today again with me, Nitika, who will be talking about flash loans in this episode. So guys, flash loans have suddenly, I mean, in February they eventually kind of became very famous for good and for bad reasons.

We are going to talk about flash loans in this video, in terms of what flash loans really are, why they are suddenly so relevant. We’ll talk about the bZx attack. And, in the end, if you watch the video till the end, there is one thing which we are going to talk about, which is very interesting, probably the most interesting part: are flash loans really an attack on smart contracts?

So, I think the community is split into two opinions, whether they are actually attacks or whether your smart contract should actually be able to handle the flash loans. So let’s get started, the first question Nitika that I want you to answer for us and our audience is what are flash loans?

Nitika Goel: So, like the name suggests flash loans are loans, which are there for a flash of time only.

Ish Goel: Okay. 

Nitika Goel: Generally, we have loans and need collateral before we actually borrow money. In flash loans, the concept is, without collateral, I’m able to borrow money provided I return the money in the same transaction.

Ish Goel: So, it’s like an uncollateralized loan. 

Nitika Goel: So, I can borrow like a huge sum of money, I mean, because I don’t have to repay it literally. 

Ish Goel: Because you’re repaying in the same transaction.

Nitika Goel: Yes, so this is majorly used today for like arbitrage opportunities or the different kinds of attacks that have just happened in the past, where people in a flash make a lot of money, 

Ish Goel: …but still, I mean, how would you explain this to a layman? So, typically when you go out in the traditional world to take a normal loan, where you are providing some kind of collateral, the interest rates are kind of lower. But in an unsecured loan they generally tend to be higher. In this case, how does it work? And when you say that the loan has to be returned back in one transaction, what does it exactly mean? How can the loan be returned?

Nitika Goel: Yeah, so I’ll borrow some money. The smart contract is willing to give me an amount of money, I can do whatsoever I want with the money in the same transaction, I execute a large set of transactions, a large set of function calls to different protocols, whatever it is,

Ish Goel: Let’s take an example, how can you borrow a flash loan? Can you give some examples on that? 

Nitika Goel: There are protocols today like dYdX, Aave, which allow flash loans in the market. They have quite some liquidity, where you can actually borrow a huge amount of money and execute these.

Ish Goel: How does it work? So you go on the platforms? 

Nitika Goel: Yes, so it’s all via smart contract. You write a smart contract where you borrow money from the supposed dYdX contract, you execute some set of transactions, for example, you see an arbitrage opportunity like the price is higher on one protocol and it’s lower on the other. You perform those transactions. You’ve made some money out of the arbitrage.

So that’s what you keep and the rest is what you return back to the dYdX Protocol. So it’s all in the same transaction. In case you’re not able to make use of the arbitrage opportunity or circumstances have changed, somebody has front run your transaction, the transaction will fail. So basically, if you don’t return the money in the same transaction, the transaction will not go through at all.

Ish Goel: So, is it similar to leverage trading? Like when you take a leverage by having a small amount of money, but you take a high leverage, let’s say five X and then you put a buy all around some specific asset. So, is it similar to that? 

Nitika Goel: So, even leverage would require some collateral, and it is not subject that you have to return it immediately. Flash loans are a different concept because you are borrowing without a collateral and why is it possible to take a loan without the collateral, because you are bound to return in the same transaction. It’s Ethereum which is securing, you know, the smart contracts in Ethereum are securing this that if at all, you’re not able to return the money in the same transaction the transaction will go through.

So, that’s how it’s different from a regular margin trading or leverage or whatever you’re talking about. 

Ish Goel: But, how have they become so relevant today? Like everybody keeps talking about flash loans. We all know there was an attack back in Feb. Why are they so relevant today? 

Nitika Goel: Honestly, if we actually see the DeFi world, we can now see there’s an exponential growth in the amount of Ether being locked up in different protocols. The number of protocols has increased, the amount which is locked has increased. So now, firstly, you have liquidity in the market where you can borrow.

Ish Goel: Of course,

Nitika Goel: Then you have protocols which are enabling you to borrow. All of these did not exist sometime back. So you need somebody to, you know, give you the money to perform these flash loans, the different kinds of projects that we have now, they are making this possible and the recent attack on bZx, in February. So, it was like a huge amount of money, more than $300,000. So that’s the kind of, you know, opportunity that people can now see with flash loans. 

Ish Goel: So let’s talk about the bZx attack now I think we’re all interested to know what really happened. 

Nitika Goel: This is quite a complex one, so I’ll just take a shot at it. So, what happened was that, there’s a protocol called dYdX, which is a lending protocol and allows flash loans. So the attacker used dYdX to borrow 10,000 Ethers under a flash loan, so resulting that, at the end of the transaction, he had to return 10,000 Ether back to dYdX.

Nitika Goel: So, he wrote a piece of code, which triggered a transaction on the dYdX protocol and essentially… the first step was to borrow 10,000 worth of Ether.

Nitika Goel: Now, out of those 10,000, he took 5000 and put that as a collateral on Compound, which is another protocol for lending.

Ish Goel: Compound Finance, right?

Nitika Goel: So, and he borrowed 112 WBTC against those 5000 Ethers that he just deposited as collateral.

Ish Goel: The second step, out of the 10,000 Ethers that he took as a flash loan, 5000 were deposited as a collateral on compound finance against which he took 112 WBTC.

Nitika Goel: So now he has 112 WBTC at his disposal and 5000 Ether left. Now, out of the 5000 that are left, he took 1300 Ethers and he took a short position on bZx or Fulcrum basically, and that is where the trick happened. 

Ish Goel: Okay. 

Nitika Goel: So, when he took a short position, he took a five X leverage. So this was again, the Eth-WBTC pair. 

Nitika Goel: So he took a short position on Ether.

Ish Goel: So basically he said that, the price of WBTC is going to go up. So he took a five X leverage with 1300 Ethers which is again, a huge amount. 

And he said that Ether price is going to go down. WBTC will go up and he’s saying Ether is going down, okay.

Nitika Goel: Now, the bZx protocol is a huge amount of money, this resulted in actually a transaction where the bZx protocol sold 5637 Ethers. Five thousand six hundred and thirty seven Ethers for WBTC.

Ish Goel: The protocol sold it off.

Nitika Goel: Yeah, the protocol routed it via Kyber which again, internally routed it via Uniswap. So basically the exchange happened on Uniswap. This resulted, because there is less liquidity and the amount is high, so this led to price slippages and it resulted in the price of WBTC shooting up to three times. Now this guy had 112 WBTC, so he sold off his 112 WBTC at 3x the price. Now, all of this resulted in profits for him. He returned the 10,000 that he had borrowed from dYdX, and he closed his flash loan, overall resulting in $350,000 plus profits.

Ish Goel: For the attacker, this wasn’t exactly a direct profit on a…

so, essentially the entire amount ended up being a $350,000 worth of Ether. So guys now is the most interesting part of this episode, as I promised in the beginning, we had to talk about this whole confusion around flash loans. Whether they are actually attacks or should smart contracts be capable of handling flash loans?

Nitika Goel: The audience is divided here. So there are people like you said, who don’t think that this is an attack because, whatever the attacker did, eventually followed whatever was written in the smart contract, the smart contract was not built in a way to handle such huge amounts. So that was where the problem actually happened. 

There could have been mitigations and definitely, like in future people building such things are taking care of these things from day one, so basically did it do something which was not intended to do. 

Ish Goel: No. Not really.

Nitika Goel: There are arbitrage opportunities everywhere around in the system and there are protocols which actually depend on these.

So for example, when the attacker sold his WBTC, the price again fluctuated, right? Because now he’s selling such a huge amount of BTC into the system. And it was the arbitrage opportunity that people saw that balanced the price again. So protocols are also dependent on such arbitrage opportunities to balance the ecosystem.

I think the important thing is that the protocols, all of these lending or DeFi protocols that are coming up, should be made in such a way that they can handle such attacks. We cannot stop attacks, in fact, these will actually bring in more people to DeFi because it will attract more people.

Ish Goel: Yes. So, flash loan proof contracts should be the thinking of the developers. I think from an audit perspective, if you want to correlate, I think this is one of the big things that you also spoke to me about offline: smart contracts essentially, when we audit, we are looking at how they are handling flash loans.

And as you said, I think making sure that the smart contracts are flash loan proof is what is required. 

Nitika Goel: So the new protocols, they’re all interrelated. There’s not one protocol which will be performing its logic individually. We are dependent on other protocols for prices. We are dependent for trades that are X, Y, Z points of interaction between two protocols and the DeFi sphere. So, you know, things like these need to be taken care of.

Ish Goel: Cool guys, so that’s it from our fourth episode of the All About Smart Contract Audit Podcast Series, we had an excellent session on flash loans today. 

Thank you so much for watching this video. We’ll be back soon with our next video as well. 

If you are in this space, and if you are starting to write smart contracts or finishing up your DeFi product, now is the time to get ready for your audit.

So please get in touch with us. We are more than happy to talk you through how audits work and make sure that potentially we are able to work together. 

I’m going to ask Nitika to urge you to subscribe to our channel, so Nitika, do the honors. They are not listening to me, they’re watching our videos, but not subscribing to our channel. So go ahead and make your pitch.

Nitika Goel: Guys, please do subscribe to our channel, like and share this video and do leave your comments in the comment section below. 

Ish Goel: Thank you so much for watching. Bye bye now.
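The repay-or-revert mechanic Nitika describes, and the kind of “flash loan proof” guard the closing discussion asks for, as an added Python simulation written for this post (not code from dYdX, Aave, bZx or Somish). The fee, the 5% price-impact cap and the toy balances are constructed assumptions, and the pool is a simplified constant-product (x*y=k) model.

```python
import copy

FEE_BPS = 9  # hypothetical flash-loan fee of 0.09%, in basis points


class Reverted(Exception):
    """The transaction failed; every state change made inside it is discarded."""


class FlashLender:
    """Toy lender: `balances` is the only 'chain state' in this simulation."""

    def __init__(self, liquidity):
        self.balances = {"lender": liquidity}

    def flash_loan(self, borrower, amount, callback):
        snapshot = copy.deepcopy(self.balances)  # state at transaction start
        try:
            if amount > self.balances["lender"]:
                raise Reverted("insufficient liquidity")
            self.balances["lender"] -= amount
            self.balances[borrower] = self.balances.get(borrower, 0) + amount
            callback(self.balances)  # borrower runs arbitrary logic here
            fee = amount * FEE_BPS // 10_000
            if self.balances["lender"] < snapshot["lender"] + fee:
                raise Reverted("loan not repaid in the same transaction")
            return True
        except Reverted:
            self.balances = snapshot  # roll back, as the EVM does on revert
            return False


def price_impact(reserve_in, reserve_out, amount_in):
    """Fractional price move caused by selling amount_in into an x*y=k pool."""
    amount_out = reserve_out * amount_in / (reserve_in + amount_in)
    spot_before = reserve_out / reserve_in
    spot_after = (reserve_out - amount_out) / (reserve_in + amount_in)
    return 1 - spot_after / spot_before


def guarded_swap(reserve_in, reserve_out, amount_in, max_impact=0.05):
    """Refuse a swap that would move the pool price more than max_impact.

    A protocol that reads a thin pool's spot price as its oracle can apply a
    check like this so one oversized trade cannot reprice its collateral.
    """
    if price_impact(reserve_in, reserve_out, amount_in) > max_impact:
        raise Reverted("price impact above cap; possible manipulation")
    return reserve_out * amount_in / (reserve_in + amount_in)
```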
