Attacking the DeFi ecosystem with flash loans for fun and profit (2020) (palkeo.com)
153 points by lawrenceyan on Jan 16, 2021 | 116 comments



The originally submitted paper is here: https://arxiv.org/abs/2003.03810.


Flash loans are a great example of how blockchains enable new types of financial transactions that either aren't possible or are very difficult to do in a traditional financial setting.

If you identify an arbitrage opportunity in the market, you can atomically borrow a large sum of money to take advantage of the price difference. You also have the added assurance that if the arbitrage opportunity goes away before you can take advantage of it, the entire transaction fails and you only lose the Ethereum transaction fee. It's essentially risk-free arbitrage.

This paper [1] dives into detail about how these arbitrage mechanics play out on the blockchain, and how both arbitrageurs and miners manipulate transactions in order to make a profit.

[1] https://arxiv.org/abs/1904.05234


But the only legitimate use of a flash loan is to do some arbitrage - and there’s plenty of that in existing financial systems. All the other uses are for leveraging up theft and manipulation of markets. Well done cryptocurrencies, you’ve made a new cesspool of villainy!

Anyway, it’s not clear to me why flash loan providers are still a thing, as they seem to be open to a second layer of abuse: transaction copying / sniping:

All flash loan borrowing transactions are profitable (otherwise they wouldn’t be able to pay back the loan) - but why let the originator of the transaction keep that profit? What a sensible attacker should do is: 1) watch for flash loan transactions to be submitted by someone, then 2) quickly submit a duplicate transaction with a larger fee, but change the destination wallets to your own. That way, you get all the proceeds of a theft, and not just the loan interest rate.

Given this possibility, flash loan pools could be considered as ‘bait’ or a trap for the unwary thief...


> But the only legitimate use of a flash loan is to do some arbitrage - and there’s plenty of that in existing financial systems.

There are two main differences:

1) The atomic nature of a flash loan makes flash loan arbitrage much less risky than performing arbitrage traditionally. Doing the same type of arbitrage non-atomically may mean that you miss the arbitrage opportunity, resulting in a loss from having to pay back the loan you took out plus interest without having made any money with it.

2) Because the debt must be repaid in the same transaction, the loan is uncollateralized. As far as I know, one cannot borrow millions of dollars in the traditional financial system without putting up some kind of collateral.

> What a sensible attacker should do is: 1) watch for flash loan transactions to be submitted by someone, then 2) quickly submit a duplicate transaction with a larger fee, but change the destination wallets to your own.

This has been observed on the blockchain in practice. The paper I linked to describes the mechanics of how this plays out and what strategies competing arbitrageurs use to win these opportunities.


Here's a story about that (it's called "frontrunning"): https://medium.com/@danrobinson/ethereum-is-a-dark-forest-ec...


Flash loans can totally be (and are) attacked like you describe. In fact much of DeFi can be frontrun. Most commonly it’s large trades to AMMs, where the original buyer ends up getting significantly more slippage than they expected.

The future is likely private smart contracts like Secret (https://scrt.network/) in which the contract’s internal state and the function calls are entirely obscured using sMPC or by leveraging SGX enclaves. This makes it impossible to frontrun in most cases.

Whether an unauditable financial system is a good thing or bad thing is still up for debate.


I'm late to this thread, but this is incorrect. Flash loans are used for many things other than arbitrage/attacks. 2 examples include the ability to swap collateral/debt and the ability to migrate assets between defi protocols (migrate from aave v1 to aave v2 etc). Many of Defisaver's and Instadapp's features are powered by flash loans.


Wouldn't a lender charge money for what is essentially an option to borrow contingent on the arbitrage transaction going through?


Per other responses, they frequently do charge a special fee (I think Aave charged around 0.09% at one point but can't find good ref right now).

One interesting thing I think is still under dev/consideration is adding the ability for MakerDAO to make "flash mint loans" (https://forum.makerdao.com/t/mip25-flash-mint-module/4400/9) -- essentially a flash loan where the caller can mint an arbitrary amount of DAI without having to back it with anything, so long as they pay it back + fee at the end.

There's a similar idea being worked out for WETH10 (https://github.com/WETH10/WETH10#flash-loans), a project trying to make a feature update of the WETH (wrapped ether) token.

I'm honestly unsure WTH the impact of something like these would be, but would definitely prevent arbitrage from going too far out of bounds, since there would always be unlimited liquidity.

Multi-party atomic financial transactions are kinda insane.


So someone else starts a lender to charge slightly less. The race to the bottom happens very quickly.


I don't think it makes sense to handwave the cost of an option to borrow to 0 in a scenario where arbitrage is assumed to still exist. If anything is going to become perfectly efficient first it's the arbitrage ("free money!").


Feeless flash loans exist: https://money-legos.studydefi.com/#/dydx

Aave is 0.09%: https://aave.com/flash-loans/

It is also an important part of uniswap: https://uniswap.org/docs/v2/core-concepts/flash-swaps/

Any fees on a flash loan will disincentivize closing arbitrage positions to that fee amount.


This seems too good to be true. From https://money-legos.studydefi.com/#/dydx :

    Borrow x amount of tokens. (Withdraw)
    Call a function (i.e. Logic to handle flashloaned funds). (Call)
    Deposit back x (+2 wei) amount of tokens. (Deposit)

It looks like unlimited leverage for a flat fee.


This article [1] does a deep dive into how flash loan mechanics are structured using an actual Ethereum transaction as an example. This particular flash loan used dYdX, Uniswap, Aave, and Curve.fi.

Because of the atomicity of the transaction, there's no way to default on the loan. If you can't pay it back, you're never loaned the money in the first place.

[1] https://medium.com/@kentmakishima/the-43k-defi-magic-trick-f...


In general the fee on a loan is based on two things: risk of default, and the time-value of money. It’s possible for the former to be zero, but lenders are losing money if they set the latter to zero.

Basically if you put $1000 of capital into the pot for making flash loans, then you are foregoing the X% / year that you could earn on interest, i.e. you are losing money.

It’s entirely possible that platforms are running these flash loans as a loss leader to drive adoption, but in a mature market and at scale, you’d expect there to be a small fee.

(Or just that the success-case fee covers the loss in the failure case, but that would break if the % of failed txns increased, so might not be a stable equilibrium.)


The time-value still comes into play in the form of eth transaction fee. If you're flash loaning to take advantage of an open arbitrage opportunity there will be other parties trying to take advantage of it, so you will pay more to get your transaction in before theirs.

For a lot of transactions like this it's actually miners who can detect and rewrite these transactions to take advantage of the arbitrage opportunities first; for this reason this cost is called "miner extractable value" or MEV.

However, note this fee doesn't accrue to the lender!


> Basically if you put $1000 of capital into the pot for making flash loans, then you are foregoing the X% / year that you could earn on interest, i.e. you are losing money.

The funds aren't foregoing interest in all cases though. Ex: uniswap, curve, etc all require assets to be deposited, and pay depositors trading fees. These protocols could generate additional income by providing assets for flash loans without affecting the income received for acting as an amm.


I see, good point. If the deposits are there already then it’s no loss to put them to work like this.


What I struggle to understand is why the capital can be used with no fee (dydx - 2 wei). Why would someone contribute to such a pool that pays no interest as opposed to staking or lending somewhere else?


No, blockchains are not the future, they are really the reason why one transaction can happen at a time in the whole world. Even Ethereum 2.0 will have shards which will do away with this anomaly. The only reason flash loans even work with no collateral is because you can be sure nothing else is running on the “world computer” while your transaction runs, so you can roll it back with no risk except gas fees.

Vitalik himself acknowledges this, the guy is quite honest and straightforward about its limitations: https://thenextweb.com/hardfork/2019/08/19/vitalik-buterin-e...

Vitalik Buterin: Using Ethereum is expensive, and its blockchain is ‘almost full’

He also said blockchain's 'problem' is that every computer verifies every transaction

Actually blockchains are a first-generation technology that do global consensus for every block, which literally means all transactions in the world must go through one computer in the world (the miner) although it’s a different one each time. And the situation is actually worse, since you don’t know who would mine the next block in advance, every transaction must be sent to every potential miner! Imagine if BitTorrent had every computer store and seed every movie instead of using DHT.

The ability to send or loan arbitrarily large amounts for a fixed fee is a symptom of centralization. In a fully distributed network, transaction fees would have to be proportional to transaction size!

Almost every other protocol on the Internet does not have such bottlenecks in its design. No one asks how many emails or websites can be served per second. Blockchain is trying to secure every transaction using the entire network! That is why so much electricity is wasted just to do 7 transactions per second.

The next generation of crypto will actually be able to power payments using embarrassingly parallel architecture. Until then, we have blockchain.

Ethereum is nicknamed the “world computer” for a reason. Gas fees are super high for small transactions like paying for coffee or voting in a secure election. Just one app, CryptoKitties, can clog up the entire network.

We built Intercoin apps on top of Ethereum (https://intercoin.org/applications) but we are not going to wait around for Ethereum 2.0 - which is blockchain also. Kik Messenger and others have long gotten off.


Sharding is simply not ready; as far as I know, no project currently with smart contracts has a non-blockchain structure.

That said currently ethereum has many L2 solutions (https://ethereum.org/en/developers/docs/layer-2-scaling/) that "run in parallel" and result in low gas fees.

So far I've not seen any hint of an "embarrassingly parallel architecture" that can satisfy the safety requirements that a blockchain also does and run smart contracts. I'd be happy to read up if you can point me to any research or projects that I've missed.


I wonder what are your thoughts on Avalanche (https://www.avalabs.org). They claim to offer throughput of 4500 TPS and smart contracts with EVM compatibility. Make sure to check the whitepaper for the protocol consensus, it's supposedly a novel thing and there are some knowledgeable people behind it.


In my opinion all these other projects are just getting attention because Ethereum is struggling with throughput right now. Once ETH2 is released, or even before that with L2, all these other projects will become pointless.

Ethereum has so much network effect that these other projects need to actually pay people to use them over Ethereum. Not to mention they're also more centralized.


I agree to some point. Though, Ethereum doesn't have time to wait for Eth2 imo as it will take years before it's fully released. So it will have to rely on l2 scaling until then.

A lot of other platform projects are providing bridges which makes it possible to use those projects as some sort of an L2 for ethereum. If a lot of dapps start migrating to those instead of to native L2 solutions it can get ugly.


L2 is already rolling out. They're currently doing progressive rollout starting with synthetix.


Will definitely check it out! This space is really home to many interesting projects (including our own) to have alternative architectures. The trick is how to remain compatible with EVM since most of the developers targeted it.


You can start here: https://forum.intercoin.org/t/overview-and-implications-of-i...

However, the actual technical research paper with rigorous mathematical proofs is still going through peer review, but if you email me I am happy to share it with you.


What do you think of David Chaum's xx? Each transaction only sent to end charged by a random pool of 5 nodes that reshuffles every 10 seconds. Throughput scales linearly with network size.


Yes, it is a good step forward.

Really, what you need is a distributed hash table (like MaidSAFE), or randomness beacons (like Algorand) to select a subset of the network. This paper shows mathematically that the probability of a double-spend goes down exponentially with the number of notaries, and having the entire network secure every transaction, no matter the size, is wayyyy overkill:

https://arxiv.org/pdf/0802.0832v1.pdf


So in other words you're shitting on Ethereum as a reason to shill your own coin since there'd be no reason for your coin unless you make people believe Ethereum is garbage? Ethereum is moving to proof of stake and there's also L2 networks. There, problem solved.


Yeah, I am saying global blockchains are a first generation technology. Sorry it hurts your feelings. I would like to also “shill” MaidSAFE and Solana:

http://maidsafe.net/

https://solana.com/

If you don’t like ME saying it — here is VITALIK HIMSELF saying it, the guy is quite honest and straightforward about its limitations: https://thenextweb.com/hardfork/2019/08/19/vitalik-buterin-e...

Vitalik Buterin: Using Ethereum is expensive, and its blockchain is ‘almost full’

He also said blockchain's 'problem' is that every computer verifies every transaction

Actually Ethereum 2.0 should be “fast enough” for many applications. It’s still going to be doing a global consensus, but at least it will be able to handle actual real world usage - people paying for coffee, let’s say, or voting in elections.

In fact, a major reason that so many ICOs from 2017 were considered scams is that the tokens could not actually be used for their intended purpose. Teams like Kik Messenger discovered this early on and moved away:

https://medium.com/kinblog/kin-pushing-ahead-next-steps-on-t...


Big question. Why would I want to pay capital gains taxes on my coffee?


I don't think anybody wants to pay capital gains taxes when purchasing things with cryptocurrencies. Fortunately there are countries with a sane tax policy regarding cryptocurrencies where you don't pay taxes on cryptocurrencies, such as Portugal [0]. Maybe Americans should be pressuring their government for changes to the laws so cryptocurrencies can be useful for payments like they were originally intended?

[0] https://www.forbes.com/sites/kellyphillipserb/2019/09/19/por...


> The only reason flash loans even work with no collateral is because you can be sure nothing else is running on the “world computer” while your transaction runs, so you can roll it back with no risk except gas fees.

The more important reason flash loans work on Ethereum is that Ethereum runs programmatic contracts that can take the output of a function call from a different contract as their input. This is something that doesn't exist outside of the world of smart/programmatic contracts.

The blockchain just provides the immutable ordering of transactions and credible neutrality of access-control needed for the state of programmatic contracts to accrue value.


Even if there can be parallel computation a flash loan can still occur. The concept is borrowing a huge sum of money for a split second to take instant advantage of an opportunity. This can happen outside of a single threaded VM model.


Well, yes but only if all the smart contracts that are being called are on the same shard. Ideally under Ethereum 2.0 these assumptions will disappear. In fact Ethereum 2.0 should be “fast enough” for most applications.


> The next generation of crypto will actually be able to power payments using embarrassingly parallel architecture.

Been hearing that for years. Anyone yet have anything running that allows a digital currency to scale without being vulnerable to the attacks Bitcoin can resist?


Nano is the only currency that is capable of hundreds of transactions in a second without fees, and runs in a trustless and decentralized mode (https://nano.org)

For the time being, no one has found vulnerabilities in it.


Not that I know of. From the mainstream ones, Ripple and Stellar come the closest. MaidSAFE has been in development since 2006 and is launching soon.

What can I say, the first generation of any technology is laughably inadequate as a replacement for what came before. That is why for example hardly anyone uses Bitcoin in everyday transactions and why we still don’t use technology to secure voting, but that will change. As an aside, I don’t think blockchain is the best technology for voting but it’s the buzzword that people understand:

https://www.coindesk.com/in-defense-of-blockchain-voting


Literally nobody thinks Blockchain is good for voting.


It's not good, on the other hand it can easily be better than the monstrous only-working-by-accident software some government contractors can come up with.



I don't think you understand why we use blockchains.


Please explain. Perhaps I am missing something. The main reasons seem to be trustless security and immutability.


Check out avax (avalanche) for your dapp. It actually scales in a decentralized manner unlike most of the other "ethereum killers".


Sharding is a dead end. Zero knowledge rollups solve most of the scalability problems without compromising security.


Wow this sounds like a great way to make a lot of risk free money very quickly. How do you scale the identification of arbitrage opportunities?


The Flash Boys 2.0 paper I linked to in my original comment provides some detail as to how these opportunities are identified and exploited by competing arbitrageurs.


Personally I found this article much clearer than the paper: https://www.palkeo.com/en/projets/ethereum/bzx.html

You can actually follow the money yourself:

https://etherscan.io/address/0x148426fdc4c8a51b96b4bed827907...

https://etherscan.io/address/0xb8C6Ad5fE7CB6cC72F2C4196dca11...

It looks like neither attacker was able to cash out, but the second attacker is moving his funds around even to this day.


Ok, we've changed the URL to that from https://arxiv.org/abs/2003.03810. Thanks!


I disagree with your choice to change the URL. The paper is far more comprehensive in its analysis.


Ok, I've pinned a link to the paper as the top comment so most people will see both.


That reads like an analysis of some big event in Eve Online.

Fascinating but I obviously have no understanding of either.


Smart contracts are basically code that can execute and directly interact with cryptocurrency and crypto-tokens. This code is executed atomically; every block; and the entire namespace of Ethereum is callable allowing you to pull together any other contracts or platforms.


> It looks like neither attacker was able to cash out,

What makes you say that?

If they wanted to, they could simply send the funds back to Tornado Cash, which is basically Zcash-running-on-Ethereum-EVM. The seed funds to run the attack came out of Tornado Cash. It's liquid enough to handle a deposit this size, although it probably wasn't liquid enough back in May.


Thank you, this is a much better place to read about the attack and the bugs in the contracts which allowed it to be pulled off.


EDIT: The article linked by qqii [1] is much better and actually answers all these questions. In short, the smart contracts to allow the loan and to allow the 5x leverage position were totally buggy.

[1] - https://news.ycombinator.com/item?id=25806183

I used to do some work on Bitcoin, but this all reads like some Cirque du Soleil fever dream.

These market making smart contracts will trade at 50% swings within a single block?

> The core of this trade utilises a margin trade on a DEX (bZx) to increase the price of WBTC/ETH on another DEX (Uniswap) and thus creates an arbitrage opportunity. The trader then borrows WBTC using ETH as collateral (on Compound), and then purchases ETH at a “cheaper” price on the distorted (Uniswap) DEX market. To maximise the profit, the adversary then converts the “cheap” ETH to purchase WBTC at a non-manipulated market price over a period of two days after the flash loan.

So we start with a flash loan of ETH, go through two smart contracts to end up holding 112 “WBTC” against their borrowed 5,500 ETH.

> In step 4, the trader opens a short position for ETH against WBTC (on bZx), with a 5× leverage.

I’m having trouble parsing this sentence. What exactly does this mean?

> Upon receiving this request, bZx transacts 5,637.62 ETH on an exchange (Uniswap) for only 51.35 WBTC (at 109.79 ETH/WBTC).

What does ‘transacts’ mean in this sentence? And bZx is offering an anonymous trader 5x leverage... based on what?

I think they are selling ETH to buy WBTC which blows out the order book and ends up crashing the price of ETH from 30ETH/WBTC to 100ETH/WBTC?

> Note that at the start of block 9484688, Uniswap has a total supply of 2,817.77 ETH and 77.09 WBTC (at 36.55 ETH/WBTC).

I’m not sure why the total supply on Uniswap of each token is expressed as a price?

The trader then converts 112.00 WBTC to 6,871.41 ETH at 61.35 ETH/WBTC on Uniswap. Recall they started off by getting 112 WBTC for 5,500 ETH.

> In step 6 the trader pays back the loan, paying a 1×10^11 Wei fee. Note that dYdX only requires a fee of 1 Wei.

No idea what Wei are or what the significance is of why they would pay 100 billion of them instead of 1, where they come from or how they are accounted for in the profitability.

> After the flash loan transaction (i.e. the first part of this pump and arbitrage trade), the trader gained 71.41 ETH...

Wait, I thought they had netted ~1,209 ETH, where does this 71.41 come from?

> ...and has an over-collateralized loan of 5,500 ETH for 112 WBTC (49.10 ETH/WBTC).

What happened to the 5x leveraged short position?

And how in the world did they coordinate all of these separate and interlinked orders to execute in multiple transactions all in the same block in an atomic fashion?

Anyway, in the end they need to give back the WBTC by buying WBTC with the ETH they netted;

> In total, the adversarial trader exchanged 4,377.72 ETH for 112 WBTC (at 39.08 ETH/WBTC) to redeem 5,500.00 ETH. (over the following two days)

Look... whatever people are out there building on these networks, this is just bizarre.


Yeah the paper is surprisingly difficult to follow. I had a much easier time with this article (https://www.palkeo.com/en/projets/ethereum/bzx.html) and just following the call stack for details.


Full disclosure: we're building a protocol for better decentralised markets, which is not susceptible to this kind of exploitation [1].

The thing where the “market” smart contract will just take the money and blindly trade at ever more ridiculous prices (because it’s just two pools of assets and a dumb formula) is crazy. I don’t expect it to last too long in the wild (at least at any scale, obviously some smart contracts that exist now will technically be around forever) or make it into many real world uses of the tech.

Well functioning markets have protection against extreme price moves, including flash crashes, whether caused by flash loans or other algorithms.

It might even turn out that good decentralised markets end up being resistant to atomically chaining trading transactions with other actions generally.

[1] An example of this in action can be seen here: https://twitter.com/RudolphTamlyn/status/1349719025933291520


I find it helpful to look up the definitions of terms I'm not familiar with.

Anyhow, wei are a unit of gas, since you usually pay for gas in ETH you can just think of it as paying small amounts of ETH.

For the Uniswap price question, just look up the formula.

Leverage is provided presumably against some collateral.

You chain contract calls to make them execute in the same block. It's more of a side effect of how time works when dealing with blocks rather than something you have to try hard to do.
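
The Uniswap figures quoted in this subthread can be reproduced from the constant-product formula. The following is an added example, not code from the thread, the paper or Uniswap; it assumes a 0.3% fee taken on the input amount, and `guarded_swap` with its `max_impact` bound is a hypothetical caller-side check.

```python
"""Constant-product (x * y = k) swap maths using the reserves quoted in the thread."""
from decimal import Decimal, getcontext

getcontext().prec = 40

FEE = Decimal("0.003")  # assumption: 0.3% fee charged on the input amount

# Figures quoted in the thread for the start of block 9484688.
RESERVE_ETH = Decimal("2817.77")
RESERVE_WBTC = Decimal("77.09")
TRADE_ETH = Decimal("5637.62")  # amount bZx sold into the pool


class PriceImpactTooHigh(Exception):
    """Raised by the hypothetical guard when a trade moves the price too far."""


def spot_price(reserve_in, reserve_out):
    """Marginal price before any trade, in input units per output unit."""
    return reserve_in / reserve_out


def amount_out(amount_in, reserve_in, reserve_out, fee=FEE):
    """Output tokens received for amount_in, keeping reserve_in * reserve_out constant."""
    effective_in = amount_in * (1 - fee)
    return effective_in * reserve_out / (reserve_in + effective_in)


def price_impact(amount_in, reserve_in, reserve_out, fee=FEE):
    """Relative gap between the executed price and the pre-trade spot price."""
    executed = amount_in / amount_out(amount_in, reserve_in, reserve_out, fee)
    return executed / spot_price(reserve_in, reserve_out) - 1


def guarded_swap(amount_in, reserve_in, reserve_out, max_impact):
    """Hypothetical guard: refuse trades whose price impact exceeds max_impact."""
    impact = price_impact(amount_in, reserve_in, reserve_out)
    if impact > max_impact:
        raise PriceImpactTooHigh(f"impact {impact:.2%} exceeds limit {max_impact:.2%}")
    return amount_out(amount_in, reserve_in, reserve_out)


if __name__ == "__main__":
    out = amount_out(TRADE_ETH, RESERVE_ETH, RESERVE_WBTC)
    print("spot price    :", round(spot_price(RESERVE_ETH, RESERVE_WBTC), 2), "ETH/WBTC")
    print("WBTC received :", round(out, 2))
    print("executed price:", round(TRADE_ETH / out, 2), "ETH/WBTC")
    print("price impact  :", f"{price_impact(TRADE_ETH, RESERVE_ETH, RESERVE_WBTC):.0%}")
    try:
        guarded_swap(TRADE_ETH, RESERVE_ETH, RESERVE_WBTC, Decimal("0.01"))
    except PriceImpactTooHigh as exc:
        print("guard rejected:", exc)
```

The pool holds only 2,817.77 ETH, so selling twice that amount into it is what moves the executed price to roughly three times the spot price; a 10 ETH trade against the same reserves moves it by well under 1%.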


Ok, we've changed the URL from https://arxiv.org/abs/2003.03810 to that article. Thanks!


The other "fun" thing that people are getting into now is front running transactions in the mempool. This is giving rise to a poorly named term, MEV (miner extractable value). The concept of doing arb on that is fascinating and we will start to see projects offering private mempools to prevent this, more and more in 2021.


KeeperDAO [1] is one project that's aiming to tackle this. Their whitepaper is here [2].

[1] https://keeperdao.com/

[2] https://github.com/keeperdao/whitepaper/blob/main/whitepaper...


This is security through obscurity and more similar to the blind auction mechanism that the MEV-geth team is working on.

This does not prevent a large miner from watching the mempool and picking the right transaction order that they want.

It also will only protect the very small number of people who are using keeperdao. It is a very nice try, but I don't think it'll go very far.


That won't really be necessary once EIP-1559 is released which is expected in Q2/Q3 of this year.


Sorry, 1559 won't solve this problem.


Doesn't it set the network fee?


It sets a base fee. It does not prevent a miner from forming their own blocks with whatever transactions they want and in whatever order they want.

Disclosure: very large scale miner working on this exact problem space


Would staking resolve that?


No: MEV is often far greater than the network fee. A miner now having to pay $13 to make $2000 isn’t going to be deterred by having to pay $13.


Assuming we have a miner intelligent enough to detect all arbitrage transactions. What prevents the miner from paying $2000 for the transaction? I'm asking because that would mean "MEV" would always be 100% of the arbitrage opportunity.


Miners don't have to pay anything other than capex/opex for transactions, if they can mine their own transactions. Most cannot.

Also remember, the cost of ETH to a large miner is significantly lower than market price (hence mining instead of buying).


Front-running has nothing to do with gas fees


If you guys are interested in Flashloans, I have many videos about them on my youtube channel EatTheBlocks: https://youtu.be/03jO9vbrXvY

As well as a course to teach how to build an arbitrage bot using flashloans: https://eattheblocks-pro.teachable.com/p/profitable-flashloa...

(just to be clear I am not selling a magical money making machine, what you will learn is the process of building an arbitrage bot, and you will still need to do some work to make some profits)


The easiest way to mitigate this is to require two-phase commits on any transaction above X% of the pool.

A flash loan requires that the funds be returned before the end of a transaction. If removing funds is a two-step process, then by definition you can’t attack it with a flash loan.

Of course there’s always the possibility of someone with that much capital to stake attacking. But the number of participants with $50 million in funds lying around is a lot less than the number with $0. It drastically shrinks the attack surface.
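
A toy model of the two-phase mitigation described in the comment above, as an added example that is not part of the original post and not any protocol's code. `Pool`, `Chain`, `act` and the other names are hypothetical, the flash loan is modelled with zero fee, and atomicity is simulated by snapshotting state and restoring it on revert.

```python
"""Two-phase withdrawals versus a same-transaction flash loan (constructed model)."""
import copy


class Revert(Exception):
    """Aborts the current transaction; every state change in it is undone."""


class Pool:
    def __init__(self, seed, two_phase_above):
        self.balances = {"lp": seed}
        self.two_phase_above = two_phase_above  # fraction of pool; None disables the rule
        self.pending = {}                       # who -> (amount, block of request)
        self.weight_used = 0.0                  # share seen by the last sensitive action

    @property
    def total(self):
        return sum(self.balances.values())

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def act(self, who):
        """Sensitive action (for example a vote) weighted by current pool share."""
        self.weight_used = self.balances.get(who, 0) / self.total

    def request_withdraw(self, who, amount, block):
        self.pending[who] = (amount, block)

    def withdraw(self, who, amount, block):
        if self.balances.get(who, 0) < amount:
            raise Revert("insufficient balance")
        limit = self.two_phase_above
        if limit is not None and amount > limit * self.total:
            req = self.pending.get(who)
            # Phase two is only valid in a block after the recorded request.
            if req is None or req[0] != amount or block <= req[1]:
                raise Revert("large withdrawal needs a request from an earlier block")
            del self.pending[who]
        self.balances[who] -= amount
        return amount


class Chain:
    def __init__(self, pool):
        self.block = 1
        self.lender = 1_000_000  # flash-loan liquidity
        self.pool = pool

    def transact(self, fn):
        """Run fn atomically: on Revert, restore the snapshot and report failure."""
        saved = copy.deepcopy((self.lender, self.pool))
        try:
            fn(self)
            return True
        except Revert:
            self.lender, self.pool = saved
            return False

    def flash_loan(self, amount, callback):
        if amount > self.lender:
            raise Revert("not enough liquidity")
        self.lender -= amount
        repaid = callback(self, amount)
        if repaid < amount:
            raise Revert("loan not repaid")
        self.lender += repaid


def borrowed_weight(chain, amount):
    """Deposit borrowed funds, act with the borrowed weight, withdraw, repay."""
    chain.pool.deposit("borrower", amount)
    chain.pool.act("borrower")
    chain.pool.request_withdraw("borrower", amount, chain.block)  # same block
    return chain.pool.withdraw("borrower", amount, chain.block)


def run_flash(two_phase_above):
    chain = Chain(Pool(seed=100_000, two_phase_above=two_phase_above))
    ok = chain.transact(lambda c: c.flash_loan(900_000, borrowed_weight))
    return ok, chain.pool.weight_used, chain.lender


def run_own_capital():
    """A staker with real funds can still exit, one block after requesting."""
    chain = Chain(Pool(seed=100_000, two_phase_above=0.10))
    chain.transact(lambda c: c.pool.deposit("staker", 50_000))
    chain.transact(lambda c: c.pool.request_withdraw("staker", 50_000, c.block))
    same_block = chain.transact(lambda c: c.pool.withdraw("staker", 50_000, c.block))
    chain.block += 1
    next_block = chain.transact(lambda c: c.pool.withdraw("staker", 50_000, c.block))
    return same_block, next_block


if __name__ == "__main__":
    print("single-phase pool:", run_flash(None))
    print("two-phase pool   :", run_flash(0.10))
    print("own capital      :", run_own_capital())
```

With the rule disabled the borrowed 90% share is used and the loan is repaid in one transaction; with it enabled the withdrawal reverts, which rolls back the deposit and the action along with it.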


Maker had to do a similar two-phase mitigation after a flash loan was used to borrow enough MKR token to change the result of a governance vote. [1]

[1] https://forum.makerdao.com/t/urgent-flash-loans-and-securing...


Just what we need: even more financial instability.


the problem with defi hacks, from the perspective of the hacker, is you get a bunch of eth, which is a lot harder to hide and launder than BTC. As the saying goes, in crypto, your wallet is the bug bounty.


I think you are a few years behind the current state of the ecosystem. You can easily go from Eth -> renBTC (on Ethereum) -> BTC (on Bitcoin chain). None of those steps require KYC/AML or any kind of registration. You can move 100s of millions of dollars that way with very minimal slippage or fees.

It is very easy these days to go between Eth <-> BTC without any KYC/AML.


Do you really have to launder them? I mean, you do as the smart contract says, it might not even be illegal.


In most cases yes, at some point the attacker will want to turn his tokens into cash and at that point he is at the mercy of centralised services who get to decide.

Here's an old computerphile video: https://youtu.be/UlLN0QERWBs

Etherscan provides such a service for ethereum: https://info.etherscan.com/ethprotect/

As long as there are enough centralised services with enough volume that agree such tokens are tainted the decision is effectively made for the entire ecosystem.


Just turn it into Monero or Zcash and take out via crypto ATM.


Legally, intent matters, a contract is above all "a meeting of minds", and the technical nuances of what exactly the smart contract says only matter if it helps to establish what exactly that intent was - if the contract result clearly does not match the intent (or if the intent is invalid e.g. the contract was written with an intent to deceive) then what the contract says can/should be overridden.

Just as in real life getting someone to sign on the dotted line with the intent to cheat them is fraud that can invalidate the contractual obligation, technical exploitation of a smart contract is the same. As you say, it might not even be illegal, details matter, but it might also well be a felony.


Everybody thinks "we don't need laws, we let the smart contracts handle it" until their smart contract is exploited and their funds "robbed."


Have any of the smart contract exploits actually been litigated in court, even if unsuccessfully?


I don't think "everybody thinks" that. Smart contracts just give you an alternative set of risks which might be more useful in certain circumstances. They are also not immune to having legal consequences either.


Fairly straightforward in Ethereum to break an audit trail via services like tornado.cash etc.


The biggest problem wouldn't be breaking the chain but the final step of cashing out. A regular exchange requires KYC for large amounts. Although P2P Crypto/Cash exchanges exist (local{bitcoins, monero}) most simply don't have the volume and still leave the question of where the money came from.


Why is it harder to launder eth? You can just exchange them to monero on a non KYC exchange.


KYC exchanges don't really exist anymore because they were abused in 2017 and thus either forced to close or comply with regulation (such as the wannacry ransomware virus, in which the criminals laundered their BTC into monero on shapeshift, which at the time had no KYC). Second, cross-chain exchanges may not be possible in a fully trustless manner.


wrong and wrong of course.

Shapeshift just DROPPED its KYC.

https://erikvoorhees.medium.com/no-more-kyc-with-shapeshift-...

>Second, cross-chain exchanges may not be possible in a fully trustless manner.

Monero <-> Bitcoin atomic swaps (codename: farcaster) are coming later this year. In the meantime, you can use Bisq.


read the whole thing. KYC only dropped for ERC 20 transactions, which uniswap already does and is not the same as a cross-chain transaction. The ability to exchange erc 20 tokens is native to Ethereum.


expect them to drop KYC for other transactions as soon as the technology becomes available to do so


It's not harder. This person doesn't really know what they're talking about.


Even easier than that. You just send the funds through tornado.cash.


> the problem with defi hacks, from the perspective of the hacker, is you get a bunch of eth, which is a lot harder to hide and launder than BTC.

Actually it's quite easy with something like tornado.cash.


It's more of an exploit than a hack; each smart contract by itself worked as intended, but the system as a whole could be exploited.


Bitcoin does not have tornado.cash


Why would it be harder to launder? The average bitcoin transaction is up to 17 USD, even combining addresses or tumbling is going to eat into your balance.


eth uses an accounts model instead of the UTXO model for transactions. This makes it much, much easier to trace payment flows.


Fairly sure that's not true. The two are equivalent, one is easier for humans to reason about but for a computer they're isomorphic (I assert).


Ethereum is like a real world PVP system fought with real money. And I wouldn't have it any other way.


Ethereum is an astoundingly interesting sandbox for blockchain projects and smart contract experimentation.

How it ever got moved to prod is beyond me.


The incentives are much greater to both create useful smart contracts and exploit them when there is real money on the line.


And the incentives to let lay-people in on how the game works are much less!


What would a “production ready” system for blockchain projects and smart contracts look like to you?


Not the parent poster, but as a programmer I think it was an oversight to not formally define the VM. To me, this seems like a poor foundation to build resilient applications on top of.

EDIT: And when I mean formally define, I mean something that is machine-checkable so implementations would have a conformance suite.


Got it, thanks for the reply. Are you familiar at all with Cardano / IOHK's IELE?

I get the impression from their documentation (https://developers.cardano.org/en/virtual-machines/iele/abou...) that it's intended to address that, but I'm no expert in this area.

I actually hadn't considered this issue at all until you mentioned it, but was aware that one of Cardano's selling points is a focus on verifiability (e.g. via their Haskell-based Plutus language for smart contracts), and came across this IELE after a quick search through their materials.


Why not just use the nvm or the beam vm? I am not well versed enough to know why this new vm is necessary or sufficient to the task


Blockchain transactions need to be deterministic.

WASM couldn't be ported over to Ethereum because it isn't, so eWASM is being developed as the deterministic subset of WASM, for possible use in Ethereum.


It's more like a PvE system


this stuff is all stupid.


I don't understand why only scam projects succeed in the crypto space. It seems like investors are intentionally choosing projects that are scams, which are inefficient, which are lying about their features...

Honest projects which actually deliver are ignored completely.


Human nature


Do these wealthy investors look at a project and consciously think "This will make a great scam, I'm going to invest!"... Or they think it's a legitimate project and the scam aspect only appeals to them at a subconscious level?


Defi is an unfortunate name. I thought this article was referring to the Defi Solutions loan software.

https://defisolutions.com/



