Introduction to the flash loan pattern and its security considerations
Hello everyone,
A few weeks ago I gave a presentation discussing the “flash loan” pattern and some of its security considerations.
This is a powerful DeFi primitive and it is good to know how it works and what to watch out for when auditing implementations of this pattern.
We don’t discuss “macro” vulnerabilities (like the recent pump and dump “hack”) because those aren’t really intrinsic to the flash loan pattern – any whale or coalition of attackers can do the same thing. Here we discuss only the security considerations that are intrinsic to flash loans. (Perhaps we can do a separate presentation on “macro” DeFi vulns that are available to whales, coalitions, and flash borrowers.)
One important security consideration I didn’t mention in the video: It is important that when the flashloan function hands control over to the borrower, the Lending contract only ever calls the execute function on msg.sender.
If the borrower can make the Lending contract call any arbitrary function on any arbitrary contract during the flashloan, then they can (among other things) drain the Lending contract of all of its ERC20 tokens.
So always check that, during the flashloan function, the Lending contract only ever calls the execute function on msg.sender.
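The check described in the post above, as an added example that is not part of the original post or of any project's code: a pool whose flash loan lets the borrower choose the call target, beside one that only ever calls `execute` on `msg.sender`. The contract names, the `execute` signature and the single-token pool are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example: every name below is an illustrative assumption.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashBorrower {
    function execute(uint256 amount, bytes calldata data) external;
}

abstract contract LendingBase {
    IERC20 public immutable token; // fixed at deployment, not chosen by the borrower
    bool private locked;

    constructor(IERC20 token_) { token = token_; }
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }
}

// WEAK: the borrower supplies the call target and the calldata, so the pool
// itself becomes msg.sender for any function on any contract.
contract LendingWeak is LendingBase {
    constructor(IERC20 token_) LendingBase(token_) {}
    function flashLoan(uint256 amount, address target, bytes calldata data) external nonReentrant {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transfer(msg.sender, amount), "transfer failed");
        (bool ok, ) = target.call(data); // arbitrary call made as the pool
        require(ok, "callback failed");
        require(token.balanceOf(address(this)) >= balanceBefore, "not repaid");
    }
}

// HARDENED: the only call made while the loan is open is execute() on msg.sender.
contract LendingHardened is LendingBase {
    constructor(IERC20 token_) LendingBase(token_) {}
    function flashLoan(uint256 amount, bytes calldata data) external nonReentrant {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transfer(msg.sender, amount), "transfer failed");
        IFlashBorrower(msg.sender).execute(amount, data); // fixed target, fixed selector
        require(token.balanceOf(address(this)) >= balanceBefore, "not repaid");
    }
}
```

When auditing, note that the closing balance check only compares the pool's token balance before and after; it does not see other state a call made as the pool could have changed, which is why the callback target and selector have to be fixed as well.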
@Austin-Williams thanks a lot for the presentation. Great stuff!
Could you please help clarify how the borrower could drain the Lending contract of all of its ERC20 tokens, if the Lending contract can call any arbitrary function on any arbitrary contract during the flashloan?