Introduction to the Flash Loan Pattern and its security considerations

Hello everyone,

A few weeks ago I gave a presentation discussing the “flash loan” pattern and some of its security considerations.

This is a powerful DeFi primitive and it is good to know how it works and what to watch out for when auditing implementations of this pattern.

We don’t discuss “macro” vulnerabilities (like the recent pump and dump “hack”) because those aren’t really intrinsic to the flash loan pattern – any whale or coalition of attackers can do the same thing. Here we discuss only the security considerations that are intrinsic to flash loans. (Perhaps we can do a separate presentation on “macro” DeFi vulns that are available to whales, coalitions, and flash borrowers.)

A recording of the presentation can be found here:
The Flash Loan Pattern - Presentation video

And the slides can be found here:

8 Likes

One important security consideration I didn’t mention in the video: It is important that when the flashloan function hands control over to the borrower, the Lending contract only ever calls the execute function on msg.sender.

If the borrower can make the Lending contract call any arbitrary function on any arbitrary contract during the flashloan, then they can (among other things) drain the Lending contract of all of its ERC20 tokens.

So always check that, during the flashloan function, the Lending contract only ever calls the execute function on msg.sender.

3 Likes

@Austin-Williams linking here for reference your implementation of safer flash loans, hope you don’t mind!

2 Likes

@Austin-Williams thanks a lot for the presentation. Great stuff!

Could you please help clarify how the borrower could drain the Lending contract of all of its ERC20 tokens, if the Lending contract can call any arbitrary function on any arbitrary contract during the flashloan?

2 Likes

Thanks for the excellent info about flash loans.

Flash loans offer immense power and flexibility but also come with a set of security considerations. By focusing on the intrinsic security aspects of flash loans, you're honing in on the core of this DeFi primitive.

Regarding "macro" vulnerabilities, they indeed present a different set of challenges, often involving larger-scale market dynamics. Exploring those separately in a future presentation is a great idea, as it can shed light on risks that may affect various DeFi participants differently.

I watched your presentation on the Flash Loan Pattern, and I must say it was super informative! I appreciate how you focused on the security aspects intrinsic to flash loans. I'm looking forward to a "macro" DeFi vulns presentation, too. Keep up the good work, Austin-Williams!