This Billion-Dollar Crypto Loan Is Easy To Get, But Gone in A Flash - WSJ
This copy is for your personal, non-commercial use only. To order presentation-ready copies for distribution to your colleagues, clients or customers visit
https://www.djreprints.com.
https://www.wsj.com/articles/this-billion-dollar-crypto-loan-is-easy-to-get-but-gone-in-a-flash-11651985089
Flash loan has become a potent tool for
crypto hackers
A hacker who robbed the decentralized stablecoin platform Beanstalk in April had
a powerful tool: a $1 billion loan taken out with no collateral, no proof of income
and no identity verification. The loan had to be repaid in less than a second, but
that was all that was needed to steal tens of millions of dollars.
The hacker used what is called a flash loan—a cheap, instant and anonymous form
of financing based on cryptocurrencies.
Such flash loans have beneficial uses, including help for traders trying to
capitalize on price differences between cryptocurrencies on different exchanges.
In that sense, they are much like the financing that an investment bank might
provide to an investment fund to make bets on different stocks or currencies.
But flash loans also have a dark side. There has been a string of recent thefts using
flash loans. In addition to the theft Beanstalk disclosed last month, a
decentralized-finance platform called Rari Capital said a hacker used a flash loan
to help steal about $80 million from it. And Cream Finance said in October a
hacker used a flash loan to help steal about $130 million from its platform.
Services such as borrowing and lending are handled by “smart contracts,” pieces
of code that are written to automate an agreement. These take the place of a loan
or bank application that would be used in traditional finance.
Flash loans aren’t a retail tool, though. To use a flash loan, someone needs to be
able to code a contract and execute it. The flash-loan portion of the Beanstalk
hack, for instance, involved nearly two dozen steps.
That is not a lot of time. But in an automated world it is enough to make a trade.
The smart contract has conditions written into it that guarantee repayment. If the
borrower doesn’t repay the loan, the contract voids the transaction before it is
confirmed, along with whatever market maneuver it was tied to. It is as though
the loan never happened and so is an all or nothing proposition. Because of this,
there is essentially no credit risk to the lenders.
And because there is no credit risk, the amounts that can be borrowed are limited
only by how much capital is held on a specific DeFi platform. Aave, for instance,
has about $21 billion of liquidity across its services, held in a variety of
cryptocurrencies.
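The all-or-nothing behavior described above can be modeled in a few lines. This is an added illustration, not part of the original article and not Aave's contract code; the `Pool` class, the `run_tx` helper, the fee rate and all balances are constructed for the example.

```python
"""Toy model of flash-loan atomicity. Added illustration, not Aave's contract code."""
import copy

class Reverted(Exception):
    """The whole transaction is voided; no state change survives."""

class Pool:
    def __init__(self, liquidity, fee_bps=9):   # fee rate is a constructed sample value
        self.liquidity = liquidity
        self.fee_bps = fee_bps

    def flash_loan(self, amount, borrower_logic, state):
        # The only lending limit is the capital the pool actually holds.
        if amount > self.liquidity:
            raise Reverted("amount exceeds pool liquidity")
        self.liquidity -= amount
        state["borrower"] += amount
        borrower_logic(state)                    # arbitrary steps written by the borrower
        owed = amount + amount * self.fee_bps // 10_000
        if state["borrower"] < owed:             # repayment condition built into the loan
            raise Reverted("loan plus fee not repaid")
        state["borrower"] -= owed
        self.liquidity += owed

def run_tx(pool, amount, borrower_logic, state):
    """Execute one transaction atomically: commit everything or restore everything."""
    saved_pool, saved_state = pool.liquidity, copy.deepcopy(state)
    try:
        pool.flash_loan(amount, borrower_logic, state)
        return "confirmed"
    except Reverted as why:
        pool.liquidity = saved_pool              # lender is made whole
        state.clear()
        state.update(saved_state)                # the tied market maneuver is undone too
        return f"voided: {why}"

# Constructed borrower programs: one ends with enough to repay, one does not.
def winning_trade(state):
    state["market"] -= 2_000
    state["borrower"] += 2_000

def losing_trade(state):
    state["borrower"] -= 5_000
    state["market"] += 5_000

if __name__ == "__main__":
    pool, state = Pool(5_000_000), {"borrower": 100, "market": 10_000}
    print(run_tx(pool, 1_000_000, losing_trade, state), state, pool.liquidity)
    print(run_tx(pool, 1_000_000, winning_trade, state), state, pool.liquidity)
```

In the voided case the pool, the borrower and the market all return to their starting balances, which is why the lender carries no credit risk regardless of what the borrower's code does.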
In theory, flash loans allow people to use borrowed funds the way financiers do in
traditional markets, akin to how an activist investor would use financing to
acquire a company, or the way George Soros used borrowed money to bet
famously against the British pound.
But the speed of them, the lack of collateral required and the anonymity allowed
make them very different in practice. “They open up the potential for things that
you wouldn’t even be able to do in the traditional markets and weren’t possible in
crypto before,” said Max Galka, the founder and chief executive of the crypto-
analytics firm Elementus.
There are several DeFi platforms that allow flash loans, but Aave, where the loans
originated, is the biggest. Since 2020, Aave has processed 52,000 flash loans
totaling $15.6 billion in market value, according to Elementus. Borrowers pay a
small fee for the loan.
For coders who understand how to use flash loans, the potential for malfeasance
is huge, said Hassan Bassiri, a fund manager at the crypto-focused investment
manager Arca. Because DeFi is such a new field, many services have poor security
or badly written code, or both, making the potential for abuse even greater.
“You’re not going to make $80 million in 30 seconds of work doing arbitrage,” Mr.
Bassiri said. “There’s so much more profit in the nefarious uses.”
A day before the attack, the hacker made a proposal to send money from Beanstalk
to Ukraine as aid, though the code directed instead to a wallet the hacker
controlled.
The Beanstalk hacker borrowed $1 billion in a flash loan on the Aave platform, in
several different crypto denominations, which the hacker used to buy into
Beanstalk and momentarily take control of the voting mechanism. Beanstalk’s
founders declined to comment. Aave didn’t reply to a request for comment.
In the instant of the attack, the hacker had to do several things in rapid fashion
with a computer program: take out the flash loan, buy enough tokens to give the
person a voting majority, and vote to approve the proposal from the previous day.
Then the hacker sent the funds to another location and sold out of the Beanstalk
The result: The hacker drained about $76 million of cryptocurrency in the blink of
an eye.
Appeared in the May 9, 2022, print edition as 'Loan Hackers Score $76 Million in a Flash.'
Copyright © 2022 Dow Jones & Company, Inc. All Rights Reserved