8 Biggest Crypto Flash Loan Attacks of All Time
The biggest crypto flash loan attacks, including the recent $197M Euler Finance attack, have been big wake-up calls to the dangers of an unregulated financial space like DeFi.
These attacks are worth talking about because they show us the weak spots in DeFi, a part of the finance world that’s growing incredibly fast. That matters especially if you are involved, or planning to get involved, in cryptocurrencies and DeFi.
In this post, we’ll break down the 8 biggest flash loan attacks of all time, explaining how they happened, what effect they had on the people and platforms involved, and what we can learn from them for the future.
- Why are Crypto Flash Loan Attacks So Common?
- Here are the Biggest Flash Loan Attacks of All Time:
- 1. Euler Finance $197M Stolen in 2023
- 2. $130M Cream Finance Exploit in 2021
- 3. Beanstalk $80M Stolen in 2022
- 4. $45M PancakeBunny Exploit in 2021
- 5. Alpha Finance $37M Stolen in 2021
- 6. $25M Attack on dForce in 2020
- 7. Elephant Money $22.2M Exploit in 2022
- 8. Platypus Finance Lost Over $10M in 2023 (in 3 Different Attacks)
- The Future of DeFi and Flash Loans
Why are Crypto Flash Loan Attacks So Common?
Flash loan attacks are becoming worryingly frequent in the fast-paced decentralized finance (DeFi) space. Let’s break down why this is happening by first understanding how flash loans work and the risks they bring to the DeFi space.
How Do Crypto Flash Loans Work?
Imagine being able to borrow a huge amount of cryptocurrency for just a few moments—literally milliseconds—without needing to put up any collateral. That’s what flash loans allow you to do. They’re like a lightning-fast loan that you must pay back almost instantly.
Here’s the process in simple terms: You get a flash loan, the smart contract (which is like an automated set of rules) quickly uses these funds for specific tasks like trading or paying off a loan, and then you pay back the loan, with a little extra as fees, all in one single transaction.
If anything doesn’t go as planned, the deal is off, and the entire loan gets reversed as if it never happened in the first place.
Check out our in-depth guide on flash loans for more.
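To make the “borrow, use, repay, all in one transaction” idea concrete, here is a small Python model of flash-loan settlement. It is an added example written for this post, not code from any lending protocol; the fee rate, account names and balances are made up. The point it shows is the lender’s safety mechanism: the repayment check runs at the end of the same transaction, and a failed check discards every balance change the borrower made, so the lender never actually parts with the funds.

```python
"""Toy model of how a flash loan is settled inside one atomic transaction.

Constructed example for illustration only; it is not any protocol's code.
The lender lends with no collateral because it checks, at the end of the same
transaction, that principal plus fee came back. If that check fails the whole
transaction reverts, so every balance change inside it is discarded.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

FEE_BPS = 9  # 0.09% flash-loan fee; a constructed value


class Reverted(Exception):
    """Raised when a transaction fails; all of its state changes are discarded."""


@dataclass
class Ledger:
    """Token balances keyed by account name."""
    balances: Dict[str, int] = field(default_factory=dict)

    def balance(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balance(src) < amount:
            raise Reverted(f"{src} has insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance(dst) + amount


def flash_loan(ledger: Ledger, borrower: str, amount: int,
               callback: Callable[[Ledger, int, int], None]) -> int:
    """Lend `amount` to `borrower`, run the borrower's callback, then enforce repayment."""
    before = ledger.balance("lender")
    fee = amount * FEE_BPS // 10_000
    ledger.transfer("lender", borrower, amount)
    callback(ledger, amount, fee)          # the borrower's own logic runs here
    if ledger.balance("lender") < before + fee:
        raise Reverted("flash loan not repaid")   # undoes everything above
    return fee


def run_transaction(ledger: Ledger, tx: Callable[[Ledger], int]) -> Tuple[str, object]:
    """Execute `tx` atomically: on Reverted, restore the pre-transaction snapshot."""
    snapshot = copy.deepcopy(ledger.balances)
    try:
        return ("ok", tx(ledger))
    except Reverted as exc:
        ledger.balances.clear()
        ledger.balances.update(snapshot)
        return ("reverted", str(exc))


def repaying_borrower(ledger: Ledger, amount: int, fee: int) -> None:
    """Uses the funds, then returns principal plus fee out of its own small balance."""
    ledger.transfer("borrower", "lender", amount + fee)


def defaulting_borrower(ledger: Ledger, amount: int, fee: int) -> None:
    """Moves the funds away and never repays; the lender's check reverts the whole tx."""
    ledger.transfer("borrower", "elsewhere", amount)


def simulate(callback: Callable[[Ledger, int, int], None]) -> Tuple[Tuple[str, object], Dict[str, int]]:
    # Constructed starting balances: the lender's pool and a borrower holding enough for the fee.
    ledger = Ledger({"lender": 1_000_000, "borrower": 1_000})
    status = run_transaction(ledger, lambda l: flash_loan(l, "borrower", 500_000, callback))
    return status, dict(ledger.balances)


if __name__ == "__main__":
    print(simulate(repaying_borrower))    # ('ok', 450) and the lender ends with 1_000_450
    print(simulate(defaulting_borrower))  # ('reverted', ...) and balances are unchanged
```

Run it and compare the two outcomes: with the repaying borrower the lender finishes 450 richer, while with the defaulting borrower the ledger is byte-for-byte what it was before the transaction, which is exactly the “reversed as if it never happened” behaviour described above.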
Why Are Flash Loans So Vulnerable to Attacks?
DeFi is a space where anyone can participate, and unfortunately, that includes people with bad intentions. These individuals use flash loans to carry out attacks, exploiting weaknesses in DeFi platforms.
They manipulate prices, jump ahead in line in trading (known as front-running), and take advantage of gaps in liquidity (how easily assets can be bought or sold).
The bottom line is that the very features that make flash loans innovative and useful—their speed and no-collateral policy—also make them an attractive target for those looking to exploit the DeFi system.
Here are the Biggest Flash Loan Attacks of All Time:
1. Euler Finance $197M Stolen in 2023
Euler Finance, a DeFi platform, faced the biggest crypto flash loan attack in history, resulting in a staggering $197 million stolen. Let’s break down what happened.
The Mechanics of the Attack
The platform operates with two kinds of tokens: eTokens, which represent collateral, and dTokens for debt. Users get eTokens when they deposit funds, and dTokens are involved in triggering on-chain liquidations.
This heist exploited a flaw in Euler Finance’s “DonateToReserve” function. This glitch mistakenly destroyed eTokens without affecting dTokens, leading to a misrepresentation of borrowed assets as collateralized assets.
The cunning attacker capitalized on this by creating an illusion of a deficit in eTokens and an artificial surplus of dTokens. Here’s how it unfolded:
Manipulating Euler’s Tokens: The attacker first borrowed about $30 million in DAI from Aave. Of this $30 million, $20 million in DAI was deposited into Euler, which generated an equivalent amount in eDAI tokens. The attacker then used Euler’s system to borrow ten times the value of their initial deposit.
Repaying and Re-borrowing: The remaining $10 million from the Aave loan was used to pay back some of the dDAI debt. The attacker exploited a mint function to re-borrow within the same transaction.
Concealing the Theft: After the attack, a portion of the stolen funds was transferred to Tornado Cash, a crypto mixer, making it hard to trace their origin.
For a more detailed breakdown of the attack mechanics, Chainalysis offers a comprehensive analysis.
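The flaw described above comes down to a missing solvency check. The Python model below is an added illustration, not Euler’s contract code: the eToken/dToken names and the donate-to-reserves operation follow the description in this post, while the collateral factor and the amounts are made up. It shows a pool whose donation path burns collateral without re-checking account health, next to the same pool with the check that borrowing already enforces applied to the donation as well.

```python
"""Toy model of a collateral/debt ledger with a donate-to-reserves operation.

Constructed example, not Euler's contract code; names (eTokens, dTokens,
donate_to_reserves) follow the article's description and the numbers are made up.
The defensive point: any operation that reduces an account's collateral must be
subject to the same health check as borrowing, otherwise an account can end the
transaction owing more than its collateral covers.
"""
from dataclasses import dataclass
from typing import Dict

COLLATERAL_FACTOR = 0.9  # constructed: 1 unit of collateral backs 0.9 units of debt


class Reverted(Exception):
    pass


@dataclass
class Account:
    e_tokens: float = 0.0  # collateral claim
    d_tokens: float = 0.0  # debt owed


class LendingPool:
    def __init__(self, check_health_after_donate: bool) -> None:
        self.accounts: Dict[str, Account] = {}
        self.reserves = 0.0
        self.check_health_after_donate = check_health_after_donate

    def account(self, who: str) -> Account:
        return self.accounts.setdefault(who, Account())

    @staticmethod
    def healthy(e_tokens: float, d_tokens: float) -> bool:
        return e_tokens * COLLATERAL_FACTOR >= d_tokens

    def deposit(self, who: str, amount: float) -> None:
        self.account(who).e_tokens += amount

    def borrow(self, who: str, amount: float) -> None:
        a = self.account(who)
        if not self.healthy(a.e_tokens, a.d_tokens + amount):
            raise Reverted("borrow would leave the account undercollateralized")
        a.d_tokens += amount

    def donate_to_reserves(self, who: str, amount: float) -> None:
        """Burns the caller's eTokens into the pool reserves; dTokens are untouched."""
        a = self.account(who)
        if a.e_tokens < amount:
            raise Reverted("not enough eTokens to donate")
        # The fix: apply the same solvency rule that borrow() enforces.
        if self.check_health_after_donate and not self.healthy(a.e_tokens - amount, a.d_tokens):
            raise Reverted("donation would leave the account undercollateralized")
        a.e_tokens -= amount
        self.reserves += amount


def donation_outcome(check_health_after_donate: bool) -> dict:
    """Deposit, borrow close to the limit, then donate part of the collateral."""
    pool = LendingPool(check_health_after_donate)
    pool.deposit("user", 100.0)
    pool.borrow("user", 80.0)          # 100 * 0.9 = 90 >= 80, allowed
    try:
        pool.donate_to_reserves("user", 20.0)
        reverted = False
    except Reverted:
        reverted = True
    a = pool.account("user")
    return {"reverted": reverted, "e_tokens": a.e_tokens, "d_tokens": a.d_tokens,
            "healthy": pool.healthy(a.e_tokens, a.d_tokens)}


if __name__ == "__main__":
    print(donation_outcome(False))  # missing check: the account ends unhealthy
    print(donation_outcome(True))   # with the check: the donation reverts
```

Without the check the account walks out of the transaction with 80 units of debt against 80 units of collateral, which the collateral factor says is insolvent; with the check the donation simply reverts. The general lesson for any lending design is that every state transition that can lower collateral, not just borrowing, has to pass through the health check.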
The Unexpected Twist
In a surprising turn of events, the hacker, who identified themselves as Jacob, returned all the stolen funds and even apologized for the attack. The repayment began with 54,000 ETH (3,000 on March 18 and 51,000 on March 25) sent to Euler, followed by 7,000 ETH and $10 million in DAI.
2. $130M Cream Finance Exploit in 2021
Cream Finance, a decentralized finance (DeFi) platform offering lending and borrowing services, suffered one of the biggest crypto flash loan attacks in 2021. The attack led to a staggering loss of over $260 million from the protocol, while the hacker only managed to net $130 million.
The Mechanics of the Attack
The attack was intricate, showcasing the vulnerability of DeFi platforms to well-planned exploits. Here’s a simplified overview:
Borrowing from PancakeSwap: The attacker took a massive flash loan from PancakeSwap, a Binance-affiliated exchange, allowing them to temporarily control a huge amount of assets.
Exploiting Cream Finance’s Iron Bank: Cream Finance’s Iron Bank feature, designed to facilitate the lending and borrowing of various assets, was the main target.
Abusing Alpha Homora: The attacker made counterfeit deposits by exploiting the Alpha Homora loan pool. This tricked Cream Finance into thinking there was more collateral than there actually was. With this inflated collateral, they borrowed excessively, leading to the massive heist.
Cream Finance’s Response
Despite the scale of the attack, Cream Finance took prompt action. They rolled out a compensation plan to help users affected by the attack. Following this incident, Cream Finance strengthened its security protocols and conducted comprehensive audits to prevent future attacks.
3. Beanstalk $80M Stolen in 2022
In 2022, Beanstalk, a “decentralized credit-based stablecoin protocol,” faced a shocking exploit, marking its place among the biggest crypto flash loan attacks.
The Mechanics of the Attack
Think of Beanstalk as a digital farm. Users, lovingly called “bean farmers,” planted their beans in a virtual “field.” This helped keep the value of each bean stable at around $1. The platform allowed people to deposit other cryptocurrencies, like Ether, into a “silo.” Doing this gave them voting power in Beanstalk’s decisions – kind of like having a say in how the farm is run.
Here’s where things get tricky. An anonymous hacker saw an opportunity. They borrowed a whopping $80 million in cryptocurrency and poured it into Beanstalk’s silo. Suddenly, they had enough voting power to call the shots.
In a flash, they proposed a vote to transfer all the funds in the silo – about $182 million – to themselves. Before anyone could blink, they voted, approved the transfer, grabbed the funds, gave back their voting power, and repaid their $80 million loan. And just like that, Beanstalk’s reserves were drained.
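The Beanstalk story is really about where voting power is measured. The Python model below is an added example, not Beanstalk’s code; the silo vocabulary follows this post and the block numbers, deposit sizes and majority rule are made up. It compares a governance contract that counts whatever is in the silo at the moment of the vote against two standard defences: weighing votes by a snapshot taken before the proposal existed, and requiring a delay between proposal and execution that a single-transaction loan cannot span.

```python
"""Toy model of deposit-weighted governance and two defences against
borrowed voting power. Constructed example, not Beanstalk's code; the
silo/deposit vocabulary follows the article and all numbers are made up.

Defence 1: count voting power from a snapshot taken before the proposal
existed, so deposits made in the same transaction carry no weight.
Defence 2: require a delay between proposal and execution; a flash loan must
be repaid within the transaction that took it, so it cannot span the delay.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


class Reverted(Exception):
    pass


class Silo:
    """Deposits recorded with the block in which they happened."""

    def __init__(self) -> None:
        self.events: List[Tuple[int, str, int]] = []  # (block, account, delta)

    def deposit(self, who: str, amount: int, block: int) -> None:
        self.events.append((block, who, amount))

    def withdraw(self, who: str, amount: int, block: int) -> None:
        if self.power_at(who, block) < amount:
            raise Reverted("withdraw exceeds deposit")
        self.events.append((block, who, -amount))

    def power_at(self, who: str, block: int) -> int:
        return sum(d for b, w, d in self.events if w == who and b <= block)

    def total_at(self, block: int) -> int:
        return sum(d for b, _, d in self.events if b <= block)


@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0
    executed: bool = False
    voters: Set[str] = field(default_factory=set)


class Governance:
    def __init__(self, silo: Silo, snapshot_voting: bool, execution_delay: int) -> None:
        self.silo = silo
        self.snapshot_voting = snapshot_voting
        self.execution_delay = execution_delay
        self.proposals: List[Proposal] = []

    def propose(self, block: int) -> int:
        self.proposals.append(Proposal(created_block=block))
        return len(self.proposals) - 1

    def vote(self, who: str, pid: int, block: int) -> int:
        p = self.proposals[pid]
        if who in p.voters:
            raise Reverted("already voted")
        # Snapshot voting weighs the block *before* the proposal was created.
        weight_block = p.created_block - 1 if self.snapshot_voting else block
        weight = self.silo.power_at(who, weight_block)
        p.votes_for += weight
        p.voters.add(who)
        return weight

    def execute(self, pid: int, block: int) -> None:
        p = self.proposals[pid]
        if block < p.created_block + self.execution_delay:
            raise Reverted("execution delay not elapsed")
        quorum_block = p.created_block - 1 if self.snapshot_voting else block
        if p.votes_for * 2 <= self.silo.total_at(quorum_block):   # simple majority rule
            raise Reverted("proposal lacks a majority")
        p.executed = True


def same_block_takeover(snapshot_voting: bool, execution_delay: int) -> dict:
    """Everything the borrower does happens in block 10, inside one transaction."""
    silo = Silo()
    silo.deposit("alice", 60, block=1)   # long-standing honest depositors
    silo.deposit("bob", 40, block=2)
    gov = Governance(silo, snapshot_voting, execution_delay)

    silo.deposit("borrower", 500, block=10)      # borrowed funds, returned in the same block
    pid = gov.propose(block=10)
    weight = gov.vote("borrower", pid, block=10)
    reason: Optional[str] = None
    try:
        gov.execute(pid, block=10)
    except Reverted as exc:
        reason = str(exc)
    silo.withdraw("borrower", 500, block=10)     # repay the flash loan
    return {"vote_weight": weight, "executed": gov.proposals[pid].executed, "reason": reason}


if __name__ == "__main__":
    print(same_block_takeover(snapshot_voting=False, execution_delay=0))  # executes
    print(same_block_takeover(snapshot_voting=True, execution_delay=0))   # weight 0, fails
    print(same_block_takeover(snapshot_voting=False, execution_delay=1))  # delay blocks it
```

Either defence alone is enough in this model: the snapshot gives the borrowed deposit zero weight, and the delay means the proposal cannot be executed in the block the loan is alive. Real governance systems typically use both, because the snapshot protects against same-transaction deposits and the delay gives other token holders time to notice a hostile proposal.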
4. $45M PancakeBunny Exploit in 2021
The DeFi world witnessed one of the biggest crypto flash loan attacks in 2021 when PancakeBunny, a popular yield aggregator platform, was hit by a $45 million exploit.
The Mechanics of the Attack
This heist was no small feat. The hacker started by borrowing a massive sum – over $700 million in Binance Coin (BNB) from various PancakeBunny pools and nearly $3 million in Tether (USDT) from another source. Equipped with this borrowed treasure, they targeted a loophole in PancakeBunny’s BNB-USDT pool.
The hacker’s masterstroke involved a clever six-step plan. They manipulated the price of BNB, which led to the creation of almost seven million BUNNY tokens out of thin air.
Without wasting a moment, the attacker sold all these new BUNNY tokens, exchanging them for about 2.4 million BNB. This massive sale caused the value of BUNNY tokens to plummet. Once the operation was over and the flash loans were repaid, the hacker left with a hefty sum of 114,631 BNB – roughly $45 million.
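Both the general “they manipulate prices” point from the section on why flash loans are vulnerable and the PancakeBunny incident above come down to the same design question: which price does the protocol trust? The Python model below is an added example, not PancakeSwap or PancakeBunny code, and its reserves, trade size and block counts are made up. It pairs a constant-product pool with a time-weighted average price (TWAP) oracle that only records prices at block boundaries, and shows that a large trade opened and closed within one block moves the spot price dramatically while the TWAP does not move at all.

```python
"""Toy constant-product AMM next to a time-weighted average price (TWAP)
oracle. Constructed example, not PancakeSwap or PancakeBunny code; reserve
sizes and trade sizes are made up. The trade direction is arbitrary; a large
buy would distort the spot price upward in the same way.

The defensive point: a protocol that values collateral or computes mint
amounts from the pool's instantaneous spot price can be fed a price that one
large trade created and another trade undid within the same transaction.
A TWAP that accumulates prices only at block boundaries never sees a price
that existed solely inside one transaction.
"""
from typing import Dict, List


class ConstantProductAMM:
    """x * y = k pool; the spot price of X is quoted in units of Y."""

    def __init__(self, x: float, y: float) -> None:
        self.x, self.y = x, y

    def spot_price(self) -> float:
        return self.y / self.x

    def swap_x_for_y(self, dx: float) -> float:
        k = self.x * self.y
        out = self.y - k / (self.x + dx)
        self.x += dx
        self.y -= out
        return out

    def swap_y_for_x(self, dy: float) -> float:
        k = self.x * self.y
        out = self.x - k / (self.y + dy)
        self.y += dy
        self.x -= out
        return out


class TwapOracle:
    """Records the pool's price once per block boundary, like a cumulative-price oracle."""

    def __init__(self, amm: ConstantProductAMM) -> None:
        self.amm = amm
        self.cumulative: List[float] = [0.0]

    def end_block(self) -> None:
        self.cumulative.append(self.cumulative[-1] + self.amm.spot_price())

    def twap(self, blocks: int) -> float:
        if blocks > len(self.cumulative) - 1:
            raise ValueError("not enough history")
        return (self.cumulative[-1] - self.cumulative[-1 - blocks]) / blocks


def collateral_value(amount: float, price: float) -> float:
    """What a protocol would credit for `amount` units of X at the given price."""
    return amount * price


def one_block_manipulation() -> Dict[str, float]:
    amm = ConstantProductAMM(1_000_000.0, 1_000_000.0)   # constructed reserves, price 1.0
    oracle = TwapOracle(amm)
    for _ in range(10):          # ten quiet blocks of history
        oracle.end_block()

    spot_before = amm.spot_price()
    received_y = amm.swap_x_for_y(500_000.0)   # large borrowed swap inside block 11
    spot_during = amm.spot_price()
    twap_during = oracle.twap(10)
    amm.swap_y_for_x(received_y)               # unwind before the block ends
    spot_after = amm.spot_price()

    return {
        "spot_before": spot_before,
        "spot_during": spot_during,
        "twap_during": twap_during,
        "spot_after": spot_after,
        # what 1,000 units of X are worth to a protocol reading each price source
        "value_by_spot": collateral_value(1_000.0, spot_during),
        "value_by_twap": collateral_value(1_000.0, twap_during),
    }


if __name__ == "__main__":
    for key, value in one_block_manipulation().items():
        print(f"{key}: {value:.4f}")
```

In the run above the spot price drops from 1.0 to about 0.44 for the duration of the trade and returns to 1.0 once it is unwound, while the ten-block TWAP stays at exactly 1.0. A protocol that prices collateral or mints tokens from the spot reading is working from a number the caller controls; one that reads the TWAP forces anyone who wants to move the price to hold the distorted position across block boundaries, with their own capital, exposed to arbitrage the whole time.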
PancakeBunny’s Response
The PancakeBunny team didn’t just sit back. They quickly put together a plan to help users who lost out in the attack. The platform also beefed up its security and conducted thorough audits to ensure something like this never happens again.
5. Alpha Finance $37M Stolen in 2021
In a series of events that shook the DeFi sector, Alpha Finance became a victim of one of the biggest crypto flash loan attacks in 2021, losing about $37.5 million in a cunning exploit. This incident highlighted the evolving sophistication of hackers in the DeFi world.
The Mechanics of the Attack
The hacker used Alpha Homora, a platform designed for leveraged lending, as their playground. Their strategy involved repeatedly borrowing and lending through the Iron Bank, a well-known lending service.
What stood out in this attack was the complexity. Analysts believe the attacker used a counterfeit “spell” — Alpha’s term for a smart contract.
The hacker used this fake contract to alter Alpha Finance’s debt records, deceiving the Homora code into accepting their fake contract as a legitimate part of the system. This sleight of hand was central to draining millions from Alpha Finance.
An Unusual Gesture
In a bizarre turn of events, the attacker made some unexpected moves after executing their plan. They sent 1,000 Ether each as a “tip” to the deployers of Alpha and Iron Bank. Moreover, they even contributed to Gitcoin, a platform supporting open-source projects, showcasing a strange mix of criminal cunning and generosity.
6. $25M Attack on dForce in 2020
In 2020, a wild story unfolded in DeFi, making it a highlight among the biggest crypto flash loan attacks. The dForce platform, known for its money lending services, faced a $25 million attack.
The Mechanics of the Attack
This sneaky hacker found a weak spot in Ethereum’s ERC-777 token standard. This wasn’t a new trick; it previously led to the theft of over $300,000 in wrapped Bitcoin (BTC) from Uniswap. Using this gap, the hacker hit dForce’s lending platform, Lendf.Me, and snatched around $25 million worth of cryptocurrencies.
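The ERC-777 weak spot mentioned here is that the token standard calls a hook on the recipient during every transfer, which hands control to the recipient in the middle of whatever the calling contract was doing. The Python model below is an added example, not Lendf.Me or dForce code; the vault, the hook mechanics and all balances are made up. It shows a vault that pays out before recording the withdrawal, next to the two standard hardenings: updating state before the external transfer (checks-effects-interactions) and a reentrancy guard.

```python
"""Toy model of a deposit vault paying out a token whose transfers invoke a
hook on the recipient, as ERC-777 tokens do. Constructed example, not
Lendf.Me or dForce code; names and amounts are made up.

The defensive point: if the vault transfers tokens *before* it records the
withdrawal, the hook gives the recipient a chance to call back into the vault
while the stale balance is still on the books. Updating state first
(checks-effects-interactions) or a reentrancy guard closes that window.
"""
from typing import Callable, Dict


class Reverted(Exception):
    pass


class HookedToken:
    """Calls the recipient's tokensReceived-style hook on every transfer."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = balances
        self.hooks: Dict[str, Callable[[int], None]] = {}

    def register_hook(self, who: str, hook: Callable[[int], None]) -> None:
        self.hooks[who] = hook

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise Reverted("insufficient token balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        if dst in self.hooks:
            self.hooks[dst](amount)   # control passes to the recipient mid-operation


class Vault:
    def __init__(self, token: HookedToken, effects_first: bool, guarded: bool) -> None:
        self.token = token
        self.effects_first = effects_first
        self.guarded = guarded
        self.deposits: Dict[str, int] = {}
        self._entered = False

    def deposit(self, who: str, amount: int) -> None:
        self.token.transfer(who, "vault", amount)
        self.deposits[who] = self.deposits.get(who, 0) + amount

    def withdraw(self, who: str, amount: int) -> None:
        if self.guarded and self._entered:
            raise Reverted("reentrant call")
        self._entered = True
        try:
            if self.deposits.get(who, 0) < amount:            # check
                raise Reverted("withdraw exceeds deposit")
            if self.effects_first:
                self.deposits[who] -= amount                  # effect before interaction
                self.token.transfer("vault", who, amount)
            else:
                self.token.transfer("vault", who, amount)     # interaction first (vulnerable)
                self.deposits[who] -= amount                  # stale balance during the hook
        finally:
            self._entered = False


def drain_attempt(effects_first: bool, guarded: bool) -> dict:
    token = HookedToken({"vault": 0, "honest": 300, "reentrant": 100})   # constructed balances
    vault = Vault(token, effects_first, guarded)
    vault.deposit("honest", 300)
    vault.deposit("reentrant", 100)

    calls = {"n": 0}

    def hook(amount: int) -> None:
        # A recipient contract that calls back into the vault from its receive hook,
        # swallowing failures, and stops after a few rounds so the model terminates.
        calls["n"] += 1
        if calls["n"] < 4 and token.balances["vault"] >= amount:
            try:
                vault.withdraw("reentrant", amount)
            except Reverted:
                pass

    token.register_hook("reentrant", hook)
    vault.withdraw("reentrant", 100)   # one legitimate withdrawal of the full deposit
    return {"reentrant_tokens": token.balances["reentrant"],
            "vault_tokens": token.balances["vault"],
            "recorded_deposit": vault.deposits["reentrant"]}


if __name__ == "__main__":
    print(drain_attempt(effects_first=False, guarded=False))  # vault emptied, deposit goes negative
    print(drain_attempt(effects_first=True, guarded=False))   # only the 100 deposited comes out
    print(drain_attempt(effects_first=False, guarded=True))   # guard rejects the nested call
```

With the vulnerable ordering the single withdrawal of 100 empties all 400 tokens from the vault and leaves the recorded deposit at -300 (in a pre-0.8 Solidity contract that subtraction would underflow rather than go negative, which is no better). With either hardening, the nested call finds the balance already updated or the guard set, and the withdrawer gets exactly the 100 they were owed. The practical check for any contract that holds tokens is to ask, for every external call, what state it has not yet written at the moment control leaves it.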
The Unexpected Twist
But here’s where things get interesting. After grabbing all that cash, the hacker had a change of heart. They decided to return the stolen money. But instead of giving back the same tokens they took, they sent different ones worth about the same amount. Why? That’s still a mystery.
This whole incident was a rollercoaster, leaving everyone scratching their heads about why the hacker took the money and then returned it in such an unusual way.
7. Elephant Money $22.2M Exploit in 2022
In 2022, Elephant Money became a key highlight in the saga of the biggest crypto flash loan attacks, suffering a massive $22.2 million loss.
The Mechanics of the Attack
The hacker’s method was nothing short of ingenious. They began by taking out a massive flash loan – 131,162 WBNB and 91 million BUSD. Then, they converted these assets into 34.244e21 ELEPHANT tokens, Elephant Money’s native token.
During the minting of TRUNK, Elephant Money’s stablecoin, the process required converting BUSD to WBNB and then using that WBNB to buy ELEPHANT. This buying spree caused ELEPHANT’s price to skyrocket. The attacker didn’t just stop at minting TRUNK; they also escalated the value of ELEPHANT.
After this price manipulation, the attacker swapped the ELEPHANT tokens for an even larger sum of WBNB and redeemed TRUNK for both WBNB and BUSD. This cycle of borrowing, minting, and swapping was repeated, culminating in a hefty profit of 27,000 WBNB, translating to around $4 million.
The Aftermath
Post-exploit, the stolen funds took a complex route, moving through different accounts, with some even landing on Ethereum or the privacy-centric Tornado Cash. For a detailed analysis of the exploit, Rekt provides an in-depth breakdown.
8. Platypus Finance Lost Over $10M in 2023 (in 3 Different Attacks)
In 2023, Platypus Finance, a notable player in the DeFi space as an automated market maker, faced one of the biggest crypto flash loan attacks.
The Triple Attack
On October 12, Platypus Finance faced its first blow, losing $1.2 million. This was quickly followed by a second and third attack within the same day, draining an additional $575,000 and $450,000, respectively. Over $2 million in assets were swept away in a matter of moments.
The Recovery
Despite these staggering losses, Platypus Finance managed to claw back a significant portion of the stolen funds. By October 17, they reported recovering around 90% of the assets, reducing their net loss to about 18,000 AVAX tokens, worth roughly $167,400.
How? The hacker voluntarily returned most of the stolen funds, leading Platypus Finance to decide against legal action.
2023 has been a challenging year for Platypus Finance, marked by multiple flash loan exploits. Earlier in February, the platform suffered an $8.5 million loss, and another attack in July resulted in a loss of around $157,000.
These incidents highlight that the risks and challenges in the DeFi sector persist, a year after some of the most high-profile attacks the sector has seen.
The Future of DeFi and Flash Loans
DeFi is evolving rapidly, introducing new financial tools like flash loans. But with fast-paced innovation comes increased risk, especially in an unregulated space like DeFi.
While these quick advancements offer exciting possibilities, they can also lead to some serious problems if we’re not careful. Maintaining security in DeFi might mean slowing down the pace of innovation at times.
How the future of DeFi and flash loans pans out depends on what we’ll prioritize going forward – pushing the boundaries of financial innovation or slowing down to promote safe and secure growth. The long-term success of DeFi depends on finding the right balance between these two critical aspects.