Flashloans. Part 1

Flashloans were a very wild thing in 20/21. A lot of exploits were caused by flashloan opportunities, and back then, the term “flashloan” was scary. If you are a DeFi investor feeling the same way today as we felt back then, there's absolutely no reason for this. We will explain everything you should know about a flashloan:

Many protocols such as AAVE’s lending pool implement a flashloan function, which is callable by anyone and works as follows:

1. Call flashloan function

2. Receive tokens

3. Execute logic upon the callback

4. Repay tokens

This is the usual process. Let’s take a look at AAVE’s implementation:

As we can see, first the fee is determined, then the user will receive the tokens, then the callback is executed which allows for arbitrary operation and expects the user to transfer tokens + fee back. Afterwards the proper balance is checked.

On a sidenote, a few things as an auditor to check:

1. Bypassing of balance check.

2. Execute a deposit on the underlying protocol during the callback which increases the balance but grants user a deposit receipt.

3. Unupdated state of vault/pool, as example the amount which is transferred out is not reflected in a reserve deduction.

4. Potential abuse of the fee logic, achieve an abnormal increase of the fees such that another spot in the protocol can be abused.