{"id":763,"date":"2025-04-11T13:57:49","date_gmt":"2025-04-11T11:57:49","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=763"},"modified":"2025-04-12T16:34:11","modified_gmt":"2025-04-12T14:34:11","slug":"flash-loan-reentrancy-attack","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/flash-loan-reentrancy-attack\/","title":{"rendered":"Flash Loan Reentrancy Attack"},"content":{"rendered":"<p dir=\"auto\" data-line=\"2\">Flash loans enable borrowing without collateral and repaying within a single transaction, but create security risks when implemented incorrectly. This article examines how flash loan vulnerabilities can lead to side entrance attacks and why proper implementation is essential.<\/p>\n<p>If you would like to learn hands-on, clone <a href=\"https:\/\/github.com\/Ackee-Blockchain\/reentrancy-examples\/tree\/master\">this repository<\/a> and run <code class=\"codehl\">wake test tests\/test_4_flash_loan.py<\/code>.<\/p>\n<h2 id=\"expected-usage\" class=\"code-line\" dir=\"auto\" data-line=\"4\">Expected usage<\/h2>\n<p class=\"code-line\" dir=\"auto\" data-line=\"6\">When the <code class=\"codehl\">flashLoan<\/code> is called, its user can access and use many tokens in one transaction.<\/p>\n<p dir=\"auto\" data-line=\"6\">If the borrower fails to repay by the transaction&#8217;s end, the entire transaction reverts, which is what enables lending without requiring collateral:<\/p>\n<ul class=\"code-line\" dir=\"auto\" data-line=\"8\">\n<li class=\"code-line\" dir=\"auto\" data-line=\"8\">Vault sends tokens to the <code class=\"codehl\">msg.sender<\/code>.<\/li>\n<li class=\"code-line\" dir=\"auto\" data-line=\"9\">External call to the <code class=\"codehl\">msg.sender<\/code> from Vault.<\/li>\n<li class=\"code-line\" dir=\"auto\" data-line=\"10\">Vault checks the vault&#8217;s token balance.<\/li>\n<\/ul>\n<p><script src=\"https:\/\/gist.github.com\/MeditationDuck\/0b42835a7ab7444699a4f7ca47917d99.js\"><\/script><\/p>\n<h2 
id=\"attack-example\" class=\"code-line\" dir=\"auto\" data-line=\"69\">Attack example<\/h2>\n<p class=\"code-line\" dir=\"auto\" data-line=\"12\">The vulnerability exists because the contract only verifies the vault&#8217;s token balance. This allows alternate <code class=\"codehl\">transfer<\/code> methods to satisfy repayment conditions, enabling a <strong>side entrance attack<\/strong>.<\/p>\n<p class=\"code-line\" dir=\"auto\" data-line=\"14\">Users can call the <code class=\"codehl\">deposit<\/code> function, which increases the token balance of the vault. Attackers can call the <code class=\"codehl\">deposit<\/code> function during the flash loan to increase both the vault&#8217;s token balance and their own vault balance credit, which they can later withdraw.<\/p>\n<p dir=\"auto\" data-line=\"14\">These are the steps of the attack.<\/p>\n<ul class=\"code-line\" dir=\"auto\" data-line=\"37\">\n<li class=\"code-line\" dir=\"auto\" data-line=\"37\">\n<p class=\"code-line\" dir=\"auto\" data-line=\"37\">The attacker calls <code class=\"codehl\">flashLoan()<\/code> on the vault for some value.<\/p>\n<ul class=\"code-line\" dir=\"auto\" data-line=\"37\">\n<li class=\"code-line\" dir=\"auto\" data-line=\"37\">\n<p class=\"code-line\" dir=\"auto\" data-line=\"37\">The vault sends the lent tokens to the attacker.<\/p>\n<\/li>\n<li class=\"code-line\" dir=\"auto\" data-line=\"37\">\n<p class=\"code-line\" dir=\"auto\" data-line=\"37\"><code class=\"codehl\">token.balanceOf(Vault)<\/code> decreases.<\/p>\n<\/li>\n<li class=\"code-line\" dir=\"auto\" data-line=\"40\">The vault calls the attacker&#8217;s external function <code class=\"codehl\">onFlashLoan()<\/code>\n<ul class=\"code-line\" dir=\"auto\" data-line=\"37\">\n<li class=\"code-line\" dir=\"auto\" data-line=\"40\">The attacker calls <code class=\"codehl\">deposit()<\/code> to deposit that value into the vault.<\/li>\n<li class=\"code-line\" dir=\"auto\" data-line=\"42\"><code class=\"codehl\">token.balanceOf(Vault)<\/code> will 
increase.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li class=\"code-line code-active-line\" dir=\"auto\" data-line=\"44\">\n<p class=\"code-line\" dir=\"auto\" data-line=\"44\">The attacker can call <code class=\"codehl\">withdraw()<\/code> on that deposit.<\/p>\n<\/li>\n<\/ul>\n<p class=\"code-line\" dir=\"auto\" data-line=\"71\">This is the attacker contract.<\/p>\n<p><script src=\"https:\/\/gist.github.com\/MeditationDuck\/3be747ab2398c50045c12f48c2157077.js\"><\/script><\/p>\n<h3 id=\"wake-code\" class=\"code-line\" dir=\"auto\" data-line=\"106\">Exploit<\/h3>\n<p><script src=\"https:\/\/gist.github.com\/MeditationDuck\/b43df542acaa2ac51f2eab8b3c5f9e95.js\"><\/script><\/p>\n<p class=\"code-line\" dir=\"auto\" data-line=\"139\">This is <a href=\"https:\/\/getwake.io\">Wake&#8217;s<\/a> output, showing the contract successfully drained the token balance.<\/p>\n<p class=\"code-line\" dir=\"auto\" data-line=\"141\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-764\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2024\/06\/Screenshot-from-2024-06-19-11-33-43.png\" alt=\"\" width=\"1346\" height=\"655\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Screenshot-from-2024-06-19-11-33-43.png 1346w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Screenshot-from-2024-06-19-11-33-43-300x146.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Screenshot-from-2024-06-19-11-33-43-1024x498.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Screenshot-from-2024-06-19-11-33-43-768x374.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Screenshot-from-2024-06-19-11-33-43-370x180.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Screenshot-from-2024-06-19-11-33-43-760x370.png 760w\" sizes=\"auto, (max-width: 1346px) 100vw, 1346px\" \/><\/p>\n<h2 id=\"prevension\" class=\"code-line\" dir=\"auto\" data-line=\"150\">Prevention<\/h2>\n<p>To 
prevent a side entrance attack, the lender should transfer the token from the borrower at the end of the flash loan. <strong>A reentrancy guard would work here<\/strong>.<\/p>\n<p><script src=\"https:\/\/gist.github.com\/MeditationDuck\/62ffdc73bb0c9e313bccc9db34b49682.js\"><\/script><\/p>\n<p class=\"code-line\" dir=\"auto\" data-line=\"152\"><span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">Developers must always follow <a href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-3156\" target=\"_blank\" rel=\"noopener\">the specifications and best practices<\/a> for ERC-3156 to prevent all possible attacks<\/span>.<\/p>\n<h2 id=\"conclusion\" class=\"code-line\" dir=\"auto\" data-line=\"156\">Conclusion<\/h2>\n<p class=\"code-line\" dir=\"auto\" data-line=\"158\">When a developer wants to use some functionality from ERCs, they must follow the specification of those functionalities.<\/p>\n<p dir=\"auto\" data-line=\"363\"><span style=\"font-weight: 400;\">We have a <a title=\"Reentrancy Examples Github Repository\" href=\"https:\/\/github.com\/Ackee-Blockchain\/reentrancy-examples\">Reentrancy Examples Github Repository<\/a>. 
There are other types of reentrancy attacks and also protocol-specific reentrancies.<br \/>\n<\/span><\/p>\n<p dir=\"auto\" data-line=\"363\">Also, we have written type-specific reentrancy attacks.<\/p>\n<ul>\n<li dir=\"auto\" data-line=\"4\"><a href=\"https:\/\/ackee.xyz\/blog\/single-function-reentrancy-attack\/\">Single Function Reentrancy Attack<\/a><\/li>\n<li dir=\"auto\" data-line=\"4\"><a href=\"https:\/\/ackee.xyz\/blog\/cross-function-reentrancy-attack\/\">Cross Function Reentrancy Attack<\/a><\/li>\n<li dir=\"auto\" data-line=\"4\"><a href=\"https:\/\/ackee.xyz\/blog\/cross-contract-reentrancy-attack\/\">Cross Contract Reentrancy Attack<\/a><\/li>\n<li dir=\"auto\" data-line=\"4\"><a href=\"https:\/\/ackee.xyz\/blog\/read-only-reentrancy-attack\/\">Read Only Reentrancy Attack<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Flash loans enable borrowing without collateral and repaying within a single transaction, but create security risks when implemented incorrectly. This article examines how flash loan vulnerabilities can lead to side entrance attacks and why proper implementation is essential. If you would like to learn hands-on, clone this repository and run wake test tests\/test_4_flash_loan.py. 
Expected usage When the flashLoan is called, its user&hellip;<\/p>\n","protected":false},"author":24,"featured_media":1036,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[61,85,84,80,103],"tags":[24,86,138,64,104],"class_list":["post-763","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education","category-exploits","category-hacks","category-solidity","category-wake","tag-ethereum","tag-hack","tag-reentrancy-attack","tag-security","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/04\/Flash-Loan-Reentrancy-Attack-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/04\/Flash-Loan-Reentrancy-Attack-1-600x600.png","author_info":{"display_name":"Naoki Yoshida","author_link":"https:\/\/ackee.xyz\/blog\/author\/naoki-yoshida\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=763"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/763\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/1036"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=763"}],"curies":[{"name":"wp","hre
f":"https:\/\/api.w.org\/{rel}","templated":true}]}}