In recent months, Harvest, Akropolis, Value DeFi, Cheese Bank, Eminence, and Origin Protocol have all suffered flash loan exploits. Of these six recent incidents, three ended with a partial return of the exploited funds, which has become a new trend within the DeFi circle.
Although the reasons these DeFi attackers return their ill-gotten funds remain unclear, one potential reason could be morality.
To understand why, we need to start with what a flash loan actually is.
What is a flash loan?
A flash loan involves an attacker receiving a loan from a DeFi protocol, spending the loaned capital, and returning it, all within the same smart contract transaction. Because the loan is taken out and repaid within a single transaction, it does not require collateral.
In essence, anyone can obtain a flash loan without collateral, just by covering the fees involved. Analysts at the on-chain analysis firm Glassnode explain:
“This means that users of flash loans, including attackers, assume very little risk; if the transaction does not ‘break even’ and the loan cannot be paid back, the whole thing reverts, meaning the user loses nothing more than the cost of gas. In contrast, the potential returns are considerable.”
If the attacker can execute a profitable arbitrage with the loaned capital during that short window, the attacker returns the borrowed capital and keeps the profit.
But those profits have to come from somewhere, and while each exploit is different (and complicated), the short answer is that they often come from other users: the "losers" on the other side of the trades that generate the attacker's profit.
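A toy model of the mechanism described above, added here as an illustration rather than code from the article or any real protocol: the pool size, the borrower's empty wallet, the fee and both "trades" are constructed. It shows the two outcomes Glassnode describes, a profitable transaction that repays principal plus fee, and a losing one whose every state change is rolled back so the borrower is out only the gas.

```python
"""Added example: flash loan atomicity. A lender hands out capital with no
collateral, runs the borrower's code, then requires principal + fee back
in the same transaction; otherwise the whole transaction reverts."""
import copy
from dataclasses import dataclass


class Reverted(Exception):
    """Raised when the in-transaction repayment check fails (EVM-style revert)."""


@dataclass
class World:
    """Constructed on-chain state: lender liquidity and the borrower's wallet."""
    pool: int          # lender's liquidity, in token units
    borrower: int      # borrower's token balance (starts at zero: no own capital)
    eth_for_gas: int   # borrower's separate gas budget


FEE_BPS = 9  # constructed flash loan fee: 9 basis points (0.09%)


def flash_loan(w: World, amount: int, strategy) -> int:
    """Lend `amount`, run the borrower's strategy, then demand principal + fee."""
    fee = amount * FEE_BPS // 10_000
    w.pool -= amount
    w.borrower += amount
    strategy(w)                   # borrower uses the capital however it likes
    owed = amount + fee
    if w.borrower < owed:         # repayment check at the end of the same transaction
        raise Reverted("principal plus fee not returned")
    w.borrower -= owed
    w.pool += owed
    return fee


def run_transaction(w: World, tx, gas_cost: int) -> World:
    """Execute `tx` atomically: on revert, keep nothing but the gas spent."""
    trial = copy.deepcopy(w)      # work on a snapshot, like EVM state during a tx
    try:
        tx(trial)
    except Reverted:
        w.eth_for_gas -= gas_cost  # a failed transaction still costs gas
        return w
    trial.eth_for_gas -= gas_cost
    return trial


def profitable_strategy(w: World):
    """Constructed 'arbitrage' netting 1% on the borrowed capital."""
    w.borrower += w.borrower // 100


def losing_strategy(w: World):
    """Constructed trade losing 2%, so the loan cannot be repaid."""
    w.borrower -= w.borrower * 2 // 100


def demo(strategy, amount: int = 80_000) -> World:
    start = World(pool=1_000_000, borrower=0, eth_for_gas=100)
    return run_transaction(start, lambda w: flash_loan(w, amount, strategy), gas_cost=1)
```

In the losing case the pool and wallet balances are identical before and after; only the gas budget drops.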
So why are attackers returning their gains?
Sentiment about flash loan exploits in the DeFi space remains mixed. On one hand, they can be considered an attack or exploit because they lead to users losing their funds. On the other hand, some argue that flash loans are not illegal and simply follow the rules and systems of the platforms on which they happen.
It may be that some of these attackers fall into the former camp and are returning funds so that they don't hurt innocent users.
As an example, on November 15, Value DeFi suffered a flash loan attack that resulted in a $6 million loss. The attacker borrowed 80,000 Ethereum, worth just under $40 million, from the DeFi protocol Aave. The attacker then arbitraged between two stablecoins, DAI and USDC, netted a profit at the expense of Value DeFi users, and returned the $40 million of base capital to Aave.
Su Zhu, the CEO of Three Arrows Capital, said that the hacker also returned $2 million of the profits earned in the exploit. He noted that the same exploit would be possible without flash loans, but only whales or high-net-worth investors would be able to carry it out.
According to Su, the exploiter left a message that asked “Do you really know flash loan [sic]?” and returned the $2 million to show good will. The act serves as a reminder, Su says, that without flash loans, the same “exploit” would technically be possible — but available only to super-wealthy whales.
An exploiter also returned $50,000 to a victim who had lost $100,000 in the attack, after the victim told the attacker that they were a nurse.
Since flash loan exploits do not need a significant amount of capital to initiate, and attackers risk very little capital when an attack fails, those returning a portion of the exploited funds are likely doing so for moral reasons. Whether this makes the attack any less harmful is up for debate, and that debate is heating up in the DeFi space right now.