How Active Portfolio protects against Flashloan Attacks
We continue the deep dive into the security precautions of Dexe Investment with a look at how the Active Portfolio feature protects against price manipulation using flashloan attacks.
What are flashloans?
Flashloans are a uniquely DeFi phenomenon where anyone can borrow a token and repay the debt in the same transaction. Instead of relying on heavy collateralization, flashloans work on the principle that if the borrower doesn’t deliver on repayment of the funds within a very narrow time limit, the original transaction is automatically reverted, returning the funds back to the lender. While brilliant and effective, this mechanism does allow malicious actors to use flashloans to borrow a large amount of a low-liquidity token and manipulate its price. Here is how it works.
Flashloan price dumps
The usual process involves having funds on at least two DEXs. On one, the malicious actor quickly sells the borrowed tokens. Because there are a lot of them to sell and the liquidity (at least on that DEX) is limited, the price quickly nosedives.
Other DEXs see this newly low price (via oracles like those from Chainlink) and adjust to offer a similarly low price. At this point, the malicious actor buys the tokens back on the other DEX at the new, much lower price and repays the flashloan, pocketing the difference.
Flashloan attacks in a Fund
In theory, this type of attack could be applied to a fund in Dexe Investment. If a trader’s fund is heavily or fully invested into one token with low liquidity, a malicious actor can borrow this token elsewhere using a flashloan and then buy the LP tokens of the fund — which are now worth a lot less since they reflect the new (low) price of the token. Once the malicious actor repays the loan and the token’s price goes back up to normal, the oracles used by Dexe Investment will see that and the LP price will go back up. As a result, the malicious actor was able to buy a lot of LP tokens cheap and can now sell them for a lot more money. This happens in a very short time period and is unfair to all those actually investing into the trader’s fund without outside price manipulations.
Preventing this with Active Portfolio
There are two ways to prevent this. One involves limiting trading to only a few tokens with massive liquidity (like ETH or USDC), where a flashloan attack would be too expensive to execute. But that would limit trader strategies and not be fully in the spirit of DeFi.
A much simpler option is the policy of Active Portfolio. All that means is that every new investment into a fund gets LP tokens that represent the current ratio of assets in the fund, at that very minute. So if the fund has 10 ETH, 2000 USDC, 500 BNB, and 345 DEXE, the new investment’s LP tokens will hold the value of each of those tokens proportionally. This way, everyone gets to buy exactly what is on sale when they enter the fund — no flashloan attacks or other manipulation.
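The difference between the two entry rules can be checked with a small accounting model. This is an added example, not Dexe Investment's contract code: the holdings are the article's example fund, while the prices, the LP supply, the deposit sizes and all function names are constructed assumptions, and proportional entry is simplified to a deposit that adds the same share of every asset.

```python
from fractions import Fraction

# Holdings are the article's example fund; prices and LP supply are constructed.
HOLDINGS = {"ETH": 10, "USDC": 2000, "BNB": 500, "DEXE": 345}
FAIR = {"ETH": 2000, "USDC": 1, "BNB": 300, "DEXE": 100}
DUMPED = {**FAIR, "DEXE": 10}  # quote seen while the token's price is depressed
LP_SUPPLY = 1000


def nav(holdings, prices):
    """Fund value in USDC at the given price quotes."""
    return sum(Fraction(qty) * prices[tok] for tok, qty in holdings.items())


def enter_by_quote(holdings, supply, quotes, deposit_usdc):
    """Price-based entry (hypothetical baseline): LP minted from quoted NAV."""
    minted = Fraction(deposit_usdc) * supply / nav(holdings, quotes)
    after = {**holdings, "USDC": holdings["USDC"] + deposit_usdc}
    return after, supply + minted


def enter_proportional(holdings, supply, share):
    """Proportional entry: the deposit adds `share` of every asset held,
    so the LP amount minted never depends on a price quote."""
    after = {tok: Fraction(qty) * (1 + share) for tok, qty in holdings.items()}
    return after, supply * (1 + share)


def existing_holder_loss(after, new_supply):
    """Value at fair prices moved away from the original LP holders."""
    kept = Fraction(LP_SUPPLY) / new_supply * nav(after, FAIR)
    return nav(HOLDINGS, FAIR) - kept


def compare(deposit_usdc=20650, share=Fraction(1, 10)):
    """Loss to existing holders under each entry rule."""
    by_fair = enter_by_quote(HOLDINGS, LP_SUPPLY, FAIR, deposit_usdc)
    by_dumped = enter_by_quote(HOLDINGS, LP_SUPPLY, DUMPED, deposit_usdc)
    in_kind = enter_proportional(HOLDINGS, LP_SUPPLY, share)
    return {
        "quote_fair": existing_holder_loss(*by_fair),
        "quote_dumped": existing_holder_loss(*by_dumped),
        "proportional": existing_holder_loss(*in_kind),
    }


if __name__ == "__main__":
    for rule, loss in compare().items():
        print(f"{rule:13s} loss to existing holders: {float(loss):.2f} USDC")
```

Only the quote-based rule with the depressed quote dilutes existing holders; the proportional rule takes no price as input, so there is nothing for a temporary price move to distort.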
Transparency is often the best security. And for both traders and investors to feel fully secure about their money and strategies, Active Portfolio is there to protect them both.