Flash Loan Using UniswapV2-Based AMMs

Inspex
4 min readJun 1, 2021

What is Flash Loan?

In the early days without flash loan, if a user wants a loan, collateral must be provided to the lending platform in order to borrow some assets. The user needs to repay the loan together with an interest to get the collateral back.

Flash loan is a method of lending that allows users to borrow an enormous amount of assets with no required collateral. The only condition is that the borrowed asset must be returned within the same transaction of the lending, otherwise, the transaction will be reverted.

With this service, the user can utilize the borrowed asset for several purposes, including, but not limited to arbitrage, liquidation, or collateral swap. However, this kind of loan can be a double-edged sword for the DeFi ecosystem. This is because other than legitimate purposes, a large number of smart contract attacks as of late are also done using flash loans. Due to the availability of funds without any collateral needed, it has become one of the most impactful techniques used in smart contract attacks, and it is getting more prevalent. These loans can be taken from lending platforms such as Aave or dYdX, and interestingly, AMM platforms that are based on UniswapV2.

Performing a Swap on UniswapV2

Generally, in the order to perform a swap on UniswapV2, two main contracts are used: UniswapV2Router, and UniswapV2Pair.

Swapping Diagram from https://uniswap.org/docs/v2/core-concepts/swaps/

When a user performs swapping on the web UI, they are executing the swapping helper function of UniswapV2Router.

Swapping helper functions from UniswapV2Router contract

UniswapV2Router is a helper contract that helps with calculating the “out” token amount that the user would get back, checking the price slippage, transferring the “in” token to the UniswapV2Pair, and executing the actual swap function in UniswapV2Pair contract.

swap function in UniswapV2Pair

The swap function is the core function responsible for the actual token swapping. With the “in” amount transferred to the UniswapV2Pair contract, this function transfers the “out” token amount to the recipient’s address, then calculates the balances of the token pair, making sure that no token is missing, and the fee is collected.

Performing a Flash Loan

As can be seen in the swap function, we don’t actually need to perform the swapping through the UniswapV2Router contract. The only requirement is to transfer an amount of token to the contract and make sure that the calculation of K from the balances at the end of the function execution is valid.

Typically, from the flow of the execution, we need to transfer our token to the UniswapV2Pair contract before calling the swap function. However, there is a “special feature” in the swap function that allows external contract calling on line 172:

if (data.length > 0) IUniswapV2Callee(to).uniswapV2Call(msg.sender, amount0Out, amount1Out, data);

This line of code checks the existence of value in the data variable and calls the uniswapV2Call function of the recipient address to. This is done after the “out” token has been transferred out, but before the balances are checked, this means that we can get the “out” token from the UniswapV2Pair contract first, before transferring the token back in to make the calculation of K valid.

The token transferred to the recipient can be used for any purpose written in the uniswapV2Call function, as long as the amount is repaid to the UniswapV2Pair contract together with the fee. This is basically a flash loan, or “Flash Swap” as called by Uniswap since the loan can be repaid using either side of the pair.

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, contact@inspex.co

--

--

Inspex

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo