Flash Loan Using UniswapV2-Based AMMs
What is Flash Loan?
In the early days without flash loan, if a user wants a loan, collateral must be provided to the lending platform in order to borrow some assets. The user needs to repay the loan together with an interest to get the collateral back.
Flash loan is a method of lending that allows users to borrow an enormous amount of assets with no required collateral. The only condition is that the borrowed asset must be returned within the same transaction of the lending, otherwise, the transaction will be reverted.
With this service, the user can utilize the borrowed asset for several purposes, including, but not limited to arbitrage, liquidation, or collateral swap. However, this kind of loan can be a double-edged sword for the DeFi ecosystem. This is because other than legitimate purposes, a large number of smart contract attacks as of late are also done using flash loans. Due to the availability of funds without any collateral needed, it has become one of the most impactful techniques used in smart contract attacks, and it is getting more prevalent. These loans can be taken from lending platforms such as Aave or dYdX, and interestingly, AMM platforms that are based on UniswapV2.
Performing a Swap on UniswapV2
Generally, in the order to perform a swap on UniswapV2, two main contracts are used:
When a user performs swapping on the web UI, they are executing the swapping helper function of
Peripheral smart contracts for interacting with Uniswap V2 - Uniswap/uniswap-v2-periphery
UniswapV2Router is a helper contract that helps with calculating the “out” token amount that the user would get back, checking the price slippage, transferring the “in” token to the
UniswapV2Pair, and executing the actual
swap function in
🎛 Core smart contracts of Uniswap V2. Contribute to Uniswap/uniswap-v2-core development by creating an account on…
swap function is the core function responsible for the actual token swapping. With the “in” amount transferred to the
UniswapV2Pair contract, this function transfers the “out” token amount to the recipient’s address, then calculates the balances of the token pair, making sure that no token is missing, and the fee is collected.
Performing a Flash Loan
As can be seen in the
swap function, we don’t actually need to perform the swapping through the
UniswapV2Router contract. The only requirement is to transfer an amount of token to the contract and make sure that the calculation of
K from the balances at the end of the function execution is valid.
Typically, from the flow of the execution, we need to transfer our token to the
UniswapV2Pair contract before calling the
swap function. However, there is a “special feature” in the
swap function that allows external contract calling on line 172:
if (data.length > 0) IUniswapV2Callee(to).uniswapV2Call(msg.sender, amount0Out, amount1Out, data);
This line of code checks the existence of value in the
data variable and calls the
uniswapV2Call function of the recipient address
to. This is done after the “out” token has been transferred out, but before the balances are checked, this means that we can get the “out” token from the
UniswapV2Pair contract first, before transferring the token back in to make the calculation of
The token transferred to the recipient can be used for any purpose written in the
uniswapV2Call function, as long as the amount is repaid to the
UniswapV2Pair contract together with the fee. This is basically a flash loan, or “Flash Swap” as called by Uniswap since the loan can be repaid using either side of the pair.
Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.