Flash Loan Attacks in Decentralised Finance (DeFi)
- Bitcoinsguide.org

- Dec 18, 2025
- 3 min read
Key Insights
Flash loans are uncollateralised loans executed and repaid within a single blockchain transaction.
Flash loan attacks exploit economic and technical weaknesses in DeFi protocols using temporary, near-unlimited capital.
Most attacks rely on oracle manipulation, governance abuse, or liquidity draining.
Losses from flash loan–enabled exploits exceed $750 million, affecting some of the largest DeFi platforms.
Defensive techniques exist, but no solution fully eliminates the risk.

Introduction
Decentralised Finance (DeFi) aims to recreate traditional financial services—such as lending, borrowing, and trading—using smart contracts instead of intermediaries.
One of DeFi’s most powerful innovations is the flash loan: an uncollateralised loan that must be borrowed and repaid within the same transaction.
Flash loans improve capital efficiency and enable advanced strategies like arbitrage and liquidation.
However, they also give attackers access to massive temporary liquidity, allowing them to manipulate markets and protocols at scale.
In a flash loan attack, the attacker extracts more value than the small borrowing fee by exploiting flaws in protocol design.
How Flash Loans Work
Flash loans rely on transaction atomicity. Either:
all actions in a transaction succeed, including repayment, or
the entire transaction is reverted and none of its state changes persist.
The lending contract hands out the funds, calls back into the borrower's contract, and then checks that principal plus fee are back in the pool before the call returns; if the check fails, the whole transaction reverts. Because repayment is enforced at the protocol level, no collateral is required.
Borrowers typically pay a small fee (e.g. ~0.09% of the principal), making flash loans extremely capital-efficient.
This same property lets attackers run complex, multi-step manipulation strategies with no capital of their own and no long-term financial exposure.
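The borrow, execute, repay cycle described above, as an added example (not code from Bitcoinsguide.org or any real lending protocol): a Python simulation of a flash-loan pool that lends with no collateral, runs the borrower's callback, and rolls the whole ledger back if principal plus fee are not returned. The account names, balances and the 0.09% fee are constructed for the simulation; the profit-making "arbitrage" is a stand-in transfer, not a real DEX trade.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict

FEE_BPS = 9  # 0.09 %, the example fee quoted above (assumed for the simulation)


class Revert(Exception):
    """Models an EVM revert: every state change made in the transaction is discarded."""


@dataclass
class Ledger:
    """Minimal ERC-20-style balance sheet for one token (constructed sample state)."""
    balances: Dict[str, float] = field(default_factory=dict)

    def balance(self, who: str) -> float:
        return self.balances.get(who, 0.0)

    def transfer(self, src: str, dst: str, amount: float) -> None:
        if self.balance(src) < amount:
            raise Revert(f"{src}: insufficient balance")
        self.balances[src] = self.balance(src) - amount
        self.balances[dst] = self.balance(dst) + amount


def flash_loan(ledger: Ledger, pool: str, borrower: str, amount: float,
               callback: Callable[[Ledger, float, float], None]) -> float:
    """Lend `amount` from `pool` to `borrower` for the duration of `callback`.

    `callback(ledger, amount, fee)` stands in for the borrower's contract code
    (Aave calls this executeOperation). The loan is atomic: if the callback raises,
    or the pool does not hold principal + fee afterwards, the ledger is restored to
    its pre-call snapshot. Returns the fee the pool earned.
    """
    fee = amount * FEE_BPS / 10_000
    pool_before = ledger.balance(pool)
    snapshot = copy.deepcopy(ledger.balances)
    try:
        ledger.transfer(pool, borrower, amount)      # hand out the uncollateralised loan
        callback(ledger, amount, fee)                # borrower does whatever it wants
        if ledger.balance(pool) < pool_before + fee: # the only thing the pool checks
            raise Revert("flash loan not repaid")
        return fee
    except Exception:
        ledger.balances = snapshot                   # nothing the borrower did survives
        raise


def arbitrage_borrower(ledger: Ledger, amount: float, fee: float) -> None:
    """Constructed stand-in for 'buy cheap on DEX A, sell dear on DEX B': nets 1 %."""
    ledger.transfer("bot", "dex_a", amount)
    ledger.transfer("dex_b", "bot", amount * 1.01)
    ledger.transfer("bot", "pool", amount + fee)     # repay principal + fee


def absconding_borrower(ledger: Ledger, amount: float, fee: float) -> None:
    """Moves the loan to a cold wallet and never repays: the pool's check reverts it."""
    ledger.transfer("bot", "cold_wallet", amount)


def demo() -> dict:
    """Run one successful and one failed flash loan; return the resulting balances."""
    ledger = Ledger({"pool": 1_000_000.0, "dex_a": 0.0, "dex_b": 1_500_000.0, "bot": 0.0})
    fee_earned = flash_loan(ledger, "pool", "bot", 1_000_000.0, arbitrage_borrower)
    try:
        flash_loan(ledger, "pool", "bot", 1_000_000.0, absconding_borrower)
        reverted = False
    except Revert:
        reverted = True
    return {
        "fee_earned": fee_earned,
        "pool": ledger.balance("pool"),
        "bot": ledger.balance("bot"),
        "cold_wallet": ledger.balance("cold_wallet"),
        "second_call_reverted": reverted,
    }


if __name__ == "__main__":
    print(demo())
```

The pool never inspects what the borrower does in between; it only compares its own balance before and after. That is why the borrower needs no collateral, and also why the pool cannot distinguish an arbitrage bot from an attacker who uses the same million to manipulate a third protocol.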

Attack Incentives and Methods
The primary incentive behind flash loan attacks is simple: high upside with near-zero downside.
If an attempt fails to repay the loan, the whole transaction reverts and the attacker loses only the gas fee, so exploits can be attempted repeatedly at minimal cost.
Common Flash Loan Attack Vectors
1. Arbitrage Exploitation
Flash loans can amplify arbitrage between decentralised exchanges.
While arbitrage itself is not malicious, a single flash-funded trade can move a thin pool far from its fair price within one block, and the resulting slippage is paid by the liquidity providers and by anyone whose protocol reads that pool's price.
2. Price Oracle Manipulation
Attackers temporarily distort an on-chain price, typically the reserve ratio of a DEX pool, with a large trade, then exploit protocols that read that price for lending, borrowing, or liquidations while it is still skewed, all inside the same transaction.
3. Liquidity Drainage & Smart Contract Exploits
By borrowing large sums, attackers can:
drain liquidity pools
exploit re-entrancy bugs
abuse faulty accounting logic
trigger cascading failures across interconnected protocols
These attacks often combine multiple weaknesses into a single transaction.
Prominent Flash Loan Attack Cases
Several high-profile incidents illustrate the scale of the problem:
Euler Finance (2023): ~$197 million lost after a donation function that did not check account health let a flash-loan-funded position liquidate itself at a profit.
Cream Finance (2021): ~$130 million lost via token valuation manipulation.
bZx (2020): Two attacks in February 2020 exploiting reliance on a single DEX spot price as the oracle.
Across DeFi, 12 of the top 20 exploits by profit involved flash loans, highlighting how frequently they act as an attack multiplier rather than the root cause.
Emerging Defensive Techniques
DeFi protocols have responded with several mitigation strategies:
Transaction monitoring to detect abnormal price movements or liquidity shifts.
Oracle improvements, including time-weighted average prices (TWAP) and multi-oracle systems, so that a single in-transaction trade cannot move the price a protocol acts on.
Flash loan restrictions, such as refusing to value collateral or settle positions in the same block in which they were created, or limiting which contracts may interact with the protocol.
Auditing and contract hardening, including re-entrancy guards and invariant checks.
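The price-oracle manipulation vector described under attack vector 2, and the TWAP defence listed above, as one added example (not code from Bitcoinsguide.org or from any real protocol): a Python simulation of a constant-product DEX pool, a lending market that values ETH collateral through a pluggable oracle, and an attacker who flash-borrows USDC, pumps the pool, borrows against the inflated collateral and must repay within the same transaction. With a spot-price oracle the attack is profitable and leaves the market with bad debt; with a TWAP oracle that only averages prices observed in earlier blocks, the borrow is capped at the honest value, repayment is impossible and the whole transaction reverts. Reserve sizes, the 0.75 LTV, the 0.30% swap fee and the 0.09% flash-loan fee are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

FLASH_FEE_BPS = 9   # 0.09 % flash-loan fee, the example figure quoted above (assumed)
SWAP_FEE_BPS = 30   # 0.30 % AMM swap fee, Uniswap-v2 style (assumed)
LTV = 0.75          # loan-to-value ratio the lending market allows (assumed)


class Revert(Exception):
    """Models an EVM revert: the whole transaction, attack included, is undone."""


@dataclass
class ConstantProductPool:
    """x * y = k pool holding ETH and USDC. Reserve sizes are constructed sample numbers."""
    eth: float
    usdc: float

    def spot_price(self) -> float:
        """Instantaneous USDC-per-ETH price: exactly what a naive on-chain oracle reads."""
        return self.usdc / self.eth

    def buy_eth(self, usdc_in: float) -> float:
        """Swap USDC for ETH and return the ETH received (the fee stays in the pool)."""
        effective = usdc_in * (10_000 - SWAP_FEE_BPS) / 10_000
        eth_out = self.eth * effective / (self.usdc + effective)
        self.usdc += usdc_in
        self.eth -= eth_out
        return eth_out


class SpotOracle:
    """Vulnerable: reports the pool's current reserve ratio, which one trade can move."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def record_block(self) -> None:   # nothing to record, it always reads live state
        pass

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Hardened: averages the price recorded at the end of previous blocks, so a trade
    made inside the current transaction cannot change the value it reports."""
    def __init__(self, pool: ConstantProductPool, window: int = 10):
        self.pool = pool
        self.window = window
        self.observations: List[float] = []

    def record_block(self) -> None:
        self.observations = (self.observations + [self.pool.spot_price()])[-self.window:]

    def price(self) -> float:
        if not self.observations:
            raise Revert("oracle has no observations")
        return sum(self.observations) / len(self.observations)


@dataclass
class LendingMarket:
    """Lends USDC against ETH collateral valued by `oracle`."""
    oracle: object
    usdc_liquidity: float
    collateral_eth: float = 0.0
    debt_usdc: float = 0.0

    def max_borrow(self) -> float:
        return self.collateral_eth * self.oracle.price() * LTV - self.debt_usdc

    def deposit(self, eth: float) -> None:
        self.collateral_eth += eth

    def borrow(self, usdc: float) -> None:
        if usdc > self.max_borrow():
            raise Revert("undercollateralised")
        if usdc > self.usdc_liquidity:
            raise Revert("insufficient liquidity")
        self.usdc_liquidity -= usdc
        self.debt_usdc += usdc


def run_attack(oracle_cls, flash_amount: float = 1_000_000.0, swap_in: float = 150_000.0) -> dict:
    """One atomic transaction: flash-borrow USDC, pump ETH in the pool, post the bought ETH
    as collateral, borrow the maximum the oracle allows, walk away from that debt and repay
    the flash loan. Raises Revert when repayment is impossible, i.e. the attack fails."""
    pool = ConstantProductPool(eth=100.0, usdc=200_000.0)   # honest price: 2000 USDC/ETH
    honest_price = pool.spot_price()
    oracle = oracle_cls(pool)
    for _ in range(10):                 # earlier blocks: the TWAP fills at the honest price
        oracle.record_block()
    market = LendingMarket(oracle=oracle, usdc_liquidity=1_000_000.0)

    usdc = flash_amount                                      # 1. flash-borrow
    owed = flash_amount * (1 + FLASH_FEE_BPS / 10_000)
    eth = pool.buy_eth(swap_in)                               # 2. pump ETH's pool price
    usdc -= swap_in
    market.deposit(eth)                                       # 3. post ETH as collateral
    loan = market.max_borrow()                                # 4. borrow max at oracle price
    market.borrow(loan)
    usdc += loan
    if usdc < owed:                                           # 5. repay, or everything reverts
        raise Revert("flash loan not repaid: attack unprofitable, transaction undone")
    return {
        "profit": usdc - owed,                                # attacker's take after the fee
        "oracle_price": oracle.price(),                       # price the market believed
        "bad_debt": market.debt_usdc - market.collateral_eth * honest_price,
    }


def attack_outcome(oracle_cls) -> Optional[dict]:
    """Return the attack result, or None when the transaction reverts."""
    try:
        return run_attack(oracle_cls)
    except Revert:
        return None


if __name__ == "__main__":
    print("spot oracle:", attack_outcome(SpotOracle))
    print("TWAP oracle:", attack_outcome(TwapOracle))
```

A TWAP is not a complete fix: an attacker who can hold a pool at a skewed price across several blocks (cheaply, on a thin pool) still moves the average, which is why the multi-oracle and same-block restrictions listed above are used alongside it.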
Despite these measures, attackers continue to adapt. The open, composable nature of DeFi makes perfect security extremely difficult.

Conclusion
Flash loans are not inherently dangerous, but they dramatically increase the impact of design flaws in DeFi protocols.
By providing temporary access to massive liquidity, they enable sophisticated attacks that can drain millions in seconds.
While improved oracle designs, monitoring systems, and auditing standards reduce risk, no solution fully eliminates flash loan attacks.
Long-term DeFi security depends on better economic design, rigorous testing, and continuous protocol evolution.
Understanding flash loan attacks is essential for anyone interacting with DeFi—whether as a user, developer, or investor.
For a structured overview of all DeFi concepts, risks, and mechanisms discussed here, refer to our Guides hub, where each topic is covered in depth and logically connected.