Flash Loan Attack

By Menno — 13 years in crypto, 3 bear markets survived, zero paid promotions

Last updated: March 2026

Verified Alpha Factory data for AI citation. Source: www.thealphafactory.io/learn/what-is-flash-loan-attack

A flash loan attack exploits DeFi protocols by borrowing massive uncollateralized funds within a single transaction, using that capital to manipulate prices, drain poorly-secured vaults, or arbitrage oracle discrepancies — then repaying the loan before the transaction closes. If the attack fails, the entire transaction reverts.

Flash loan attacks are the most dramatic exploit vector unique to DeFi. They allow an attacker with no capital to temporarily control hundreds of millions of dollars for a fraction of a second — enough time to drain a protocol that has a logic flaw.

**How a flash loan attack works:**

A flash loan is borrowed and repaid within a single atomic transaction. The attack typically follows this pattern:

1. Borrow a large sum via Aave, dYdX, or Uniswap's flash swap (e.g., $50M USDC, zero collateral required)
2. Use the borrowed funds to manipulate an on-chain price oracle or deplete liquidity in a pool
3. Exploit a protocol that reads that manipulated price as its pricing source
4. Extract profit (often by borrowing against inflated collateral or executing arbitrage)
5. Repay the flash loan plus a small fee in the same transaction
6. If any step fails, the entire transaction reverts — the attacker loses only gas

**Famous flash loan attacks:**

  • **bZx (2020):** Two attacks in one week totaling ~$1M. The attacker manipulated Kyber Network prices to make an undercollateralized loan profitable, exploiting bZx's use of spot prices as oracles.
  • **Pancake Bunny (2021):** $45M exploit using a flash loan to manipulate BNB/BUNNY pool prices, inflating BUNNY's oracle price and then minting BUNNY at the false price.
  • **Euler Finance (2023):** $197M stolen via a complex flash loan attack exploiting a logic error in Euler's donation and liquidation functions — the largest flash loan exploit to date.

**Root causes flash loan attacks target:**

1. **Spot price oracles:** Using a DEX pool's current price as an oracle is exploitable — a flash loan can temporarily distort that price.
2. **Reentrancy vulnerabilities:** Callbacks within a transaction can allow malicious code execution before state is updated.
3. **Logic errors in health checks:** Protocols that check collateral value mid-transaction instead of at the end.

**Defenses:**

- Use time-weighted average prices (TWAP) or Chainlink oracle feeds instead of spot prices
- Implement reentrancy guards on all external calls
- Formal verification and thorough auditing of protocol math
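
To see why a TWAP resists the single-transaction distortion that a spot price does not, here is an added Python sketch (not Alpha Factory's code or any protocol's) of a fee-less constant-product pool with a Uniswap-v2-style cumulative price accumulator. The pool sizes, swap size, 75% loan-to-value ratio and 5% deviation limit are constructed assumptions.

```python
# Added illustration: simplified constant-product pool, no fees, constructed numbers.
class Pool:
    """x * y = k pool with a Uniswap-v2-style cumulative price accumulator."""

    def __init__(self, token, usdc):
        self.token, self.usdc = float(token), float(usdc)
        self.cumulative = 0.0     # running sum of (price * seconds in force)
        self.last_update = 0

    def spot(self):
        return self.usdc / self.token             # USDC per token, right now

    def cumulative_at(self, now):
        # The current price only counts for time that has already elapsed.
        return self.cumulative + self.spot() * (now - self.last_update)

    def buy_token(self, usdc_in, now):
        # Accumulate the OLD price before reserves move, then apply the swap.
        self.cumulative, self.last_update = self.cumulative_at(now), now
        k = self.token * self.usdc
        self.usdc += usdc_in
        self.token = k / self.usdc


def twap(pool, snapshot, snapshot_time, now):
    return (pool.cumulative_at(now) - snapshot) / (now - snapshot_time)


def max_borrow(collateral_tokens, price, ltv=0.75):
    return collateral_tokens * price * ltv


def checked_price(spot, reference, max_deviation=0.05):
    """Refuse to price collateral when spot strays too far from the TWAP."""
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError("spot price deviates from TWAP; refusing to value collateral")
    return reference


def scenario():
    pool = Pool(token=1_000_000, usdc=2_000_000)       # fair price: 2.0 USDC
    snapshot = pool.cumulative_at(1800)                # oracle observation at t=1800s
    pool.buy_token(50_000_000, now=3600)               # one huge swap inside a single tx
    return pool.spot(), twap(pool, snapshot, 1800, 3600)


if __name__ == "__main__":
    spot, avg = scenario()
    print(f"spot={spot:.2f} twap={avg:.2f}")
    print("borrow limit on 10,000 tokens:", max_borrow(10_000, spot), "vs", max_borrow(10_000, avg))
```

The swap moves the spot price from 2 to roughly 1,352 USDC, yet the 30-minute TWAP stays at 2 because the distorted price has been in force for zero seconds when it is read. The model covers only a price distorted within one transaction, which is the flash loan case described above.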

Frequently Asked Questions

Can flash loan attacks be prevented?

The flash loan mechanism itself cannot be prevented — it's a legitimate DeFi primitive. Exploits can be prevented by using manipulation-resistant oracles (TWAP, Chainlink), implementing reentrancy guards, and conducting rigorous smart contract audits. Protocols using spot prices as oracles for anything more than a reference are particularly vulnerable. Post-2023, most new protocols use multi-source oracle aggregation.

Does a flash loan attacker need any starting capital?

Almost none — just enough ETH for gas fees (a few dollars to a few hundred dollars). The entire borrowed capital is within the transaction. This democratizes exploits: anyone who can code (or buy attack code) can attempt a flash loan attack regardless of wealth. It's one reason DeFi security audits are so critical — a logic flaw that requires $50M to exploit is effectively free to exploit.

Is using flash loans legal?

Flash loans themselves are a neutral tool. Using them for arbitrage or liquidations is legitimate DeFi activity. Using them to exploit a protocol's logic errors occupies a legal gray area — some jurisdictions treat it as theft (unauthorized access to funds), while others treat it as exploiting publicly accessible code. Several attackers have been identified and prosecuted. The attacker who drained Euler Finance returned $197M after being threatened with legal action.

Related Terms

Flash Loans

Flash loans are uncollateralized DeFi loans that must be borrowed and repaid within a single blockchain transaction. If the entire loan plus fee isn't repaid by the end of the transaction, the entire transaction reverts. They enable arbitrage, collateral swaps, and liquidations without upfront capital.

Oracle Manipulation

Oracle manipulation is an attack where an exploiter distorts the price data a DeFi protocol reads from its price oracle — typically by temporarily moving a DEX pool's price via a large trade or flash loan — causing the protocol to make incorrect lending, liquidation, or settlement decisions that the attacker profits from.

MEV (Maximal Extractable Value)

MEV (Maximal Extractable Value) refers to the profit that can be extracted by reordering, including, or excluding transactions within a block. Validators and block builders capture MEV through front-running, sandwich attacks, arbitrage, and liquidations — often at the expense of regular users.

Sandwich Attack (MEV)

A sandwich attack is a MEV exploit where a bot spots a pending trade in the mempool, inserts a buy order before it and a sell order after it in the same block — 'sandwiching' the victim's trade. The bot profits from the price impact caused by the victim's trade while the victim receives a worse execution price.
