Flash Loan Attack
A flash loan attack exploits uncollateralized flash loans in DeFi to manipulate prices or drain funds within a single blockchain transaction that must repay the loan or revert.
What Is a Flash Loan Attack?
A flash loan attack is an exploit in decentralized finance (DeFi) that uses uncollateralized flash loans to manipulate prices, drain liquidity pools, or steal funds. Flash loans let anyone borrow very large sums with no collateral, on the condition that principal plus fee is returned before the same transaction ends. If repayment does not happen, the transaction reverts and every state change it made is undone, so the lender is never exposed.
Attackers run the whole sequence as one atomic transaction. They borrow a flash loan from a protocol such as Aave or dYdX, then use the funds to skew a price that another protocol trusts or to exploit an imbalance in its accounting. For example, an attacker borrows millions in ETH, swaps it on a decentralized exchange (DEX) to pump a token's price, then borrows from or withdraws out of another protocol that values that token at the inflated price. Finally, they repay the loan out of the proceeds. If any step fails, the entire transaction reverts and the attacker is out only the gas fee, which makes failed attempts nearly free to try.
Flash loan attacks matter because they remove the capital barrier: any pricing or governance logic that trusts state an attacker can move within a single transaction becomes exploitable by someone with no funds of their own. The flash loan itself is not the vulnerability; it is amplification for a flaw that was already there. DeFi lacks traditional safeguards like credit checks. These exploits have caused well over $300 million in losses, including the 2020 bZx attack and the 2022 Beanstalk hack. They underscore risks in oracle data and liquidity provision.
Key characteristics include:
- Atomicity: Succeeds or fails entirely within one transaction.
- No upfront capital: Attackers risk only gas fees.
- Common types: oracle manipulation, sandwich attacks, pool drainage.
Protocols counter with time-weighted average price (TWAP) oracles instead of raw spot reserves, voting-power snapshots and timelocks in governance, circuit breakers, and rigorous audits.
Real-World Examples
Example 1: bZx Attack (2020)
In February 2020, an attacker took a 10,000 ETH flash loan from dYdX, posted part of it as collateral on Compound to borrow 112 WBTC, and used another part to open a heavily leveraged short on bZx that was filled through Kyber into Uniswap's thin WBTC/ETH pool, pushing the WBTC price far above market. They then sold the borrowed WBTC into that inflated price, repaid dYdX, and kept roughly $350,000 (about 1,200 ETH), while bZx was left holding an underwater position.
- Borrow flash loan.
- Swap through a thin pool to skew the price the protocol relies on.
- Sell into the manipulated price and profit before repaying.
Example 2: Beanstalk Farms Hack (2022)
Attackers exploited Beanstalk's governance with a flash loan. The attacker first submitted a malicious proposal and waited out its 24-hour delay. Then, in a single transaction, they took flash loans worth roughly $1 billion (mostly DAI, USDC and USDT from Aave), deposited the funds into Beanstalk to obtain more than two thirds of the voting power, executed the proposal through an emergency-commit path that required a supermajority but measured voting power at execution time, drained about $182 million of protocol assets, and repaid the loans. After loan fees and swap costs the attacker netted roughly $76 million.
- Borrow to gain voting power.
- Execute governance exploit.
- Steal funds atomically.
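The pattern behind this attack and its standard mitigation, as an added simulation written for this page (not Beanstalk's contract code): a token-weighted governance contract whose proposal executes once the caller holds a two-thirds supermajority, checked either against live balances at execution time or against a snapshot of balances taken when the proposal was created, which is how Compound-style governor contracts count votes. The holder names, balances, treasury size and threshold are constructed.

```python
"""Flash-loan governance attack simulation (added example, not Beanstalk's code).

Token-weighted governance in which a proposal executes once the caller holds a
two-thirds supermajority. Compares measuring voting power at execution time
(exploitable with flash-borrowed tokens) against a snapshot of balances taken
when the proposal was created. All balances are constructed for illustration.
"""
import copy
from dataclasses import dataclass, field


class Revert(Exception):
    """Models an EVM revert: the whole transaction's state changes are discarded."""


@dataclass
class Governance:
    balances: dict                 # governance-token holder -> balance (constructed)
    treasury: int                  # USDC controlled by governance
    snapshot_votes: bool           # the mitigation under test
    supermajority_bps: int = 6667  # two thirds of total supply
    proposals: dict = field(default_factory=dict)

    def propose(self, pid: str, recipient: str) -> None:
        # With the mitigation on, voting weights are frozen at proposal time, so
        # tokens acquired later (for example by flash loan) carry no weight.
        self.proposals[pid] = {
            "recipient": recipient,
            "weights": dict(self.balances) if self.snapshot_votes else None,
        }

    def execute(self, pid: str, voter: str) -> int:
        prop = self.proposals[pid]
        weights = prop["weights"] if prop["weights"] is not None else self.balances
        power, supply = weights.get(voter, 0), sum(weights.values())
        if power * 10_000 < supply * self.supermajority_bps:
            raise Revert("insufficient voting power")
        drained, self.treasury = self.treasury, 0   # malicious payload: send treasury away
        return drained


def attack_tx(gov: Governance, attacker: str, lender: str, borrow: int) -> int:
    """Everything the attacker does inside one transaction."""
    gov.balances[lender] -= borrow                            # 1. flash-borrow governance tokens
    gov.balances[attacker] = gov.balances.get(attacker, 0) + borrow
    stolen = gov.execute("drain", attacker)                   # 2. execute with borrowed weight
    gov.balances[attacker] -= borrow                          # 3. repay the flash loan
    gov.balances[lender] += borrow
    return stolen


def run_attack(snapshot_votes: bool):
    """Returns (state_after, stolen, error). On Revert the pre-transaction state
    is returned untouched, as the EVM discards a reverted transaction's writes."""
    gov = Governance(
        balances={"community": 700_000, "lending_pool": 2_000_000},  # constructed
        treasury=100_000_000,
        snapshot_votes=snapshot_votes,
    )
    gov.propose("drain", "attacker")   # the attacker holds no tokens at this point
    working = copy.deepcopy(gov)
    try:
        return working, attack_tx(working, "attacker", "lending_pool", 2_000_000), None
    except Revert as exc:
        return gov, None, str(exc)


if __name__ == "__main__":
    after, stolen, err = run_attack(snapshot_votes=False)
    print(f"execution-time voting power: stolen {stolen:,}, treasury left {after.treasury:,}")
    after, stolen, err = run_attack(snapshot_votes=True)
    print(f"snapshot voting power: reverted ({err}), treasury left {after.treasury:,}")
```

With execution-time weights the flash-borrowed 2,000,000 tokens are about 74% of supply, the proposal executes, the treasury is emptied and the loan is still repaid in the same transaction. With snapshot weights the attacker had zero balance when the proposal was created, the supermajority check fails, and the whole transaction reverts, leaving balances and treasury exactly as they were. A snapshot is the necessary fix; a timelock between vote and execution on top of it gives honest holders time to react to a proposal that did pass.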
Example 3: Hypothetical Oracle Manipulation
An attacker launches a flash loan attack against a lending protocol that prices TOKEN from a DEX's spot reserves. They borrow $10 million USDC from Aave, swap it for TOKEN on Uniswap so that the pool's reserve ratio shows an inflated price, borrow far more USDC than the TOKEN is really worth from the lending pool, then repay the flash loan before the transaction ends and keep the difference.
- Pump price with borrowed funds.
- Exploit lending protocol.
- Revert if unsuccessful.
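The hypothetical above, together with the TWAP countermeasure listed under key characteristics, as an added simulation written for this page (not code from Aave, Uniswap or any lending protocol). It models a constant-product pool with integer math, a lending pool that values TOKEN collateral at 75% loan-to-value from either the pool's spot reserves or a ten-block time-weighted average, and the attack as one atomic transaction whose writes are discarded on revert. Pool sizes, the flash-loan amount and the 0.09% flash-loan fee are constructed.

```python
"""Flash-loan oracle-manipulation simulation (added example, not protocol code).

Models a Uniswap-v2-style constant-product pool, a lending pool that values
TOKEN collateral from either the pool's spot reserves or a TWAP, and one
atomic attack transaction. All amounts are constructed for illustration.
"""
import copy
from dataclasses import dataclass, field

SCALE = 10**18        # fixed-point scale for prices, as Solidity code would use
FLASH_FEE_BPS = 9     # hypothetical 0.09% flash-loan fee


class Revert(Exception):
    """Models an EVM revert: every state change in the transaction is discarded."""


@dataclass
class ConstantProductPool:
    """x*y=k pool holding USDC and TOKEN with a 0.3% swap fee, integer math."""
    usdc: int
    token: int

    def spot_price(self) -> int:
        """TOKEN price in USDC (scaled), read straight from current reserves."""
        return self.usdc * SCALE // self.token

    def swap_usdc_for_token(self, usdc_in: int) -> int:
        amount_in = usdc_in * 997 // 1000
        token_out = self.token * amount_in // (self.usdc + amount_in)
        self.usdc += usdc_in
        self.token -= token_out
        return token_out


@dataclass
class TwapOracle:
    """Samples the pool's spot price once per block and averages the last
    `window` samples. Simplified from Uniswap v2's cumulative accumulator, but
    with the property that matters: a swap inside the current transaction
    cannot move the reported price, since no sample is taken until the next block."""
    pool: ConstantProductPool
    window: int = 10
    samples: list = field(default_factory=list)

    def new_block(self) -> None:
        self.samples.append(self.pool.spot_price())

    def price(self) -> int:
        recent = self.samples[-self.window:]
        if not recent:
            raise Revert("oracle has no observations")
        return sum(recent) // len(recent)


@dataclass
class LendingPool:
    """Lends USDC against TOKEN collateral at 75% loan-to-value."""
    usdc: int
    ltv_bps: int = 7500

    def borrow(self, collateral: int, price: int) -> int:
        loan = collateral * price // SCALE * self.ltv_bps // 10_000
        if loan > self.usdc:
            raise Revert("insufficient liquidity")
        self.usdc -= loan
        return loan


@dataclass
class World:
    dex: ConstantProductPool
    lender: LendingPool
    oracle: TwapOracle


def execute_transaction(state: World, tx):
    """Run tx on a copy of state; commit the copy on success, return the untouched
    original on Revert, as the EVM discards a reverted transaction's writes."""
    working = copy.deepcopy(state)   # deepcopy keeps oracle.pool pointing at the copied dex
    try:
        return working, tx(working), None
    except Revert as exc:
        return state, None, str(exc)


def attack_tx(world: World, flash_amount: int, use_twap: bool) -> int:
    """The attacker's contract logic, all inside one transaction."""
    token = world.dex.swap_usdc_for_token(flash_amount)   # 1. dump borrowed USDC, pumping TOKEN
    price = world.oracle.price() if use_twap else world.dex.spot_price()
    loan = world.lender.borrow(token, price)               # 2. borrow against the pumped collateral
    owed = flash_amount + flash_amount * FLASH_FEE_BPS // 10_000
    if loan < owed:                                        # 3. repay, or the whole thing reverts
        raise Revert("cannot repay flash loan")
    return loan - owed    # profit in USDC; the TOKEN collateral is simply abandoned


def build_world() -> World:
    dex = ConstantProductPool(usdc=10_000_000, token=10_000_000)   # TOKEN trades at 1 USDC
    oracle = TwapOracle(dex)
    for _ in range(10):                                             # ten quiet blocks of history
        oracle.new_block()
    return World(dex, LendingPool(usdc=20_000_000), oracle)


def run_attack(use_twap: bool, flash_amount: int = 10_000_000):
    return execute_transaction(build_world(), lambda w: attack_tx(w, flash_amount, use_twap))


if __name__ == "__main__":
    after, profit, err = run_attack(use_twap=False)
    print(f"spot oracle: attacker profit {profit:,} USDC, lender left with {after.lender.usdc:,}")
    after, profit, err = run_attack(use_twap=True)
    print(f"TWAP oracle: reverted ({err}); lender still has {after.lender.usdc:,}")
```

With the spot oracle a single 10 million USDC swap roughly quadruples the reserve-ratio price, the lender hands out about 15 million USDC against collateral worth under 5 million at the real price, and the attacker nets about 4.95 million after the flash-loan fee. With the TWAP the same transaction cannot cover its loan, reverts, and leaves every balance unchanged. A TWAP defeats single-transaction manipulation, not manipulation in general: an attacker with real capital who holds a thin pool at a skewed price across several blocks still moves the average, so the window and the pool's depth both matter.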