What is a Flash Loan Attack?
A flash loan attack uses uncollateralized flash loans to execute exploits that require massive capital to be profitable. Flash loans provide any amount of capital within a single transaction, enabling attackers to manipulate markets, exploit vulnerabilities, and extract value in ways that would otherwise require billions in capital. The loan must be repaid within the same transaction.
How it Works
Flash loans remove the capital barrier for attacks. Attackers borrow millions or billions, execute their exploit, and repay the loan with interest, all atomically.
The typical flash loan attack pattern includes:
- Borrow: Take a massive flash loan (often $100M+)
- Manipulate: Use borrowed funds to manipulate prices or states
- Exploit: Trigger the vulnerable protocol at manipulated conditions
- Extract: Profit from the manipulation
- Repay: Return the flash loan with fees
- Profit: Keep the difference as profit
If any step fails, the entire transaction reverts, making attacks risk-free for attackers.
Practical Example
The bZx attacks in 2020 pioneered flash loan exploitation. Attackers borrowed from Aave, manipulated prices on Uniswap, exploited bZx's vulnerable oracle, and profited over $1 million. The Euler Finance attack in 2023 used flash loans to amplify a reentrancy-style vulnerability, extracting $197 million. Cream Finance was exploited multiple times through flash loan-enabled oracle manipulation.
Why it Matters
Flash loans democratized attacks that previously required massive capital. Any vulnerability exploitable with enough money is now exploitable by anyone. This changes the security model for all DeFi protocols, requiring them to assume attackers have unlimited capital within a single transaction.
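What that assumption means for oracle design, as an added example that is not from the original page or from any protocol it names: a constant-product pool is read through its spot price and through a time-weighted average (TWAP) while a very large swap is made and unwound inside one transaction. The `Pool` class, `within_band`, `simulate` and all figures are constructed for illustration, and swap fees are ignored.

```python
# Added illustration with constructed numbers; swap fees are ignored.
class Pool:
    """Constant-product pool (token * usd = k) with a TWAP accumulator."""
    def __init__(self, token, usd):
        self.token, self.usd = float(token), float(usd)
        self.cumulative = 0.0  # sum of price * seconds
        self.elapsed = 0       # seconds covered by the accumulator

    def spot(self):
        return self.usd / self.token

    def twap(self):
        return self.cumulative / self.elapsed

    def advance(self, seconds):
        # Called between blocks only: time does not pass inside a transaction.
        self.cumulative += self.spot() * seconds
        self.elapsed += seconds

    def swap_usd_in(self, usd_in):
        k = self.token * self.usd
        self.usd += usd_in
        out = self.token - k / self.usd
        self.token -= out
        return out

    def swap_token_in(self, token_in):
        k = self.token * self.usd
        self.token += token_in
        out = self.usd - k / self.token
        self.usd -= out
        return out

def within_band(spot, twap, max_dev=0.05):
    """Defensive check: refuse to price anything while spot strays from TWAP."""
    return abs(spot - twap) <= max_dev * twap

def simulate():
    pool = Pool(token=10_000, usd=10_000_000)   # spot price 1000
    for _ in range(30):                         # 30 quiet blocks of 12 s each
        pool.advance(12)
    before = pool.spot()
    bought = pool.swap_usd_in(90_000_000)       # borrowed capital, one transaction
    during_spot, during_twap = pool.spot(), pool.twap()
    pool.swap_token_in(bought)                  # unwound before the loan is repaid
    return {"before": before, "spot": during_spot, "twap": during_twap,
            "after": pool.spot(), "accepted": within_band(during_spot, during_twap)}

if __name__ == "__main__":
    print(simulate())
```

The spot reading moves a hundredfold inside the transaction while the TWAP does not move at all, because no time elapses between the swap and its reversal. A TWAP only addresses single-transaction swings; a price held away from fair value across many blocks still shifts the average.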
Fensory evaluates protocol resilience to flash loan attacks by analyzing oracle designs, reentrancy protections, and economic safeguards that defend against capital-amplified exploits.