Flash Loan Attacks

Flash loans are uncollateralized loans that exist only within a single blockchain transaction — the borrower receives funds at the start of the transaction and must repay them (plus a fee) by the end, or the entire transaction reverts. Flash loans are legitimate DeFi primitives (arbitrage, collateral swaps, self-liquidation) but have been weaponized in flash loan attacks: exploits using borrowed millions to manipulate prices, drain liquidity, or exploit vulnerable protocol logic in a single atomic transaction with zero initial capital. The attacker risks nothing — if the exploit fails, the entire transaction (including the loan) reverts. Flash loan attacks don’t create new vulnerabilities; they amplify existing vulnerabilities (oracle weaknesses, logic errors, price manipulation susceptibility) by giving any attacker access to tens of millions of dollars in capital for the duration of one block. Major flash loan attacks include: bZx (~$954K, 2020), Harvest Finance (~$34M, 2020), PancakeBunny (~$45M, 2021), and many others totaling billions in losses.


How It Works

Standard flash loan attack flow:

  1. Borrow: Attacker borrows $100M from Aave/dYdX via flash loan (single transaction)
  2. Manipulate: Uses borrowed capital to manipulate a spot DEX price or exploit protocol logic
  3. Exploit: Executes the vulnerable action against the target protocol (drain, mint, etc.)
  4. Restore: Optionally restores manipulated prices (pockets the difference)
  5. Repay: Returns $100M + fee to flash loan provider
  6. Net gain: Attacker profits; vulnerable protocol drained

Key property: atomicity — steps 1-5 all happen in a single transaction. If any step fails, everything reverts. This means: zero collateral required, zero counterparty risk for lender, and no economic risk for attacker beyond gas costs.


Common Attack Vectors

| Vector | Mechanism | Example |
|---|---|---|
| Oracle manipulation | Buy asset on thinly-traded DEX → spot price spikes → exploit protocol that reads this price | bZx, Harvest Finance |
| Price impact exploit | Flash loan to LP → mint protocol tokens at inflated rate → drain | PancakeBunny |
| Liquidation manipulation | Suppress collateral price → self-liquidate or trigger profitable liquidations | Multiple protocols |
| Governance attack | Flash borrow governance tokens → vote on malicious proposal → repay | Attempted on Maker, Compound |

History

  • 2020 (Feb): bZx flash loan attack — $954K stolen via oracle manipulation in two transactions; first high-profile flash loan exploit
  • 2020 (Oct): Harvest Finance — $34M; flash loan used to manipulate Curve stablecoin pool price, exploit Harvest’s price-sensitive yield strategy
  • 2020 (Nov): Cheese Bank — $3.3M; flash loan + price oracle manipulation
  • 2021 (May): PancakeBunny — $45M BUNNY minted via flash loan + WBNB price manipulation
  • 2022: Multiple flash loan attack incidents continue despite 2+ years of awareness
  • 2023-2024: Flash loan attacks ongoing — evolving tactics against newer DeFi protocols

Common Misconceptions

“Flash loans are the vulnerability — banning them would stop these attacks.”

Flash loans don’t create vulnerabilities; they eliminate the capital barrier to exploiting existing ones. If a protocol is vulnerable to price oracle manipulation, a well-funded attacker could do the same without flash loans. Flash loans make attacks accessible to anyone, but the underlying fault is the vulnerable protocol design, not the flash loan mechanism.

“TWAP oracles prevent flash loan attacks.”

Time-weighted average price (TWAP) oracles are highly resistant to flash loan manipulation — manipulating a TWAP requires sustaining a manipulated price over multiple blocks, which is economically costly and requires sustained capital. However, TWAPs are not immune to longer-duration manipulation and come with tradeoffs (latency). Chainlink and other off-chain oracles are even harder to manipulate.
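
The difference between a spot read and a TWAP read, as an added simulation (not code from any protocol named on this page): a fee-less constant-product pool with a cumulative-price accumulator. The reserves, the 12-second block time, the 10-block window and all names are assumptions constructed for the example.

```python
from fractions import Fraction

BLOCK_SECONDS = 12  # assumed block time


class Pool:
    """Fee-less x*y=k pool that accumulates price * elapsed seconds."""

    def __init__(self, tokens, usd):
        self.tokens, self.usd = Fraction(tokens), Fraction(usd)
        self.cumulative, self.last_ts = Fraction(0), 0

    def spot(self):
        return self.usd / self.tokens

    def sync(self, ts):
        # Weight the price in effect since the last update by the time it lasted.
        self.cumulative += self.spot() * (ts - self.last_ts)
        self.last_ts = ts

    def swap(self, ts, usd_in=0, tokens_in=0):
        self.sync(ts)
        k = self.tokens * self.usd
        if usd_in:
            self.usd += usd_in
            self.tokens = k / self.usd
        else:
            self.tokens += tokens_in
            self.usd = k / self.tokens


def twap(pool, start_cumulative, start_ts, now):
    pool.sync(now)
    return (pool.cumulative - start_cumulative) / (now - start_ts)


def simulate(hold_blocks):
    """Return (spot price while the reserves are skewed, TWAP over 10 blocks).

    hold_blocks=0 models a flash loan: skew and unwind share one timestamp.
    """
    pool = Pool(1_000, 1_000_000)           # constructed reserves, spot = 1000 USD
    window = 10 * BLOCK_SECONDS
    t_skew = window - hold_blocks * BLOCK_SECONDS
    pool.swap(t_skew, usd_in=9_000_000)     # large buy skews the reserves
    spot_seen = pool.spot()                 # what a spot-price reader would use
    pool.swap(t_skew + hold_blocks * BLOCK_SECONDS, tokens_in=900)  # unwind
    return spot_seen, twap(pool, 0, 0, window)
```

With `hold_blocks=0` the skewed price carries zero time weight, so the TWAP stays at the pre-trade price while the spot read is off by 100x; with `hold_blocks=1` the TWAP moves, which is the longer-duration case the paragraph above warns about and one a same-transaction loan cannot fund.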


Criticisms

  • Amplifier of existing flaws: Flash loans repeatedly demonstrated that protocols believed to be secure at “realistic” capital levels were insecure — showing developers under-estimated sophisticated attacker capabilities
  • DeFi composability risk: The same composability that makes DeFi powerful (instant transfers between protocols) enables flash loans to chain multiple protocol interactions into a single exploitable transaction
  • MEV and arbitrage legitimacy: Legitimate flash loan use (arbitrage, collateral swaps) is economically beneficial; the dual-use nature makes blanket restrictions harmful to DeFi’s utility

Social Media Sentiment

Flash loan attacks generate explosive community discussion with each incident — the “zero capital needed” concept is counterintuitive and alarming. Legitimate uses are often overlooked in the panic following an exploit. Developer community sentiment: flash loans are a known risk that requires TWAP oracles, circuit breakers, and conservative protocol design. Overall: mature understanding in security community; still shocking to newcomers.


Last updated: 2026-04
