An economic attack in DeFi is an exploit in which the attacker neither breaks the cryptographic security of a blockchain nor finds a code bug in a smart contract. Instead, the attacker abuses the protocol’s own economic logic — its incentive structures, price oracle dependencies, tokenomics, or governance mechanisms — using large amounts of capital (often flash-loaned) to create artificial market conditions that let them extract far more value than they put in. They play by the rules of the game while exploiting a flaw in the game’s design rather than cheating at the code level. Economic attacks highlight that DeFi security is not purely a software engineering problem: a protocol with perfect code can still be drained if its economic design creates exploitable attack surfaces, which makes protocol economics a first-class security concern alongside smart contract audits.
Economic Attacks vs. Code Exploits
| Type | What’s Broken | Example |
|---|---|---|
| Code exploit | Smart contract bug (reentrancy, overflow) | The DAO hack (2016) — reentrancy bug |
| Economic attack | Protocol’s economic logic | Mango Markets (2022) — price manipulation |
| Oracle manipulation | Price feed integrity | Harvest Finance (2020) — flash loan spot price |
| Governance attack | Voting mechanism | Beanstalk (2022) — flash loan governance |
| Flash loan attack | Capital barrier assumption | Many (see below) |
The line between these categories often blurs — most real attacks combine elements of multiple types.
Major Economic Attack Vectors
1. Oracle Manipulation
```
- The attacker flash-loans a large amount of capital
- Executes a large swap, dramatically moving the oracle price
- Uses the manipulated price to borrow far more than should be possible, or to liquidate positions artificially
- Repays the flash loan in the same transaction
- Profits from the difference
```
Real example (Harvest Finance, Oct 2020, $34M):
- Flash loan $50M USDC
- Swap USDC → USDT on Curve (drives USDC price down in Curve pool)
- Harvest’s vault uses Curve spot price → “USDC now cheap”
- Buy Harvest’s USDC shares at discounted price
- Swap USDT → USDC on Curve (price returns to normal)
- Sell Harvest shares at full value
- Repay flash loan
- Profit
```
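To make the oracle dependency concrete, here is an added Python simulation (not code from Harvest, Curve or any protocol): a toy constant-product pool stands in for the Curve pool, a spot-price read is compared with a 10-block TWAP, and a deviation check of the kind listed under Defense Mechanisms rejects the manipulated read. Pool reserves, the fee and the flash loan size are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class ConstantProductPool:
    """Toy x*y=k AMM (constructed simplification; Curve itself uses a stableswap curve)."""
    reserve_a: float            # e.g. USDC
    reserve_b: float            # e.g. USDT
    fee: float = 0.0004         # 0.04% swap fee
    history: list = field(default_factory=list)  # spot price recorded at each block end

    def spot_price_a(self) -> float:
        """Instantaneous price of A in units of B: what a naive spot oracle reads."""
        return self.reserve_b / self.reserve_a

    def swap(self, amount_in: float, a_to_b: bool) -> float:
        """Execute a swap and return the amount received; large trades move the price."""
        x, y = (self.reserve_a, self.reserve_b) if a_to_b else (self.reserve_b, self.reserve_a)
        out = y - (x * y) / (x + amount_in * (1 - self.fee))
        x, y = x + amount_in, y - out
        self.reserve_a, self.reserve_b = (x, y) if a_to_b else (y, x)
        return out

def twap(pool: ConstantProductPool, window: int = 10) -> float:
    """Average of the last `window` block-end prices; the current block is not yet included."""
    recent = pool.history[-window:]
    return sum(recent) / len(recent)

def checked_price(pool: ConstantProductPool, max_dev: float = 0.05) -> float:
    """Defensive oracle read: reject a spot price that deviates more than max_dev from the TWAP."""
    spot, ref = pool.spot_price_a(), twap(pool)
    if abs(spot - ref) / ref > max_dev:
        raise ValueError(f"spot {spot:.4f} deviates from TWAP {ref:.4f} by more than {max_dev:.0%}")
    return spot

def simulate_manipulation(flash_loan_usdc: float = 50e6) -> dict:
    """Single-block manipulation: swap flash-loaned A into the pool, read both oracles, unwind."""
    pool = ConstantProductPool(reserve_a=20e6, reserve_b=20e6)   # constructed reserves
    pool.history.extend([pool.spot_price_a()] * 10)             # ten calm blocks at price 1.0
    spot_before = pool.spot_price_a()
    received_b = pool.swap(flash_loan_usdc, a_to_b=True)         # drives A's price down
    spot_during, twap_during = pool.spot_price_a(), twap(pool)
    try:
        checked_price(pool)
        rejected = False
    except ValueError:
        rejected = True
    pool.swap(received_b, a_to_b=False)                          # unwind so the loan can be repaid
    return {"spot_before": spot_before, "spot_during": spot_during, "twap_during": twap_during,
            "deviation_rejected": rejected, "spot_after": pool.spot_price_a()}
```

A vault pricing shares off `spot_price_a()` would see USDC at a fraction of its real value for the duration of the block, while the TWAP-anchored `checked_price()` simply refuses to serve a price.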
2. Governance Attacks
```
Real example (Beanstalk, April 2022, $182M):
- Flash loan enough BEAN tokens for majority voting power
- Submit malicious governance proposal
- Vote YES with flash-loaned tokens (same tx = no timelock)
- Proposal executes immediately → drains protocol treasury
- Repay flash loan
- Profit
```
Defense: Timelocks (24–72+ hour delay between vote passing and execution) prevent flash loan governance attacks — you can’t hold flash-loaned tokens for 24 hours.
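The timelock defense, as an added Python simulation that is not any protocol’s governance code: voting power is the voter’s current token balance, so a flash-loaned majority passes the vote, but execution inside the same simulated transaction fails whenever the timelock is non-zero, and the whole transaction reverts. The supply, quorum and the `borrower` account are constructed values.

```python
import copy
from dataclasses import dataclass, field

@dataclass
class Governance:
    """Toy token-vote governance (constructed; not any real protocol's contract)."""
    total_supply: float
    timelock_delay: int         # seconds between submission and earliest execution (0 = none)
    quorum: float = 0.5         # fraction of supply that must vote YES
    now: int = 0                # simulated block timestamp
    balances: dict = field(default_factory=dict)
    proposals: list = field(default_factory=list)

    def propose(self) -> int:
        self.proposals.append({"created_at": self.now, "votes_for": 0.0, "executed": False})
        return len(self.proposals) - 1

    def vote(self, voter: str, pid: int) -> None:
        # Voting power is the voter's current balance, so flash-loaned tokens count.
        self.proposals[pid]["votes_for"] += self.balances.get(voter, 0.0)

    def execute(self, pid: int) -> None:
        p = self.proposals[pid]
        if p["votes_for"] / self.total_supply <= self.quorum:
            raise PermissionError("proposal did not pass")
        if self.now < p["created_at"] + self.timelock_delay:
            raise PermissionError("timelock has not elapsed")
        p["executed"] = True

def atomic_flash_loan_governance(gov: Governance, loan: float) -> bool:
    """Borrow, propose, vote, execute, repay in one transaction; any failure reverts it all."""
    tx = copy.deepcopy(gov)                       # scratch copy: state commits only on success
    try:
        tx.balances["borrower"] = tx.balances.get("borrower", 0.0) + loan
        pid = tx.propose()
        tx.vote("borrower", pid)
        tx.execute(pid)                           # with a timelock, this is where it fails
        tx.balances["borrower"] -= loan           # repayment must land in the same block
    except PermissionError:
        return False                              # reverted: the caller's gov is untouched
    gov.__dict__.update(tx.__dict__)              # commit the successful transaction
    return True

def honest_execution(gov: Governance, holder: str) -> bool:
    """Legitimate path: a real holder votes, waits out the timelock, then executes."""
    pid = gov.propose()
    gov.vote(holder, pid)
    gov.now += gov.timelock_delay                 # time passes; the tokens had to be held
    gov.execute(pid)
    return gov.proposals[pid]["executed"]
```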
3. Price Impact Manipulation
```
Real example (Mango Markets, Oct 2022, $114M):
- Open large perpetual long position on MNGO (Mango’s native token)
- Use own capital to buy MNGO on spot market, pumping price 10×
- MNGO perpetual position becomes massively profitable (on paper)
- Use pumped MNGO as collateral to borrow $100M+ from Mango’s lending pool
- Price returns to normal → loans become undercollateralized
- Protocol has $100M+ in bad debt
```
This attack didn’t require a flash loan — the attacker used their own capital — demonstrating that large capital alone can constitute an economic attack.
4. Liquidity Drain / Asymmetric Pool Attack
```
Example:
- Attacker provides most of the liquidity to a small AMM pool
- Makes a large swap using a flash loan to move the price dramatically
- Uses the moved price to arbitrage against another protocol that references this pool
- Removes liquidity
```
5. Death Spiral Attacks
```
LUNA/UST attack pattern (hypothesized):
- Accumulate short position on BTC and LUNA
- Sell large UST on Curve, creating depeg pressure
- Market fears: UST depegs → LUNA is minted → hyperinflation
- Panic selling creates actual death spiral
- Short positions profit enormously as LUNA/BTC fall
```
Whether the LUNA collapse was a coordinated attack remains debated; the mechanism is real.
Flash Loans as Attack Infrastructure
Flash loans are not attacks themselves — they are legitimate DeFi primitives that enable uncollateralized borrowing within a single transaction. However, they are the primary capital source for economic attacks because they:
- Remove the capital barrier: Any protocol attack that requires $100M in capital can be executed by anyone with a few hundred dollars of gas, since flash loans can provide the $100M for one transaction
- Are fully refunded: If the attack fails (doesn’t profit), the transaction reverts and the attacker loses only gas costs
- Are atomic: The entire attack sequence executes in one block — protocols cannot react mid-attack
Defense Mechanisms
| Defense | Attack Vector Addressed |
|---|---|
| Timelocks on governance | Flash loan governance attacks |
| TWAP oracles (vs. spot price) | Oracle manipulation via single-block price moves |
| Multi-source oracle aggregation (Chainlink) | Single-source oracle manipulation |
| Circuit breakers (pause if price moves >X% in 1 block) | Flash loan price manipulation |
| Low LTV for new/illiquid collateral | Over-borrowing against manipulated prices |
| Isolated lending markets | Limit blast radius if one asset is attacked |
| Price deviation checks | Reject oracle updates that deviate >X% from TWAP |
History
- June 2020: bZx flash loan attack ($350K) — first prominent flash loan oracle manipulation; awakens DeFi to economic attack surface
- October 2020: Harvest Finance ($34M) — Curve oracle manipulation via flash loan
- November 2020: Akropolis ($2M), Value DeFi ($6M) — flash loan exploits
- October 2021: Cream Finance v2 ($130M) — flash loan oracle manipulation of yUSD
- April 2022: Beanstalk ($182M) — first major flash loan governance attack
- October 2022: Mango Markets ($114M) — spot price manipulation without flash loan
- 2022–2024: Dozens of smaller oracle manipulation and economic attacks continue
- 2025: Most top-tier protocols now use Chainlink + TWAP as defense; attack surface shifts toward smaller/newer protocols and L2s with thinner liquidity