Flash loans are DeFi's most double-edged innovation. They let anyone borrow millions with zero collateral — as long as they repay in the same transaction. Legitimate uses include arbitrage and collateral swaps. But attackers use them to amplify every other vulnerability by orders of magnitude. Flash loan attacks have caused over $1B in cumulative losses.
How Flash Loans Work
A flash loan is an uncollateralized loan that must be borrowed and repaid within a single atomic transaction. If the borrower can't repay, the entire transaction reverts as if it never happened.
```solidity
// Flash loan flow (simplified; uses the Aave v3 flashLoanSimple interface)
interface IPool {
    function flashLoanSimple(address receiver, address asset, uint256 amount, bytes calldata params, uint16 referralCode) external;
}
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract FlashBorrower {
    IPool public immutable aave;
    address public immutable DAI;

    constructor(IPool _aave, address _dai) { aave = _aave; DAI = _dai; }

    function executeFlashLoan() external {
        // 1. Borrow $50M from Aave (zero collateral)
        aave.flashLoanSimple(address(this), DAI, 50_000_000e18, "", 0);
    }

    // Aave calls back into this function after transferring the borrowed funds
    function executeOperation(
        address asset, uint256 amount, uint256 premium, address initiator, bytes calldata
    ) external returns (bool) {
        require(msg.sender == address(aave) && initiator == address(this), "untrusted caller");
        // 2. Use $50M to manipulate price, exploit protocol, etc.
        exploit();
        // 3. Repay loan + 0.09% fee: the pool pulls amount + premium via transferFrom
        IERC20(asset).approve(address(aave), amount + premium);
        // If repayment fails, everything reverts — risk-free for the attacker
        return true;
    }

    function exploit() internal { /* step 2 placeholder, protocol-specific */ }
}
```
Why Flash Loans Are So Dangerous
- Capital Access: Anyone can access $100M+ instantly, no credit check
- Atomicity: Attack either succeeds completely or reverts — zero downside risk for the attacker
- Amplification: They don't create new vulnerabilities, but amplify existing ones by 100-1000x
- Speed: The entire attack happens in one transaction (one block)
Flash Loan Attack Patterns
1. Oracle Manipulation
Borrow → manipulate AMM price → exploit protocol using wrong price → repay. This is the most common flash loan attack pattern.
2. Governance Attacks
Borrow governance tokens → vote/propose malicious changes → execute → repay. Beanstalk Farms lost $182M this way.
3. Collateral Inflation
Borrow → deposit inflated collateral → borrow against it → withdraw → repay flash loan with profit.
Major Flash Loan Exploits
| Protocol | Year | Loss | Attack |
|---|---|---|---|
| Beanstalk Farms | 2022 | $182M | Flash loan governance attack |
| Euler Finance | 2023 | $197M | Flash loan + donation attack |
| Pancake Bunny | 2021 | $45M | Flash loan price manipulation |
| Harvest Finance | 2020 | $34M | Flash loan oracle manipulation |
| Value DeFi | 2020 | $7M | Flash loan + arbitrage |
Building Flash-Loan-Resistant Contracts
```solidity
// Anti-flash-loan pattern: require action spans multiple blocks
contract MultiBlockVault {
    mapping(address => uint256) public lastActionBlock;

    function deposit() external {
        lastActionBlock[msg.sender] = block.number;
        // ... deposit logic
    }

    function withdraw() external {
        // A flash loan lives inside one transaction, hence one block, so a
        // deposit and a withdraw by the same address cannot both fit in it.
        require(
            block.number > lastActionBlock[msg.sender],
            "Same block as deposit"
        );
        // ... withdraw logic
    }
}
```
- ✅ Never use spot prices — use Chainlink or TWAP oracles
- ✅ Add same-block restrictions for deposit/withdraw pairs
- ✅ Use governance timelocks (24-48 hours) to prevent flash loan voting
- ✅ Implement snapshot-based voting (tokens must be held before snapshot)
- ✅ Monitor for unusual transaction sizes
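The first checklist item, and attack patterns 1 and 3 above, come down to where a contract reads its prices from. The following added example (written for this page, not Vultbase code) shows one collateral vault valued two ways: `VulnerableVault` derives the collateral price from the spot reserves of an AMM pair, which a single large swap inside the same transaction can move, while `HardenedVault` reads a Chainlink-style feed and rejects stale or non-positive answers. The `IPair` and `IAggregatorV3` interfaces are minimal subsets of the Uniswap v2 pair and Chainlink `AggregatorV3Interface`; the vault logic, the 75% LTV and the assumption that both tokens use 18 decimals are this example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the page or from Vultbase.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Subset of a Uniswap-v2-style pair; assumption: reserve0 = collateral, reserve1 = debt asset
interface IPair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Subset of Chainlink AggregatorV3Interface
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Shared vault logic; only the price source differs between the two contracts below.
abstract contract VaultBase {
    IERC20 public immutable collateral;
    IERC20 public immutable debtAsset;
    mapping(address => uint256) public collateralOf;
    mapping(address => uint256) public debtOf;
    uint256 public constant LTV_BPS = 7500; // borrow up to 75% of collateral value

    constructor(IERC20 _collateral, IERC20 _debtAsset) {
        collateral = _collateral;
        debtAsset = _debtAsset;
    }

    // Debt-asset units per collateral unit, scaled by 1e18 (both tokens assumed 18 decimals)
    function priceOfCollateral() public view virtual returns (uint256);

    function deposit(uint256 amount) external {
        require(collateral.transferFrom(msg.sender, address(this), amount), "transfer failed");
        collateralOf[msg.sender] += amount;
    }

    function borrow(uint256 amount) external {
        uint256 value = collateralOf[msg.sender] * priceOfCollateral() / 1e18;
        require(debtOf[msg.sender] + amount <= value * LTV_BPS / 10_000, "exceeds LTV");
        debtOf[msg.sender] += amount;
        require(debtAsset.transfer(msg.sender, amount), "transfer failed");
    }
}

// Vulnerable: the spot ratio changes with every swap, so a flash-loan-funded swap
// in the same transaction inflates the collateral value this vault lends against.
contract VulnerableVault is VaultBase {
    IPair public immutable pair;

    constructor(IERC20 c, IERC20 d, IPair p) VaultBase(c, d) { pair = p; }

    function priceOfCollateral() public view override returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return uint256(r1) * 1e18 / uint256(r0); // spot price: manipulable within one block
    }
}

// Hardened: the feed is aggregated off-chain, so a flash loan cannot move its answer;
// the staleness and sign checks reject a feed that has stopped updating.
contract HardenedVault is VaultBase {
    IAggregatorV3 public immutable feed;
    uint256 public immutable maxStaleness; // seconds

    constructor(IERC20 c, IERC20 d, IAggregatorV3 f, uint256 s) VaultBase(c, d) {
        feed = f;
        maxStaleness = s;
    }

    function priceOfCollateral() public view override returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad price");
        require(block.timestamp - updatedAt <= maxStaleness, "stale price");
        uint8 dec = feed.decimals();
        return uint256(answer) * 1e18 / (uint256(10) ** dec);
    }
}
```

The difference is confined to `priceOfCollateral()`: every other line of `borrow()` is identical, which is why flash loans amplify rather than create the bug. A TWAP oracle would slot into the same override; the `maxStaleness` bound is the check to keep in either case, since a feed that silently stops updating is the other way a lending contract ends up pricing collateral wrongly.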
How Vultbase Detects Flash Loan Risks
- Pattern DB — 29 flash-loan-specific patterns from real exploits covering price manipulation, governance, and collateral attacks
- Oracle Challenge — Tests if your price feeds are flash-loan-manipulable
- Governance Challenge — Checks for flash-loan-vulnerable voting mechanisms
Flash loans turn minor bugs into catastrophic exploits. Audit your contracts to find the vulnerabilities before someone borrows $100M to exploit them.