Flash Loan Attack

A flash loan attack is a type of exploit in which someone borrows a very large sum through a flash loan and uses that borrowed capital to manipulate a DeFi protocol in ways its creators did not anticipate, extracting profit before repaying the loan — all within a single transaction. Because the attacker needs no collateral and the capital is available instantly, even a poorly-funded attacker can wield enormous purchasing power for the brief window of a transaction.

Common flash loan attacks involve manipulating price oracles. A price oracle is a system that a DeFi protocol uses to learn the current price of an asset. If that oracle reads prices from a single liquidity pool, an attacker can borrow a huge sum, use it to massively distort the price in that pool, trick the target protocol into valuing things incorrectly (for example, treating a cheap token as expensive to borrow against), drain funds, and then unwind the price manipulation and repay the flash loan — all before the next block is added to the chain.

Flash loan attacks have cost DeFi protocols hundreds of millions of dollars and have driven significant improvements in oracle design, requiring protocols to use time-weighted average prices (TWAPs) or external data sources that are harder to manipulate in a single block. The attacks are a reminder that in open, permissionless systems, the rules must anticipate adversarial actors with unlimited temporary capital.

Example: Imagine a bank that sets home loan interest rates by looking at the price of a single house on one street. An attacker borrows $500,000,000 overnight, buys every house on that street to inflate the price index, takes out enormous loans based on those inflated prices, then sells the houses back and repays the original loan — pocketing the difference. The bank’s flawed measuring stick was the vulnerability.