Skip to content
Home » Flash Loans: Uncollateralized DeFi Borrowing, Arbitrage, and Attack Vectors Explained

Flash Loans: Uncollateralized DeFi Borrowing, Arbitrage, and Attack Vectors Explained

  • DeFi

Borrowing Millions With No Collateral

In traditional finance, borrowing money requires collateral, credit history, income verification, and a lender’s trust. Flash loans shatter every one of these requirements. With a flash loan, anyone can borrow millions of dollars in any cryptocurrency with zero collateral, zero credit check, and zero upfront payment — as long as the entire loan is repaid within the same blockchain transaction. This is not a bug or a loophole. It is a deliberate feature built on blockchain atomicity, and it is one of the most fascinating primitives in all of decentralized finance.

The Atomic Transaction Guarantee

To understand flash loans, you must understand blockchain transaction atomicity. In Ethereum (and most smart contract blockchains), a transaction either fully succeeds or fully fails — there is no partial execution. If any step in a multi-step transaction fails, all previous steps are rolled back as if the transaction never happened. No state changes are committed to the blockchain. The entire transaction is atomic.

Flash loans exploit this property. Here is the sequence: the lender’s contract releases funds to the borrower, the borrower’s contract does whatever it wants with those funds, and then the borrower’s contract returns the funds plus a fee — all within the same transaction. If the last step (repayment) fails because there are insufficient funds, the entire transaction reverts. The lender never actually risks losing the funds because from the blockchain’s perspective, either the loan is repaid or the loan never happened.

The lender takes on zero credit risk and zero duration risk. The only risk is smart contract risk — a bug in the flash loan contract itself. In exchange for this zero-risk service, lenders charge a small fee (typically 0.05 to 0.09 percent) that accrues to the lending pool’s liquidity providers.

Legitimate Uses: Arbitrage

The most economically productive legitimate use of flash loans is arbitrage — exploiting price differences between venues. Imagine ETH trades at $2,000 on Uniswap and $2,020 on SushiSwap simultaneously. A $1 million flash loan allows an arbitrageur to buy 500 ETH on Uniswap for $1 million, sell it on SushiSwap for $1,010,000, repay the $1 million loan plus the fee, and pocket approximately $9,500 in profit — all in one transaction, with zero capital required.

This arbitrage is socially beneficial: it equalizes prices across venues, improving market efficiency. Flash loans democratize arbitrage that was previously only available to capital-rich market makers and trading firms. A developer with no capital but good code can compete with sophisticated trading desks on equal footing.

Before flash loans, capturing this same arbitrage required holding $1 million in ETH, creating significant capital cost and risk. Flash loans remove this capital barrier entirely.

Legitimate Uses: Collateral Swaps

Suppose a user has $100,000 in ETH locked as Aave collateral with a $50,000 USDC loan against it. They want to switch their collateral from ETH to WBTC without closing the position (which would require repaying the $50,000 first). With a flash loan: borrow $50,000 USDC, repay the Aave loan, withdraw the freed ETH, sell ETH for WBTC, deposit WBTC as new collateral on Aave, borrow $50,000 USDC again to repay the flash loan. The entire collateral swap happens atomically without ever requiring the user to have $50,000 available.

Similar logic enables self-liquidation (closing your own position in a controlled way before external liquidators do it with a penalty), position migration between protocols, and leveraged position creation in a single transaction.

Legitimate Uses: Governance Attacks (Controversial)

Flash loans can borrow governance tokens, use them to vote on a governance proposal, and return them in the same transaction. This is technically legitimate but ethically controversial — it allows controlling a governance vote with no lasting stake in the protocol. Most modern governance systems have guards against this (requiring tokens to be held for a period before voting, or using snapshots taken before the voting period begins), but some early protocols were vulnerable. The MakerDAO governance security model explicitly accounts for flash loan voting attacks.

Famous Exploits: Flash Loans as Attack Weapons

Flash loans became infamous in 2020 when they were weaponized in a series of attacks that drained tens of millions from DeFi protocols. These attacks were not bugs in flash loans themselves but rather exploits of vulnerabilities in other protocols that flash loans provided the capital to execute at scale.

The bZx attacks (February 2020, approximately $1 million stolen) were the first widely publicized flash loan attacks. The attacker used a flash loan to manipulate the price of WBTC on Uniswap (a shallow liquidity pool at the time), borrowed against the artificially inflated price on bZx, and walked away with the profit when prices normalized. The vulnerability was bZx’s reliance on a single price oracle that could be manipulated within a single transaction.

The Harvest Finance exploit (October 2020, approximately $34 million) used flash loans to repeatedly manipulate USDC and USDT prices in Curve pools, exploiting Harvest’s use of spot prices rather than time-weighted averages for its vault calculations. Each round of manipulation netted the attacker approximately $500,000.

The Cream Finance exploits (2021, approximately $130 million combined across multiple attacks) exploited flash loan-enabled price manipulation of Cream’s own price oracle for certain tokens, demonstrating that even larger, seemingly mature protocols remained vulnerable.

The Euler Finance hack (March 2023, approximately $197 million) was technically not a flash loan attack per se but used flash loans as part of a complex sequence exploiting a logic error in Euler’s donation mechanism. It was the largest DeFi hack of 2023 before the attacker returned most funds.

What Flash Loan Attacks Reveal About DeFi

Flash loan attacks are often framed as attacks on flash loans, but this framing is wrong. Flash loans provide capital; the attacks exploit vulnerabilities in other protocols. The real lesson is that DeFi protocols must be designed to withstand adversarial actors who can temporarily access unlimited capital. Specifically:

Oracle security is paramount. Protocols that use spot prices from low-liquidity DEX pools for critical financial decisions are vulnerable to price manipulation regardless of flash loans. Time-weighted average prices (TWAPs) or decentralized oracle networks like Chainlink are essential defenses.

Re-entrancy protections are essential. Protocols must guard against callbacks during transactions that allow attackers to drain funds by repeatedly calling vulnerable functions before state is updated.

Composability creates unexpected attack surfaces. When a protocol interacts with other protocols, it inherits those protocols’ risks. Auditing each integration’s security implications is as important as auditing the protocol’s own code.

Flash Loans Across Protocols

Aave pioneered flash loans and remains the largest provider, offering them across dozens of assets on multiple chains. The fee is 0.09 percent. Uniswap V2 and V3 offer flash swaps — a similar mechanism where you can borrow any token from a pool and return it (or the equivalent value in the other token) within the same transaction. Balancer offers flash loans at 0 fee (charging only gas). dYdX historically offered zero-fee flash loans. These competing offerings have driven flash loan fees to near zero.

The Security Response

The DeFi ecosystem has significantly hardened against flash loan exploits since 2020. TWAP oracles have replaced spot price oracles in most serious protocols. Chainlink price feeds aggregate multiple sources with manipulation resistance. Reentrancy guards are now standard practice. Formal verification and multiple security audits are expected before major protocol launches. The insurance ecosystem (Nexus Mutual, InsurAce) has grown to provide coverage against remaining risks.

Flash loans themselves have become more sophisticated — Aave V3 allows flash loans across multiple assets simultaneously, enabling more complex arbitrage and collateral management strategies that were previously impossible.

Conclusion

Flash loans are one of DeFi’s most distinctively native innovations — impossible in traditional finance, enabled only by blockchain’s atomic transaction model. They represent both a democratization of financial access (anyone can temporarily control millions for legitimate purposes) and a potent weapon for protocol exploitation. The flash loan exploits of 2020-2022 were expensive but valuable lessons that forced the DeFi ecosystem to mature rapidly. Today, understanding flash loans is essential for both DeFi developers designing secure protocols and users understanding the risk landscape of the protocols they interact with.