What is a Flash Loan?

Key Takeaways

  • Flash loans are unsecured loans in DeFi that must be repaid within the same blockchain transaction, enabled by smart contracts.
  • They find use cases in arbitrage and liquidations but also carry risks like price oracle manipulation.
  • Flash loan attacks can exploit vulnerabilities in DeFi protocols and result in significant financial losses.
  • Despite their risks, flash loans highlight the potential of decentralized finance.

Decentralized finance (DeFi) has changed the way many of us think about financial services. This new sector has grown to over $100 billion in TVL and has introduced innovative solutions that could only exist in a blockchain-based ecosystem. One standout example of this is the flash loan, a type of loan unique to DeFi. Flash loans offer an unprecedented level of flexibility, but also carry some specific risks.

In this article, we’ll break down how flash loans work, their key differences from traditional loans, their applications, and their risks, including flash loan attacks.

What Is a Flash Loan?

A flash loan is a type of unsecured loan available in DeFi, typically on lending and borrowing platforms like Aave. Unlike traditional loans that require collateral and credit checks, flash loans operate on the principle that the loan must be borrowed and repaid within the same transaction. If the borrower fails to repay the loan, the transaction is reversed, ensuring no loss for the lender.

How Do Flash Loans Work?

Flash loans leverage smart contracts and the unique mechanics of blockchain transactions to offer unsecured, instantaneous loans. Here’s a breakdown of how they work:

Type of Smart Contract

Flash loans are carried out using smart contracts, which are self-executing programs that run when particular conditions are met. A flash loan smart contract automatically carries out the loan when a specific condition is met: the money borrowed can immediately be paid back, along with the related interest.

For example, imagine Exchange A is selling ETH at $1,800, while Exchange B is buying ETH at $1,850. You want to make a profit by buying 10 ETH at Exchange A and selling them to Exchange B for a total profit of $500 before interest. You need a loan of $18,000, and this loan charges $400 in interest.

To achieve this through a flash loan, you would need to borrow $18,000 and be able to repay $18,400 within the same transaction. In this transaction, you’d be left with a total of $18,500 after the sale. Since this is enough to both repay the loan and meet the interest payment, you could potentially use a flash loan to achieve this arbitrage trade.

Borrowing Without Collateral

The lack of collateral is the defining feature of flash loans. This is possible because the repayment happens instantaneously within the same transaction. Traditional lending relies on collateral to mitigate the lender’s risk. On the other hand, flash loans circumvent this requirement by ensuring that funds never leave the system unless repaid.

No Credit Checks

In traditional finance, banks need to perform credit checks to make sure the borrowing party will be able to return the loan. With flash loans, credit checks aren’t necessary. This is a direct result of the fact that there’s no risk for the lender. The smart contract empowering the loan transaction ensures payment. Borrowers must perform the intended operation and repay the loan within the same transaction. If any part of this process fails, the blockchain rolls back the transaction as if it never occurred.
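The arbitrage numbers from the example above, run through a toy model of an atomic transaction. This is an added example, not code from the original article or from any lending protocol; the `Ledger`, the account names and `flash_loan` are hypothetical, and only dollar balances are modelled.

```python
# Added illustration: a toy model of one atomic transaction, not real protocol code.
class Revert(Exception):
    """Aborts the transaction; every balance change made so far is discarded."""

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, borrower, amount, fee, strategy):
    """Lend `amount`, run `strategy`, then require amount + fee back, all or nothing."""
    snapshot = dict(ledger.balances)              # state before the transaction
    try:
        ledger.transfer("pool", borrower, amount)
        strategy(ledger, borrower)                # borrower's own logic
        ledger.transfer(borrower, "pool", amount + fee)   # reverts if short
        return True
    except Revert:
        ledger.balances = snapshot                # roll back as if it never occurred
        return False

def arbitrage(buy_price, sell_price, qty):
    """Buy `qty` ETH at Exchange A's price and sell it at Exchange B's price."""
    def strategy(ledger, who):
        ledger.transfer(who, "exchange_a", buy_price * qty)
        ledger.transfer("exchange_b", who, sell_price * qty)
    return strategy

def run(sell_price):
    # Constructed starting balances; the loan terms are the article's $18,000 + $400.
    ledger = Ledger({"pool": 1_000_000, "trader": 0,
                     "exchange_a": 0, "exchange_b": 1_000_000})
    ok = flash_loan(ledger, "trader", 18_000, 400, arbitrage(1_800, sell_price, 10))
    return ok, ledger.balances["trader"], ledger.balances["pool"]
```

With a sale price of $1,850 the loan settles and the trader keeps the difference; with a sale price that cannot cover $18,400 the whole transaction is rolled back and the pool balance is unchanged.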

Flash Loans vs Traditional Loans

Flash loans differ significantly from traditional loans in their mechanics, requirements, and use cases. Here’s a quick look at the main distinctions between them:

| Feature | Flash Loans | Traditional Loans |
|---|---|---|
| Collateral | Not required | Required |
| Repayment Period | Within the same transaction | Months or years |
| Approval Process | Automated through smart contracts | Requires credit checks and manual approval |
| Primary Use Cases | Arbitrage, liquidations | Personal expenses, business investments |
| Risk for Lenders | None, loans are either paid or reversed | High, borrowers may default |

What Are Flash Loans Used For?

Flash loans are highly flexible and efficient, making them a popular tool in the DeFi space. Some of their most common applications include:

Arbitrage Trading

Arbitrage involves taking advantage of price differences for the same asset across different platforms. With flash loans, traders can execute arbitrage trades without requiring upfront capital.

For example, suppose ETH is priced at $2,000 on Exchange A and $2,050 on Exchange B. A trader can use a flash loan to borrow 10 ETH from a lending protocol, buy ETH on Exchange A, sell it on Exchange B, and repay the loan, all within a single transaction. The profit is the price difference multiplied by the quantity, minus transaction fees.

Liquidations

Flash loans are also common in liquidations, which occur when a borrower’s collateral falls below the required threshold in a lending protocol. Third-party liquidators earn compensation for handling these liquidations.

For example, if a user has borrowed 100 USDC against 1 ETH as collateral, and the price of ETH drops, their position may become undercollateralized. A third-party liquidator can use a flash loan to repay the 100 USDC on their behalf, seize their ETH collateral, and repay the flash loan, keeping the difference as profit.

Flash Loan Price Oracle Attacks

While flash loans offer numerous benefits, they also introduce risks, particularly price oracle attacks. A price oracle sends asset price data to a protocol and allows it to keep track of the overall health of the platform. Flash loan attacks can exploit vulnerabilities in these price feeds.

In a price oracle attack, the attacker uses a flash loan to manipulate the price of an asset temporarily. By artificially inflating or deflating its value, the hacker can exploit the protocol for profit. For example, they may overvalue their collateral to withdraw more funds than they are entitled to or undervalue an asset to buy it on the cheap.
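Why a protocol should not value collateral from a price that a single transaction can move, shown as an added example that is not part of the original article. It assumes the oracle reads a constant-product liquidity pool; the `Pool` class, the reserves, the block numbers and the 5% deviation bound are all constructed for illustration.

```python
# Added illustration: toy constant-product pool (eth * usd = k) read as a price oracle.
# Reserves, block numbers and the 5% bound are constructed values.

class Pool:
    def __init__(self, eth, usd):
        self.eth, self.usd = eth, usd
        self.cumulative = 0.0      # running sum of spot price * blocks it was in force
        self.last_block = 0

    def spot(self):
        return self.usd / self.eth

    def advance(self, block):
        """Credit the price that held since the last update, then move the clock."""
        self.cumulative += self.spot() * (block - self.last_block)
        self.last_block = block

    def swap_usd_for_eth(self, usd_in, block):
        self.advance(block)        # the pre-trade price is what gets accumulated
        k = self.eth * self.usd
        self.usd += usd_in
        self.eth = k / self.usd

    def twap(self, since_cumulative, since_block, block):
        """Time-weighted average price between since_block and block."""
        self.advance(block)
        return (self.cumulative - since_cumulative) / (block - since_block)

def collateral_price(spot, average, max_deviation=0.05):
    """Value collateral at the average; refuse outright if spot has diverged from it."""
    if abs(spot - average) / average > max_deviation:
        raise ValueError("spot deviates from TWAP beyond bound")
    return average

def demo():
    pool = Pool(eth=1_000, usd=2_000_000)          # spot starts at 2000
    pool.swap_usd_for_eth(2_000_000, block=100)    # one large trade inside a single transaction
    spot, average = pool.spot(), pool.twap(0.0, 0, 100)
    try:
        collateral_price(spot, average)
        rejected = False
    except ValueError:
        rejected = True
    return spot, average, rejected
```

The spot price quadruples inside the transaction while the 100-block average is untouched, so a protocol that reads the average and rejects large deviations never sees the temporary price.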

Famous Flash Loan Attacks

Flash loan attacks are among the most high-profile security breaches in DeFi and they emphasize the risks associated with this new technology. Here are three notable examples from the past few years:

1. Euler Finance – $197M Stolen (2023)

In March 2023, Euler Finance, a decentralized finance (DeFi) platform on Ethereum, fell victim to the largest flash loan attack in crypto history, resulting in the theft of $197 million. The attack revealed a flaw in Euler’s token mechanics involving eTokens, which represent collateral, and dTokens, used in debt tracking.

How It Happened

The attacker leveraged Euler’s “DonateToReserve” function, which mistakenly destroyed eTokens without affecting dTokens. This created a discrepancy, misrepresenting borrowed assets as collateralized. Here’s how the attacker orchestrated the heist:

  1. Token Manipulation: Borrowing $30 million in DAI from Aave, the attacker deposited $20 million into Euler, generating eDAI tokens. They then borrowed 10 times the value of their deposit.
  2. Re-borrowing and Repayment Loops: The attacker used the remaining $10 million to repay some dDAI debt, followed by repeated borrowing within the same transaction to amplify the exploit.
  3. Funds Concealment: The attacker funneled stolen funds through Tornado Cash (which was still functional at the time), a crypto mixer, complicating traceability.

Unexpected Twist

Surprisingly, the hacker, identifying as “Jacob,” returned all stolen funds shortly after the attack, citing regret. They repaid Euler in multiple transactions totaling 54,000 ETH and additional DAI, restoring the stolen assets.

2. Cream Finance – $130M Stolen (2021)

Cream Finance is a cross-chain lending and borrowing platform. In October 2021, it faced a sophisticated flash loan attack that led to a loss of over $260 million, with the attacker profiting $130 million. The incident highlighted vulnerabilities in multi-protocol integrations and smart contract designs.

How It Happened

The attacker employed an elaborate strategy across multiple platforms to siphon funds:

  1. Initial Setup: Flash-minted $500M DAI from MakerDAO and deposited it into Yearn’s 4-Curve pool, then into the Yearn yUSD vault, and further into Cream’s yUSD market as collateral.
  2. Leveraging Assets: Borrowed 500,000+ ETH from Aave v2 using another smart contract and deposited it into Cream’s ETH market.
  3. Collateral Manipulation: Borrowed and deposited yUSD multiple times across two accounts, inflating collateral and liquidity.
  4. Exploiting Liquidity: Withdrew Yearn 4-Curve and borrowed all available liquidity from Account 1.
  5. Final Steps: Swapped stolen funds for DAI and WETH, repaid Aave and MakerDAO loans, and escaped with the profits.

Cream Finance responded swiftly with a compensation plan to mitigate user losses and strengthen its security measures. In addition, the company conducted audits and improved protocol defenses. Despite these efforts, the attack significantly dented Cream Finance’s reputation in the DeFi community.

3. Beanstalk – $80M Stolen (2022)

In April 2022, Beanstalk, a decentralized stablecoin protocol, was exploited for $182 million in one of the most daring flash loan attacks. The attacker netted $80 million by exploiting governance tokens. This demonstrated the risks associated with control mechanisms in DeFi.

How It Happened

Beanstalk’s governance model allowed users to deposit assets into a “silo” to gain voting power. The attacker leveraged a vulnerability in its design to take control of the protocol:

  1. Flash Loan Injection: The attacker borrowed $1 billion in flash loans from Aave and used them to acquire 67% of the voting power in Beanstalk.
  2. Self-Serving Proposal: Using the voting power, the attacker proposed and approved a submission that drained the funds from the silo.
  3. Funds Drainage: After executing the heist, the attacker repaid their initial loan, which left them with roughly $80 million in profit.

The attack drained Beanstalk’s reserves and left the protocol in financial disarray. This incident underscored the vulnerabilities in DeFi governance models and the need for better safeguards against malicious actors.
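One safeguard against voting power that exists only inside a single transaction is to read each voter's weight from a checkpoint taken before the proposal was created. The sketch below is an added example, not Beanstalk's code; the `Silo` class, the voter names, the deposit amounts and the block numbers are constructed, with the 67% share taken from the account above.

```python
# Added illustration: voting weight read from a checkpoint that predates the proposal.
import bisect

class Silo:
    """Deposits confer voting power; every balance change is checkpointed by block."""
    def __init__(self):
        self.history = {}          # voter -> [(block, balance)], ascending by block

    def balance_at(self, voter, block):
        """Balance as of the end of `block`; 0 if the voter had no deposit that early."""
        points = self.history.get(voter, [])
        i = bisect.bisect_right(points, (block, float("inf")))
        return points[i - 1][1] if i else 0

    def deposit(self, voter, amount, block):
        points = self.history.setdefault(voter, [])
        new_balance = self.balance_at(voter, block) + amount
        if points and points[-1][0] == block:
            points[-1] = (block, new_balance)     # same block: overwrite checkpoint
        else:
            points.append((block, new_balance))

    def share_at(self, voter, block):
        total = sum(self.balance_at(v, block) for v in self.history)
        return self.balance_at(voter, block) / total if total else 0.0

def voting_share(silo, voter, proposal_block, use_snapshot):
    """Naive: weight at the proposal block. Hardened: weight one block earlier."""
    block = proposal_block - 1 if use_snapshot else proposal_block
    return silo.share_at(voter, block)

def demo():
    silo = Silo()
    silo.deposit("long_term_holders", 330, block=10)   # constructed amounts
    silo.deposit("borrower", 670, block=50)   # funded by a loan that must be repaid in block 50
    naive = voting_share(silo, "borrower", 50, use_snapshot=False)
    hardened = voting_share(silo, "borrower", 50, use_snapshot=True)
    return naive, hardened
```

Because a flash loan has to be repaid in the transaction that took it, a deposit funded by one can never appear in a checkpoint from an earlier block.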

Closing Thoughts

Flash loans are a groundbreaking innovation that could only exist in the world of DeFi. They offer unparalleled financial flexibility and enable advanced trading strategies without requiring upfront capital. However, as seen in the examples of flash loan attacks, they also pose risks that developers and users must address.

In conclusion, flash loans are just one example of the unique services available in blockchain. As DeFi continues to develop, we can expect even more innovations that push the boundaries of traditional finance.
