Flash Attacks

A flash attack exploits a flash loan to manipulate a decentralized exchange or lending protocol within a single atomic transaction, borrowing enormous sums without collateral and repaying in the same block. The attacker profits by moving prices, draining reserves, or exposing arbitrage gaps that exist only during the manipulation.

Concept	Definition
Attack Surface	Protocols with price feeds dependent on liquidity pools
Typical Loan Size	Millions in stablecoins or tokens borrowed and repaid in seconds
Profit Window	Single transaction block (~12 seconds on Ethereum)
Vulnerability	Using liquidity pool spot prices as oracle
Defense	Time-weighted average prices (TWAP), external oracles, multi-block checks
First Major Attack	bZx (February 2020, ~$355k profit)

How flash attacks work: the mechanics

A flash attack unfolds in stages within a single transaction:

The attacker calls a flash loan contract, borrowing millions in stablecoins or major tokens.
Using this capital, they dump the borrowed asset into a liquidity pool, crushing its price temporarily.
A victim protocol that relies on that pool’s spot price as a price feed now reports a distorted valuation. The attacker exploits this mispricing—perhaps minting synthetic assets at inflated collateral ratios, swapping at favorable rates, or liquidating positions at artificially low prices.
The attacker unwinds the dump (or executes a counterrade elsewhere to profit).
The loan plus a small fee (0.05–0.09%) is repaid.
The transaction either succeeds atomically (all steps happen or none do) or fails and reverts.

The genius of this attack is that it requires no initial capital. Traditional market manipulation requires you to hold a position through settlement risk; flash attacks eliminate that by completing in a single block.

The bZx case: February 2020

The first widely-publicized flash attack targeted bZx, a margin trading protocol. The attacker borrowed 7,500 ETH ($1.5 million), dumped it on Uniswap to crash prices, and then executed a short position on bZx at the artificially low price. When prices recovered, the short was liquidated in the attacker’s favor. The total profit was modest ($355k), but it exposed a fundamental flaw in any on-chain oracle design that didn’t account for same-block manipulation.

Following this attack, DeFi protocols scrambled to implement time-weighted average prices (TWAP oracles) and other safeguards. Yet vulnerabilities persisted.

Why protocols remain exposed

Even with TWAP oracles in place, flash attacks succeed against protocols that:

Rely on external liquidity pools without sanity checks on price movement within a single block
Don’t isolate collateral from liquidation calculations across the same transaction
Lack secondary price validation (e.g., no fallback oracle if the primary one moves >10% in one block)

A sophisticated attacker can exploit composability—chaining multiple swaps, loans, and derivative positions to create cascading effects. One 2021 attack on Pancakeswap used flash loans plus a price manipulation to drain over $45 million from liquidity pools.

Defense layers in modern DeFi

Mature protocols now layer defenses:

TWAP (time-weighted average price): Average the price over the last N blocks rather than using the spot price. This forces attackers to sustain a dump for multiple blocks, raising costs.
Chainlink / Band Protocol oracle fallbacks: Use independent, decentralized price feeds not dependent on any single liquidity pool.
Sanity checks on single-transaction price moves: If price moves >5%, delay liquidation or require manual verification.
Isolated collateral per-block: Liquidations triggered in block N only affect collateral deposited before block N−1.
Flash loan fees: Many lending protocols (Aave, dYdX) charge 0.05–0.09% on flash loans, raising the cost of large attacks.

Broader DeFi risk implications

Flash attacks highlight the tension at the heart of DeFi: instant settlement finality and permissionless composability create opportunities for sophisticated griefing. Unlike traditional clearinghouses, which settle trades across multiple days and can unwind risky positions, DeFi protocols must assume every actor is potentially adversarial and every oracle can be attacked.

This forces developers toward over-collateralization (requiring 150%+ backing) and conservative liquidation thresholds, raising capital costs for legitimate users. Some protocols accept this overhead as the price of decentralization; others argue for layer-2 protocols or bridges that batch transactions and delay finality, reintroducing some settlement lag to reduce atomic-transaction attack surface.

Flash Loan — Uncollateralized loan that must be repaid in the same transaction
Liquidity Pool — Reserve of tokens in a DEX
DeFi Composability — Ability to chain DeFi primitives together
Decentralized Exchange — Non-custodial token trading
Liquidation — Forced sale of collateral at distressed prices

Wider context

Cryptocurrency Exchange — Centralized vs. decentralized trading venues
Arbitrage DeFi — Legitimate cross-venue price discrepancy trading
DeFi Tax Implications — Reporting attack gains
Smart Contract — Code that executes flash loan logic
Flash Crash 2010 — Traditional markets analog to DeFi manipulation