Flash Loan

The defining feature of a flash loan is its atomicity: the borrow, execution, and repayment must all succeed within a single transaction block. If any step fails, the entire transaction is reverted, eliminating default risk for the liquidity pool. This is enforced by the blockchain's consensus rules, making the loan trustless and non-custodial.

• No Partial Execution: The transaction either completes fully or not at all.
• State Reversion: Failed transactions leave no trace on the blockchain state, ensuring funds are never at risk.

Unlike traditional or overcollateralized DeFi loans, flash loans require no upfront collateral from the borrower. Access to capital is permissionless, limited only by the liquidity available in the supporting protocol (e.g., Aave, dYdX, Uniswap). The borrower only needs to pay the transaction gas fees and any protocol-specific fees.

This enables strategies that would be capital-prohibitive otherwise, such as:

• Arbitrage: Exploiting price differences across DEXs.
• Collateral Swaps: Refinancing debt positions instantly.
• Self-Liquidation: Closing underwater positions without extra capital.

Flash loans are a primitive for DeFi composability, allowing complex multi-protocol interactions in one atomic bundle. This is most famously used for arbitrage, where a borrower:

1. Borrows a large sum of Asset A.
2. Swaps A for Asset B on DEX 1 at a favorable rate.
3. Swaps B back to A on DEX 2 at a better rate.
4. Repays the flash loan, keeping the profit.

This mechanism helps enforce market efficiency by quickly correcting price discrepancies across decentralized exchanges and lending markets.

The security of flash loans is protocol-centric, not borrower-centric. Risk is managed through smart contract logic, not credit checks. The primary risks are:

• Smart Contract Risk: Bugs in the flash loan pool or the borrower's contract can lead to fund loss.
• Oracle Manipulation: Attacks that exploit price feed latency during the transaction.
• Gas Price Volatility: High network congestion can cause profitable transactions to fail.

For lenders (liquidity providers), the risk is minimal as funds are never released without guaranteed repayment in the same atomic operation.

Flash loan protocols generate revenue through fees, which are typically a small percentage of the borrowed amount. These are the primary costs for the borrower:

• Protocol Fee: A fixed percentage (e.g., 0.09% on Aave V3) charged on the loan principal, paid to the protocol treasury and liquidity providers.
• Gas Fees: The Ethereum (or other L1/L2) network transaction cost, which can be significant for complex operations.

The profitability of a flash loan strategy must exceed the sum of these fees. Some protocols also implement flash minting, where tokens are created and burned within the transaction, often with a different fee model.

While arbitrage is the most common use, flash loans enable other sophisticated DeFi operations:

• Liquidation: Borrowing funds to liquidate an undercollateralized loan position, claiming the liquidation bonus.
• Collateral Swap: In lending protocols like MakerDAO, a user can use a flash loan to swap the collateral backing a CDP without closing the position.
• Debt Refinancing: Instantly moving a debt position from one protocol to another to secure a lower interest rate.
• Wallet Balancer: Combining multiple token balances into a single asset within one transaction.
• Governance Attacks: A controversial use case involving borrowing massive voting power to pass or defeat proposals, though many protocols now have defenses.

The most common use case, where a trader exploits price differences for the same asset across multiple decentralized exchanges (DEXs) or protocols. A flash loan provides the capital to buy low on one platform and sell high on another, all within one transaction, capturing the spread as profit after repaying the loan. For example, buying ETH on Uniswap where it's cheaper and instantly selling it on SushiSwap where it's more expensive.

Allows a user to change the collateral backing a loan in a lending protocol like Aave or Compound without closing their position. Using a flash loan, a user can:

• Borrow asset A (e.g., USDC) to repay a debt.
• Withdraw their original collateral (e.g., WBTC).
• Sell the WBTC for a different asset (e.g., wETH).
• Deposit wETH as new collateral and re-borrow USDC to repay the flash loan. This enables portfolio rebalancing and risk management without personal capital.

Flash loans empower liquidators to execute profitable liquidation of undercollateralized positions without upfront capital. The process involves:

• Taking a flash loan of the borrowed asset.
• Repaying the unhealthy loan on the lending platform.
• Receiving the liquidated collateral at a discount as a reward.
• Selling the collateral to repay the flash loan, keeping the difference. This increases market efficiency and protocol safety by ensuring liquidations occur even when capital is scarce.

A defensive strategy where a user proactively liquidates their own undercollateralized position to avoid penalty fees from a third-party liquidator. Using a flash loan, the user can repay their debt, reclaim their collateral, sell a portion of it to cover the loan, and retain the remainder. This minimizes loss compared to a standard liquidation where a larger discount is applied.

Flash loans can be used to temporarily borrow massive amounts of a governance token to manipulate a decentralized autonomous organization (DAO) vote. The borrower acquires voting power for a single block, passes a proposal favorable to them (e.g., draining treasury funds), and repays the loan. This highlights a vulnerability in on-chain governance models that don't account for transient capital.

Flash loans are infamous for enabling large-scale exploits due to their ability to temporarily control massive, uncollateralized capital.

• Oracle Manipulation: Borrow vast sums to skew an oracle price (e.g., on a DEX) to liquidate positions or mint excess assets.
• Governance Attack: Borrow enough voting power (in token form) to pass a malicious proposal in a single transaction.
• Collateral Swap Exploit: Use a flash loan to manipulate collateral ratios or exploit logic errors in lending/borrowing contracts.
• Key Insight: The loan isn't the vulnerability; it's the amplification of existing smart contract logic flaws.

Attackers use flash loans to temporarily acquire a large voting stake in a decentralized autonomous organization (DAO) or protocol. This allows them to:

• Pass malicious proposals that drain the treasury or change critical parameters.
• Delegate voting power to swing a vote in their favor.
• Execute a governance attack without the capital outlay, as the borrowed governance tokens are returned at the transaction's end. This undermines the sybil-resistance assumptions of token-weighted voting.

Flash loans can be used to trigger mass liquidations in a predatory manner. An attacker can:

• Borrow a large sum to deliberately crash an asset's price via market manipulation.
• Target over-leveraged positions on lending platforms that become undercollateralized due to the artificial price drop.
• Act as the liquidator, collecting liquidation bonuses on the affected positions.
• This creates a self-reinforcing cycle that can destabilize a protocol and harm legitimate users.

While not exclusive to flash loans, their large capital scale amplifies reentrancy risks. An attacker's callback function, executed after receiving flash-loaned funds, can re-enter a vulnerable protocol function before the initial state changes are finalized. Combined with flash loan capital, this can drain entire contract balances. Defenses include using the Checks-Effects-Interactions pattern and reentrancy guards.

Beyond single-protocol hacks, flash loans pose broader risks:

• Market Instability: Large, rapid capital movements can cause extreme volatility.
• Protocol Design Flaws: They act as a stress test, exposing assumptions about capital costs and oracle security.
• Reputation Damage: High-profile attacks can erode trust in DeFi. The low-cost, high-impact nature of these attacks makes them a persistent threat, requiring constant vigilance in smart contract auditing and economic design.