Flash loan attack explained | Part1 | DeFi: In & Out

Flash Loan attack explained

Table of Contents

Read Time: 5 minutes

Decentralized finance is gaining popularity and with increased popularity, it is being chased by evil eyes. Many of the incidents happened over time and DeFi hacks are rising rapidly like fire, and among different hacks, Flash loan attack is one common name. At the beginning of the series “DeFi: In & Out”, Flash loan attack explained in this part.

Flash Loan Attacks Explained

Diving Deep into Flash Loan Attacks and exploring it’s Its vicious side

After 14th Feb(first attack on bZx) and 18th Feb(2nd attack on bZx), this entire idea of uncollateralized loans of heavy amount instantly has become fiercely debatable.

While on one hand proponents believe flash loans are an extremely effective innovation, the fact that flash loans played a major role in the bZx hack cannot be denied either.

Both of the attacks on bZx followed almost similar patterns and resulted in a loss of $𝟵𝟱𝟰,𝟬𝟬𝟬 in just a matter of 4 days.

To begin with, let’s first understand what exactly are Flash Loans.

Understanding Flash Loans

While speaking about Loans, the very obvious kinds are Secured Loans & Unsecured Loans.

Secured loans require collateral from the borrowers. Moreover secured loans always wish to ensure minimum risk due to which heavy loans are often not accepted.

In other words, since secured loans ensure maximum security and minimum risk, taking out an extensive loan is often not possible.

Whereas, on the other hand, an unsecured loan doesn’t’ really demand any collateral and also accepts heavy loans but at the same time is extremely risky for lenders.

So, under which category do Flash Loans belong?

Well, in simpler terms, Flash loans are kind of Unsecured Loans. You can literally borrow any amount without providing any collateral or passing any credit check.

Yep, it’s that simple.

However, there’s a CATCH.

The way Flash Loans ensure security might not be very intuitive at the very first glance.

Flash loans ensure that the entire procedure of borrowing and repaying of the loan must be done in the SAME TRANSACTION.

So you can borrow as much amount you wish through a flash loan, use it, but must pay back the borrowed amount within the SAME transaction.

Source: Finematics

What if you don’t PAY back the Flash Loan?

Truth be told, that’s not really an option.

This is because Flash loans must be paid back in the same transaction or else the entire will be reverted back.

In other words, if the loan is not paid back within the same transaction, it’s as if the loan was given to the user. Everything goes back to as it was.

Not really Intuitive, Right?

Well, this is one of the many interesting functionalities that is executable and achievable with Smart Contracts in the world of Blockchain. To be precise, EIP 140 does this magic.

Now the quite obvious question that might pop in your brain is: If Flash loans ensure such effective layers of security, how can there be Flash Loan Attacks?

Diving deep into Flash Loan Attacks

The best way to understand how a Flash Loan attack is executed is by observing a real-world flash loan attack.

The crypto world witnessed 2 remarkable flash loan attacks this year with an almost similar pattern.

Before we evaluate the flash loan attack, it’s imperative to note that

As discussed earlier, there is nothing wrong with FLASH LOANS in particular. They aren’t vulnerable themselves but are one of the many reason behind some massive attacks.

Just in case you didn’t really get the gist of the sentence above, be patient and stay with me on this. There will definitely be a sudden click in your brain as I explain the procedure of flash loan attacks and you will understand it all.

I promise

All right let’s begin now.

Understanding the bZx Attack:

The margin trading protocol bZx witnessed 2 massive flash loan attacks this year. Since both of these attacks followed an almost alike pattern, let’s understand the first one to get the gist of how it was executed.

Source: BitcoinExchangeGuide

First of all, the attacker took a huge Ether flash loan of 10,000 ETH from dYdX.

  1. Once the attacker had access to this enormous amount of ETH, this entire ETH amount was then divided and sent to 2 other lending platforms, i.e., Fulcrum & Compound.
  2. The attacker used 5500 ETH as collateral to take a loan of 112 WBTC from Compound.
  3. A small portion of this loan amount, i.e., 1300 was sent to Bzx’s Fulcrum trading platform. This was specifically done to short ETH against WBTC.
  4. The attacker was now ready to initiate his next move to cause a massive slippage within the market. Hence, 5637 ETH was borrowed using Kyber’s Uniswap for almost 51 WBTC.

Note: Slippage can simply be understood as the difference between the Expected price and the price at which the trade is actually performed.

Remember that the attacker took some WBTC from Compound initially(Step 3)? Well, it was finally the time to make some profit using those WBTC.

  1. Therefore, the attacker simply swapped the 112 WBTC on Uniswap. Although the loan of 112 WBTC was taken for 5500 ETH(Step 3), after the massive slippage, the attacker was able to swap it for 6871 ETH on Uniswap.

Through this entire hack, the attacker grabbed a heavy amount of 1193 ETH. In other words, the attacker was able to make an incredibly high profit of $318,000 approximately.

  1. Finally, the flash loan of 10,000 ETH from dYdX was paid back.

Woah. I guess that was a lot to consume. Do not stress out if you didn’t get the whole deal at the very first glance.

FLASH LOANS: Boon or Curse

What exactly is wrong with Flash Loan Attacks?

A simple answer to this question would be, NOTHING.


Well, there is nothing really wrong with Flash Loans in particular. They execute as expected.

These are simply unsecured loans that are given out to the borrowers without any collateral and ensure that the entire procedure of borrowing and repaying of the loan must be done in the SAME TRANSACTION.

The problem lies in the fact that flash loans make anyone capable of accessing an enormous amount of funds without any collateral.

And these funds can then quite easily be used to manipulate the entire market, cause massive slippage, etc.

Defi has been expanding its boundaries with an incredibly rapid speed and it’s now more imperative than ever to gain a better and effective understanding of the Decentralized finance ecosystem.

However, there is no denying the fact that DeFi not only comes up with new terminologies frequently but also becomes vulnerable to new attack patterns.

Therefore, in order to stay ahead of the curve, it’s very crucial to keep a sharp eye on any such DeFi events or terms.

Well, this DeFi Security and Awareness series help you exactly with that.

Get started with this Defi series and gain a better understanding of the DeFi ecosystem.

  • The list will be updated soon.

QuillAudits is accomplished in smart contract audits and security solutions to different industries including DeFi enterprises. Click below to book a free consultation session with QuillAudits


Related Articles

View All

Leave a Comment

Your email address will not be published. Required fields are marked *



Description: This type of security vulnerability can occur when untrusted data is used in a smart contract without proper validation or sanitization, allowing an attacker to execute unauthorized functions or modify the state of the contract.


QuillAudits 🤝 Lovely Launchpad

We are pleased to extend our #partnership with Lovely Launchpad and await great possibilities to secure the #Web3 ecosystem & beyond.

More About Lovely Launchpad:

#web3community #collaboration

As Web3 developers, it's critical to prioritize smart contract security to protect users' funds and maintain the integrity of the blockchain.

Threat modelling and Risk assessment are two key processes that can help identify potential risks and…


@safemoon has been exploited due to a public burn issue with around ~$8.9 M loss.

With the exploited public burn bug, the upgrade was initiated by the official SafeMoon: Deployer.

Load More

Amidst FTX Saga, Hacker Swept More Than $25 Million in 2nd week of November

The contract reinvested (the earn function was not called) before the user pledged (depositAll function) without settling the reward, which means that when the user pledged, the contract did not settle the previous reward and instead conducted a new investment.

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $190K+