Flash Loan Attack Explained – DeFi: In & Out

Flash Loan Attack Explained – DeFi: In & Out

Flash Loan Attack Explained – DeFi: In & Out

Flash Loan Attack Explained – DeFi: In & Out

Flash Loan Attack Explained – DeFi: In & Out

Read Time: 5 minutes

Decentralized finance is gaining popularity and with increased popularity, it is being chased by evil eyes. Many of the incidents happened over time and DeFi hacks are rising rapidly like fire, and among different hacks, Flash loan attack is one common name. At the beginning of the series “DeFi: In & Out”, Flash loan attack is explained in this part.

Flash Loan Attacks Explained

Diving Deep into Flash Loan Attacks and Exploring it’s Its Vicious Side

After 14th Feb(first attack on bZx) and 18th Feb(2nd attack on bZx), this entire idea of uncollateralized loans of heavy amount instantly has become fiercely debatable.

While on one hand proponents believe flash loans are an extremely effective innovation, the fact that flash loans played a major role in the bZx hack cannot be denied either.

Both of the attacks on bZx followed almost similar patterns and resulted in a loss of $𝟵𝟱𝟰,𝟬𝟬𝟬 in just a matter of 4 days.

To begin with, let’s first understand what exactly are Flash Loans.

Understanding Flash Loans

When speaking about Loans, the very obvious kinds are Secured Loans and Unsecured Loans.

Secured loans require collateral from the borrowers. Moreover, secured loans always wish to ensure minimum risk, due to which heavy loans are often not accepted.

In other words, since secured loans ensure maximum security and minimum risk, taking out an extensive loan is often not possible.

Whereas, on the other hand, an unsecured loan doesn’t’ really demand any collateral and also accepts heavy loans but at the same time is extremely risky for lenders.

So, under which category do Flash Loans belong?

Well, in simpler terms, Flash loans are kind of Unsecured Loans. You can literally borrow any amount without providing any collateral or passing any credit check.

Yep, it’s that simple.

However, there’s a CATCH.

The way Flash Loans ensure security might not be very intuitive at the very first glance.

Flash loans ensure that the entire procedure of borrowing and repaying of the loan must be done in the SAME TRANSACTION.

So you can borrow as much amount you wish through a flash loan, use it, but must pay back the borrowed amount within the SAME transaction.

Source: Finematics

What if you don’t PAY back the Flash Loan?

Truth be told, that’s not really an option.

This is because Flash loans must be paid back in the same transaction or else the entire will be reverted back.

In other words, if the loan is not paid back within the same transaction, it’s as if the loan was given to the user. Everything goes back to as it was.

Not really Intuitive, Right?

Well, this is one of the many interesting functionalities that is executable and achievable with Smart Contracts in the world of Blockchain. To be precise, EIP 140 does this magic.

Now the quite obvious question that might pop in your brain is: If Flash loans ensure such effective layers of security, how can there be Flash Loan Attacks?

Diving deep into Flash Loan Attacks

The best way to understand how a Flash Loan attack is executed is by observing a real-world flash loan attack.

The crypto world witnessed 2 remarkable flash loan attacks this year with an almost similar pattern.

Before we evaluate the flash loan attack, it’s imperative to note that

As discussed earlier, there is nothing wrong with FLASH LOANS in particular. They aren’t vulnerable themselves but are one of the many reason behind some massive attacks.

Just in case you didn’t really get the gist of the sentence above, be patient and stay with me on this. There will definitely be a sudden click in your brain as I explain the procedure of flash loan attacks and you will understand it all.

I promise

All right let’s begin now.

Understanding the bZx Attack:

The margin trading protocol bZx witnessed 2 massive flash loan attacks this year. Since both of these attacks followed an almost alike pattern, let’s understand the first one to get the gist of how it was executed.

Source: BitcoinExchangeGuide

First of all, the attacker took a huge Ether flash loan of 10,000 ETH from dYdX.

  1. Once the attacker had access to this enormous amount of ETH, this entire ETH amount was then divided and sent to 2 other lending platforms, i.e., Fulcrum & Compound.
  2. The attacker used 5500 ETH as collateral to take a loan of 112 WBTC from Compound.
  3. A small portion of this loan amount, i.e., 1300 was sent to Bzx’s Fulcrum trading platform. This was specifically done to short ETH against WBTC.
  4. The attacker was now ready to initiate his next move to cause a massive slippage within the market. Hence, 5637 ETH was borrowed using Kyber’s Uniswap for almost 51 WBTC.

Note: Slippage can simply be understood as the difference between the Expected price and the price at which the trade is actually performed.

Remember that the attacker took some WBTC from Compound initially(Step 3)? Well, it was finally the time to make some profit using those WBTC.

  1. Therefore, the attacker simply swapped the 112 WBTC on Uniswap. Although the loan of 112 WBTC was taken for 5500 ETH(Step 3), after the massive slippage, the attacker was able to swap it for 6871 ETH on Uniswap.

Through this entire hack, the attacker grabbed a heavy amount of 1193 ETH. In other words, the attacker was able to make an incredibly high profit of $318,000 approximately.

  1. Finally, the flash loan of 10,000 ETH from dYdX was paid back.

Woah. I guess that was a lot to consume. Do not stress out if you didn’t get the whole deal at the very first glance.

FLASH LOANS: Boon or Curse

What exactly is wrong with Flash Loan Attacks?

A simple answer to this question would be, NOTHING.


Well, there is nothing really wrong with Flash Loans in particular. They execute as expected.

These are simply unsecured loans that are given out to the borrowers without any collateral and ensure that the entire procedure of borrowing and repaying of the loan must be done in the SAME TRANSACTION.

The problem lies in the fact that flash loans make anyone capable of accessing an enormous amount of funds without any collateral.

And these funds can then quite easily be used to manipulate the entire market, cause massive slippage, etc.

Defi has been expanding its boundaries with an incredibly rapid speed and it’s now more imperative than ever to gain a better and effective understanding of the Decentralized finance ecosystem.

However, there is no denying the fact that DeFi not only comes up with new terminologies frequently but also becomes vulnerable to new attack patterns.

Therefore, in order to stay ahead of the curve, it’s very crucial to keep a sharp eye on any such DeFi events or terms.

Well, this DeFi Security and Awareness series help you exactly with that.

Get started with this Defi series and gain a better understanding of the DeFi ecosystem.

  • The list will be updated soon.

QuillAudits is accomplished in smart contract audits and security solutions to different industries including DeFi enterprises. Click below to book a free consultation session with QuillAudits


Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Understanding Fuzzing and Fuzz Testing: A Vital Tool in Web3 Security

Read Time: 5 minutes When it comes to smart contracts, ensuring the robustness and security of code is paramount. Many techniques are employed to safeguard these contracts against vulnerabilities
Read More

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Read Time: 7 minutes Decentralized finance (DeFi) relies on Ethereum staking to secure the blockchain and maintain consensus. Restaking allows liquid staking tokens to be staked with validators in
Read More

ERC 404 Standard: Everything You Need to Know

Read Time: 7 minutes Introduction Ethereum has significantly shaped the crypto world with its introduction of smart contracts and decentralized applications (DApps). This has led to innovative developments in
Read More

DNS Attacks:  Cascading Effects and Mitigation Strategies

Read Time: 8 minutes Introduction DNS security is vital for a safe online space. DNS translates domain names to IP addresses, crucial for internet functionality. DNS ensures unique name-value
Read More

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Read Time: 7 minutes Introduction  Ethereum, the driving force behind dApps, has struggled with scalability. High fees and slow processing have limited its potential. They have kept it from
Read More

QuillAudits Powers Supermoon at ETH Denver!

Read Time: 4 minutes Calling all the brightest minds and leaders in the crypto world! Are you ready to build, connect, and innovate at the hottest event during ETH
Read More

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Read Time: 7 minutes Introduction  Experts predict a transformative shift in global software, driven by AI and ML, marking the dawn of a new era. PwC predicts AI will
Read More

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+