Recently, I saw someone ask about flash loans again, so I might as well have a good discussion on this topic.
In fact, flash loans have been part of DeFi for a while. Aave brought them to Ethereum mainnet in early 2020, and other lending protocols followed. What first drew people in was that they break the rules of traditional lending: no collateral, no credit check, and a borrowing limit set only by how much liquidity sits in the pool. It sounds too good to be true, but the mechanism underneath is actually quite clever.

Simply put, a flash loan is an uncollateralized loan that is borrowed and repaid inside a single blockchain transaction. The lending contract sends you the funds, hands control to your own contract code, and then checks that the principal (plus any fee) is back before the transaction ends. If it is not, the contract reverts, and every state change made during the transaction is discarded, as if nothing happened. Because the loan is atomic, the lender takes no credit risk at all, which is why it can lend to anyone with no threshold.
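To make the atomicity concrete, here is a toy model of the flash loan lifecycle in Python. It is an added example, not code from the original post or from Aave, dYdX or any other lender: the ledger, the fee of 9 basis points, the balances and the participant names are all assumptions, and `Revert` stands in for an EVM revert.

```python
# Added example, not code from the original post or from any lending protocol.
# One "transaction" snapshots the ledger, lends, runs the borrower's callback,
# then checks that the pool holds principal plus fee. If it does not, the whole
# transaction reverts and the snapshot is restored, so the pool is never short.
from typing import Callable, Dict

FEE_BPS = 9  # assumed flash loan fee of 0.09%, in basis points


class Revert(Exception):
    """Stands in for an EVM revert: every state change in the transaction is discarded."""


class Ledger:
    """Token balances keyed by account name (constructed, not a real token contract)."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)

    def balance(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if amount < 0 or self.balance(src) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balance(dst) + amount


def flash_loan(ledger: Ledger, pool: str, borrower: str, amount: int,
               callback: Callable[[Ledger], None]) -> int:
    """Lend `amount` to `borrower` for the duration of `callback`; return the fee earned.

    Raises Revert and leaves `ledger` exactly as it was if the pool is not made
    whole (principal plus fee) by the time the callback returns.
    """
    snapshot = dict(ledger.balances)
    fee = amount * FEE_BPS // 10_000
    owed = ledger.balance(pool) + fee           # what the pool must hold afterwards
    try:
        ledger.transfer(pool, borrower, amount)
        callback(ledger)                        # borrower does whatever it wants with the funds
        if ledger.balance(pool) < owed:
            raise Revert("flash loan not repaid")
    except Exception:
        ledger.balances = snapshot              # atomic: nothing the callback did survives
        raise
    return fee


def run_scenarios() -> dict:
    """Run three borrowers against the same starting ledger and report the outcome of each."""
    start = {"pool": 10_000, "alice": 0, "market": 1_000}   # constructed balances
    amount = 5_000
    fee = amount * FEE_BPS // 10_000                         # 4 with the assumed fee

    def repays(ledger: Ledger) -> None:
        ledger.transfer("market", "alice", 20)               # constructed arbitrage gain
        ledger.transfer("alice", "pool", amount + fee)       # principal plus fee back to the pool

    def repays_without_fee(ledger: Ledger) -> None:
        ledger.transfer("alice", "pool", amount)             # principal only: still a failure

    def defaults(ledger: Ledger) -> None:
        ledger.transfer("alice", "market", amount)           # funds leave and never come back

    results = {}
    for name, cb in [("repays", repays), ("no_fee", repays_without_fee), ("defaults", defaults)]:
        ledger = Ledger(start)
        try:
            earned = flash_loan(ledger, "pool", "alice", amount, cb)
            results[name] = ("ok", earned, ledger.balances)
        except Revert as err:
            results[name] = ("reverted", str(err), ledger.balances)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Only the borrower who returns principal and fee leaves any trace on the ledger; the one who repays the principal but not the fee and the one who never repays both end with the ledger restored to its starting state, which is the whole reason a flash loan lender can skip collateral.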

This was originally an innovative feature supporting arbitrage, liquidity management, and other legitimate uses. But you can also guess that some people started to exploit it for malicious purposes.

I’m most impressed by the flash loan attacks of February 2020. In the first one, the attacker borrowed ETH via a flash loan from dYdX and split the funds between Compound and Fulcrum, the margin-trading platform of the bZx protocol. Part of the ETH went into Compound as collateral to borrow WBTC. The rest was used on Fulcrum to open a leveraged short of ETH against WBTC; to fill that position Fulcrum had to buy WBTC, and it routed the order through Kyber to Uniswap. WBTC liquidity on Uniswap was thin, so that one purchase pushed the WBTC price far above the market rate, and Fulcrum ended up paying the inflated price. The attacker then sold the WBTC borrowed from Compound into the same inflated market, repaid the dYdX loan, and kept the difference.

A second attack hit bZx a few days later. This time the attacker used flash-loaned ETH to buy large amounts of sUSD via Kyber, pushing the stablecoin’s on-chain price from about $1 to roughly $2. bZx valued collateral from that on-chain quote and had no notion that sUSD is supposed to be pegged to the dollar, so the attacker deposited the inflated sUSD as collateral, borrowed far more ETH against it than the sUSD was really worth, repaid the flash loan, and walked away with the difference. The entire sequence happened within a single block.

Seeing these cases, many started to worry that flash loans could become a ticking time bomb for DeFi. But in reality, defensive measures are also evolving.

The most direct fix is on the oracle side. Instead of reading the price from a single DEX pool, which anyone with enough capital can move inside one transaction, pull prices from several independent sources and aggregate them (a median across venues, or an off-chain oracle network), so that one manipulated pool shows up as an outlier rather than as the truth. Refreshing the reported price more often narrows the window in which a stale price can be exploited, but on its own it does nothing against a manipulation that starts and ends inside one transaction; where the price comes from matters more than how often it is read.

A subtler defence is the time-weighted average price (TWAP): the protocol uses the average price over a window of past blocks rather than the spot price at the moment of the read. A flash loan only lives for one transaction, so it cannot touch prices already recorded in earlier blocks; to move a TWAP meaningfully the attacker has to keep the price skewed for many consecutive blocks with real capital exposed to arbitrage, which is far more expensive. The trade-off is that a TWAP lags the market, so a genuine price move takes a while to show up. Some protocols also split sensitive actions across two blocks (request in one block, execute in a later one), which puts them out of reach of a single flash loan transaction altogether.
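The bZx incidents described above and the TWAP defence can both be seen in a small simulation. The following is an added example, not code from the original post or from Uniswap, bZx or any other protocol: a toy constant-product pool (x*y=k, the Uniswap v2 curve) is read once as a raw spot price and once through a cumulative-price TWAP accumulator, with a single large buy in one block standing in for the flash-loan-funded purchase. The pool sizes, the trade size, the collateral factor, the block counts and the class names are constructed, not figures from the incidents.

```python
# Added example, not code from the original post or from any DEX or lending protocol.
# A spot-price oracle on an x*y=k pool versus a TWAP over the last `window` blocks,
# when one large buy lands in a single block (the flash loan pattern).
from decimal import Decimal, getcontext

getcontext().prec = 30


class ConstantProductPool:
    """Toy x*y=k pool with no swap fee. Price of TOKEN in ETH is eth_reserve / token_reserve."""

    def __init__(self, eth_reserve, token_reserve):
        self.eth = Decimal(eth_reserve)
        self.token = Decimal(token_reserve)
        self.k = self.eth * self.token

    def spot_price(self) -> Decimal:
        return self.eth / self.token

    def buy_token_with_eth(self, eth_in) -> Decimal:
        """Swap eth_in ETH for TOKEN, keeping reserves on the curve; returns TOKEN received."""
        new_eth = self.eth + Decimal(eth_in)
        new_token = self.k / new_eth
        out = self.token - new_token
        self.eth, self.token = new_eth, new_token
        return out


class TwapOracle:
    """Cumulative-price accumulator in the style of Uniswap v2.

    update(block) runs before any swap in that block, so what it accumulates is
    the price as it stood at the end of the previous block. A swap in the current
    block therefore cannot change a TWAP read in the same block.
    """

    def __init__(self, pool: ConstantProductPool):
        self.pool = pool
        self.last_block = 0
        self.cumulative = {0: Decimal(0)}   # block -> sum of price * elapsed blocks up to that block

    def update(self, block: int) -> None:
        elapsed = block - self.last_block
        self.cumulative[block] = self.cumulative[self.last_block] + self.pool.spot_price() * elapsed
        self.last_block = block

    def twap(self, window: int) -> Decimal:
        """Average price over the last `window` blocks."""
        now = self.last_block
        return (self.cumulative[now] - self.cumulative[now - window]) / window


def simulate(window: int = 10, attack_eth: int = 1000,
             collateral_factor: Decimal = Decimal("1.5")) -> dict:
    """Compare what a lender would advance against manipulated collateral at spot versus TWAP."""
    pool = ConstantProductPool(1000, 1_000_000)   # constructed: 0.001 ETH per TOKEN
    oracle = TwapOracle(pool)
    spot_before = pool.spot_price()
    for block in range(1, 11):                    # ten quiet blocks, price unchanged
        oracle.update(block)

    # Block 11: the flash-loan-funded buy. The accumulator is updated first (as the
    # first interaction in a block would do), then the swap skews the reserves.
    oracle.update(11)
    tokens_bought = pool.buy_token_with_eth(attack_eth)
    spot_now = pool.spot_price()
    twap_now = oracle.twap(window)

    # A lender that accepts TOKEN as collateral at 1/collateral_factor of its value:
    borrowable_spot = tokens_bought * spot_now / collateral_factor
    borrowable_twap = tokens_bought * twap_now / collateral_factor

    # Moving the TWAP at all means the skewed price must survive into later blocks,
    # i.e. holding the position well beyond the flash loan's single transaction.
    oracle.update(12)
    twap_after_one_more_block = oracle.twap(window)

    return {
        "spot_before": spot_before,
        "spot_during_attack": spot_now,
        "twap_during_attack": twap_now,
        "twap_after_one_more_block": twap_after_one_more_block,
        "eth_spent": Decimal(attack_eth),
        "borrowable_against_spot": borrowable_spot,
        "borrowable_against_twap": borrowable_twap,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:28} {value}")
```

With these numbers the buy quadruples the spot price inside the attack block while the 10-block TWAP does not move at all. A lender pricing collateral at spot would advance more ETH than the attacker just spent buying the tokens, which is exactly the sUSD pattern: borrow, inflate, deposit, borrow more, repay the flash loan. Priced at TWAP the same collateral supports a fraction of that, and keeping the skew alive for one more block lifts the TWAP by only 30 percent while the attacker's capital sits in the pool waiting for arbitrageurs.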

Of course, as flash loan attacks grow more sophisticated, defences keep evolving too. Some protocols now integrate monitoring that flags abnormal trading patterns in real time, such as a very large borrow followed in the same transaction by a swap that moves a price far from its recent average, and can pause the affected functions.

Ultimately, DeFi is still a young ecosystem. Flash loans themselves aren’t the problem; the key is designing safer protocols. Every attack incident actually pushes the industry forward. I believe that as protective measures improve, flash loans will ultimately return to their original purpose—supporting innovative financial applications—rather than becoming a hacker’s ATM.