Flash Loan Attacks: How DeFi Hackers Steal Millions in Seconds
A flash loan attack is a type of blockchain exploit in which attackers borrow large sums of crypto without collateral, repay the loan within the same transaction, and steal the rest. It’s not magic; it’s code being twisted to break the rules of decentralized finance. These attacks don’t need a hack into a wallet or a phishing scam. They use the very design of DeFi protocols to turn borrowed money into stolen profit, all in one block. And they’re not rare. In 2022 alone, over $2 billion was lost to flash loan attacks, mostly on Ethereum and Binance Smart Chain.
A flash loan is a short-term, collateral-free loan that must be borrowed and repaid in the same blockchain transaction. At the heart of every flash loan is a smart contract that allows anyone to take out a loan as long as they return it immediately. That’s fine when used for arbitrage or liquidations, as in Aave, a leading DeFi lending protocol that pioneered flash loans and is often targeted in attacks. But bad actors exploit this feature by borrowing millions, manipulating token prices on decentralized exchanges like Uniswap, and triggering liquidations or draining liquidity pools. Once the theft is done, they repay the loan and vanish with the profit. No one can trace the money back to them because the whole thing happens in one atomic transaction.
It’s not just about big names like Aave or Compound. Smaller DeFi projects with weak price oracles and low liquidity are the easiest targets. One attacker used a flash loan to inflate the price of a token on a small DEX, then used that fake price to borrow more from another protocol. The loop kept going until the pool was empty. These attacks aren’t getting harder to pull off—they’re getting easier because new DeFi apps launch with rushed code and no security audits.
So what’s the fix? Better oracles, transaction monitoring, and stricter limits on loan sizes. But the truth is, as long as flash loans exist, someone will find a way to abuse them. The real question isn’t whether another attack will happen—it’s when. And that’s why the posts below dig into real cases, how they were pulled off, and what you need to know if you’re using DeFi apps today. You’ll see exactly how the math breaks down, which protocols got hit hardest, and what you can do to avoid becoming part of the next headline.
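The "better oracles" fix above, as an added example that is not from the original page or any protocol's code: a simplified Python model of a constant-product pool, where the consumer reads a multi-block average price and refuses to quote when the same-block spot price has moved too far from it. The pool sizes, 10-block window, 5% threshold and all names are constructed assumptions.

```python
# Added illustration: simplified model with constructed numbers, not real protocol code.
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Constant-product (token * base = k) pool; price is base per token."""
    token: float
    base: float

    def spot_price(self) -> float:
        return self.base / self.token

    def swap_base_for_token(self, base_in: float) -> None:
        k = self.token * self.base
        self.base += base_in
        self.token = k / self.base      # invariant k is preserved (no fee modelled)

@dataclass
class TwapOracle:
    """Average of end-of-block spot prices over a sliding window of blocks."""
    window: int
    samples: list = field(default_factory=list)

    def record_block(self, pool: Pool) -> None:
        self.samples.append(pool.spot_price())
        self.samples = self.samples[-self.window:]

    def price(self) -> float:
        return sum(self.samples) / len(self.samples)

def guarded_price(pool: Pool, oracle: TwapOracle, max_deviation: float = 0.05) -> float:
    """Return the averaged price, or raise if spot has diverged from it."""
    twap, spot = oracle.price(), pool.spot_price()
    if abs(spot - twap) / twap > max_deviation:
        raise ValueError(f"spot {spot:.4f} deviates from average {twap:.4f}")
    return twap

def simulate(trade_base: float) -> tuple:
    """Ten quiet blocks, then one same-block trade. Returns (spot, twap, accepted)."""
    pool = Pool(token=10_000.0, base=10_000.0)   # thin pool, starting price 1.0
    oracle = TwapOracle(window=10)
    for _ in range(10):
        oracle.record_block(pool)
    pool.swap_base_for_token(trade_base)         # mid-block: no new sample is recorded
    try:
        guarded_price(pool, oracle)
        return pool.spot_price(), oracle.price(), True
    except ValueError:
        return pool.spot_price(), oracle.price(), False
```

A protocol that read `spot_price()` directly would accept whatever price the pool shows inside the transaction; the averaged price cannot move until a block boundary passes, and the deviation check turns a sudden divergence into a rejected quote.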
Flash Loan Attacks on DeFi Protocols: How They Work and How to Stop Them
Flash loan attacks exploit DeFi protocols by manipulating prices in a single transaction to steal millions. Learn how they work, real cases like Beanstalk and PancakeBunny, and how to protect yourself from these sophisticated blockchain exploits.