
Flash Loan Exploit Architecture: Anatomy of On-Chain Attacks and Mitigation Patterns

DeFi
2024-01-07

Flash loan exploits drained over $1B from DeFi by 2023. Audit-ready walkthrough of attack architecture, oracle manipulation, and engineering defenses.

Frequently Asked Questions

What is a flash loan?

A flash loan is an uncollateralized loan that must be borrowed and repaid within a single Ethereum transaction. If the borrower fails to repay the principal plus the protocol fee before the transaction concludes, the entire transaction reverts, including the original borrow. Aave and Balancer are the two most-used flash loan providers as of January 2024.

Why do flash loans enable on-chain attacks?

Flash loans grant attackers temporary access to capital far exceeding their own balance, which lets them manipulate AMM pool prices, skew low-liquidity oracles, and trigger collateral liquidations at scale. Such attacks would be capital-prohibitive without the flash loan primitive. The economic harm is borne by the protocol whose oracle or pricing logic was manipulated, not by the flash loan provider.

How can a protocol mitigate flash loan attacks?

Engineering mitigations include using time-weighted average price (TWAP) oracles instead of spot prices, sourcing prices from Chainlink rather than from on-chain AMM pools, enforcing per-block transaction limits on sensitive functions, requiring multi-block delays for large state changes, and integrating circuit breakers that pause the protocol when invariants are violated. No single mitigation is sufficient; defense in depth is required.
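The following contract is an added illustration of those mitigation patterns; it is not code from Ancilar, Aave, Balancer or any other protocol named on this page. HardenedVault is a hypothetical ETH collateral vault: the feed address, the constants (MAX_PRICE_AGE, MAX_DEVIATION_BPS, LARGE_WITHDRAWAL, WITHDRAWAL_DELAY_BLOCKS) and the probe() keeper entry point are all assumptions chosen for the example. The only external dependency is the shape of Chainlink's AggregatorV3Interface, declared inline so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Shape of Chainlink's AggregatorV3Interface, declared inline so the file compiles stand-alone.
interface AggregatorV3Interface {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical ETH collateral vault (not a real protocol) applying the mitigations above:
// a Chainlink feed instead of AMM spot, staleness checks, one sensitive call per address
// per block, a multi-block delay for large withdrawals, and a deviation circuit breaker.
contract HardenedVault {
    AggregatorV3Interface public immutable feed;        // assumed ETH/USD feed, 8 decimals
    uint256 public constant MAX_PRICE_AGE = 1 hours;     // reject rounds older than this
    uint256 public constant MAX_DEVIATION_BPS = 1_000;   // >10% jump between reads trips the breaker
    uint256 public constant LARGE_WITHDRAWAL = 10 ether; // withdrawals at or above this are delayed
    uint256 public constant WITHDRAWAL_DELAY_BLOCKS = 20;

    bool public paused;
    uint256 public lastPrice;                            // last accepted feed answer
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lastActionBlock;
    mapping(address => uint256) public pendingWithdrawal;
    mapping(address => uint256) public unlockBlock;

    event CircuitBreakerTripped(uint256 previousPrice, uint256 currentPrice);

    constructor(address feed_) { feed = AggregatorV3Interface(feed_); }

    modifier notPaused() { require(!paused, "paused"); _; }

    // Per-block limit: a second sensitive call from the same address in one block reverts,
    // so a deposit -> manipulate -> withdraw sequence cannot complete inside one transaction.
    modifier oncePerBlock() {
        require(lastActionBlock[msg.sender] < block.number, "one action per block");
        lastActionBlock[msg.sender] = block.number;
        _;
    }

    // Reads the feed and rejects negative, stale or incomplete rounds.
    function _freshPrice() internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "invalid price");
        require(answeredInRound >= roundId, "incomplete round");
        require(block.timestamp - updatedAt <= MAX_PRICE_AGE, "stale price");
        return uint256(answer);
    }

    function _deviationBps(uint256 reference, uint256 current) internal pure returns (uint256) {
        uint256 diff = reference > current ? reference - current : current - reference;
        return diff * 10_000 / reference;
    }

    // Price for state-changing paths: reverts when the feed jumped more than
    // MAX_DEVIATION_BPS since the last accepted read, so the action fails closed.
    function _stablePrice() internal returns (uint256) {
        uint256 price = _freshPrice();
        require(lastPrice == 0 || _deviationBps(lastPrice, price) <= MAX_DEVIATION_BPS, "circuit breaker");
        lastPrice = price;
        return price;
    }

    // Permissionless probe for a watcher bot: a revert inside _stablePrice protects one
    // transaction but cannot persist state, so this path records the pause instead.
    function probe() external {
        uint256 price = _freshPrice();
        if (lastPrice != 0 && _deviationBps(lastPrice, price) > MAX_DEVIATION_BPS) {
            paused = true;
            emit CircuitBreakerTripped(lastPrice, price);
        }
        lastPrice = price;
    }

    function deposit() external payable notPaused oncePerBlock {
        balances[msg.sender] += msg.value;
    }

    // Small withdrawals settle now; large ones are queued for WITHDRAWAL_DELAY_BLOCKS.
    // State is updated before the external call (checks-effects-interactions).
    function withdraw(uint256 amount) external notPaused oncePerBlock {
        require(balances[msg.sender] >= amount, "insufficient balance");
        _stablePrice(); // withdrawals shrink collateral that price-dependent logic relies on
        balances[msg.sender] -= amount;
        if (amount >= LARGE_WITHDRAWAL) {
            pendingWithdrawal[msg.sender] += amount;
            unlockBlock[msg.sender] = block.number + WITHDRAWAL_DELAY_BLOCKS;
            return;
        }
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function executeWithdrawal() external notPaused oncePerBlock {
        uint256 amount = pendingWithdrawal[msg.sender];
        require(amount > 0 && block.number >= unlockBlock[msg.sender], "not unlocked");
        pendingWithdrawal[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two design points are worth noting. The per-block guard and the withdrawal delay deliberately make a flash-loan-sized round trip impossible to close in one transaction, which is the property the attack depends on. The circuit breaker is split in two because a revert cannot leave the contract paused: _stablePrice fails the individual transaction closed, while probe() lets any watcher persist the pause so later transactions are blocked until the operators intervene.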


Tags: Flash Loans, DeFi Security, EIP-3156, Oracle Manipulation, Reentrancy, Smart Contract Audit, Slither, OpenZeppelin
