What Are Flash Loans: Crypto Borrow and Flash Loan Attacks

On April 17, 2022, an anonymous attacker borrowed more than $1 billion in a single atomic transaction from Aave, Uniswap and SushiSwap, bought up enough Stalk governance tokens on the Beanstalk stablecoin protocol to pass a malicious proposal, drained the treasury, and repaid everything before the block closed. Net damage: $182 million. Time elapsed: one Ethereum block, roughly 13 seconds. The attacker never owned a dollar of their own. This is what a flash loan is, and it is also why the primitive has such a strange reputation in DeFi.

So what are flash loans, exactly? A flash loan is an uncollateralized loan that exists only because blockchain transactions are atomic. You borrow any amount of tokens you want, use them, and pay back everything inside a single transaction. If you fail to pay back the principal plus fee, the entire transaction is reverted as if nothing happened. No credit check, no upfront collateral, no KYC. Because flash loans need none of those things, they are a type of loan with no counterpart in traditional finance. This guide covers what flash loans are in the DeFi ecosystem: how they actually work in EVM code, real use cases, the biggest exploits from 2020 through 2025, how Aave, Balancer and Uniswap compare as providers, and how protocols defend themselves in 2026.

What is a flash loan and how it works

A flash loan is a type of uncollateralized loan unique to decentralized finance, and it is the clearest example of a flash-style primitive in the DeFi market. You call a function on a lending protocol, the protocol transfers the requested amount of tokens into your contract, your contract runs arbitrary logic with those funds, and then the protocol pulls the principal plus a small fee back out before the transaction ends. If the pool cannot collect what it is owed, the entire transaction is reverted and no state change survives. From the protocol's point of view, the loan never happened. Flash loans have a controversial reputation because the same primitive that lets developers borrow assets without upfront collateral also lets attackers reach bugs that used to require real money to exploit.

The term first appeared in Marble Protocol's 2018 design for a "smart contract bank" that would let developers execute atomic uncollateralized loans on Ethereum. But flash loans only became mainstream when Aave launched them as part of Aave V1 on Ethereum mainnet in January 2020. Aave's blog post announcing the feature, written by Marc Zeller, framed it as a way to give retail DeFi users the same instant liquidity access that hedge funds had always had in traditional finance. Within a year, Aave had processed roughly $2 billion in flash loans. By 2025 the protocol's flash loan volume had grown to about $7.5 billion in a single rolling three-month window, per TradingView data.

How flash loans work in a single transaction

Every blockchain transaction is atomic. Either every line of code inside it runs successfully, or none of it does. Flash loans weaponize this property. A caller deploys a contract that implements the provider's receiver interface and then invokes a function like `flashLoan()` on the lending pool. Here is the sequence:

1. Your contract calls `flashLoan()` on Aave's pool, asking for a specific amount of tokens.

2. The pool transfers those tokens to your contract and calls your `executeOperation` callback.

3. Your contract runs whatever arbitrary logic it needs to: a DEX swap, a liquidation, a governance vote.

4. Before the callback returns, your contract approves the pool to pull back the principal plus the premium fee.

5. The pool pulls the funds. If the balance is short by even one wei, the whole transaction reverts.

Flash loans are not possible on any chain that does not support atomic transactions, which is why they remain an EVM-native primitive. The entire transaction lives and dies on atomicity. There is no scenario where a developer initiates a flash loan, borrows funds and then fails to repay the loan, because the blockchain will not let that state persist: the transaction is reverted, and everyone walks away as if nothing occurred. That is also why flash loans need no upfront collateral, credit scoring, or trust in the borrower. If the borrower has not paid back the loan by the end of the transaction, the loan is not repaid and the state is rolled back. Defaulting on a flash loan is mathematically impossible inside collateralized lending pools that support this mechanic.

The 2020 ERC-3156 standard formalized the flash loan interface across Ethereum with two contracts: `IERC3156FlashLender` (what the pool must implement) and `IERC3156FlashBorrower` (what your contract must implement). The standard unified what had been a fragmented set of flash loan implementations with inconsistent push/pull repayment models.
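
The five-step sequence above is easiest to see with a small model of the pool, the receiver and the ledger they share. The following Python simulation is an added example, not code from the article or from Aave: it mimics the shape of Aave's `executeOperation` callback (receive funds, run logic, approve repayment, return true) and the pool's pull-back of principal plus a 0.05% premium, and it snapshots the ledger before the call so that a short repayment rolls every state change back, the way an EVM revert does. The two DEX prices, pool liquidity and contract names (`dex_a`, `dex_b`, `pool`, `arb`) are constructed sample values.

```python
import copy
from dataclasses import dataclass, field


class Revert(Exception):
    """The simulated transaction failed; every state change inside it is discarded."""


@dataclass
class Token:
    """Minimal ERC-20-style ledger in whole USDC units (constructed, not a real token)."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise Revert(f"{src}: insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, src, dst, amount):
        if self.allowances.get((src, spender), 0) < amount:
            raise Revert(f"{spender}: allowance too low")
        self.allowances[(src, spender)] -= amount
        self.transfer(src, dst, amount)


class LendingPool:
    """Pool side of the flow: lend, run the receiver's callback, pull principal + premium, or revert."""
    name = "pool"
    PREMIUM_BPS = 5  # 0.05 % premium, the Aave V3 figure quoted in the article

    def __init__(self, token, liquidity):
        self.token = token
        token.balances[self.name] = liquidity

    def flash_loan(self, receiver, amount):
        premium = amount * self.PREMIUM_BPS // 10_000
        snapshot = copy.deepcopy(self.token)  # chain state before the transaction
        try:
            self.token.transfer(self.name, receiver.name, amount)                    # step 2: send funds
            ok = receiver.execute_operation(self.token, amount, premium, self.name)  # steps 3-4: callback
            if not ok:
                raise Revert("receiver returned false")
            self.token.transfer_from(self.name, receiver.name, self.name, amount + premium)  # step 5
        except Revert:
            # Atomicity: undo everything the callback did, including its DEX trades.
            self.token.balances = snapshot.balances
            self.token.allowances = snapshot.allowances
            raise
        return premium


class Arbitrageur:
    """Receiver contract: buy ETH on venue A, sell on venue B, approve repayment (prices constructed)."""
    name = "arb"

    def __init__(self, buy_price, sell_price):
        self.buy_price = buy_price    # USDC per ETH on dex_a
        self.sell_price = sell_price  # USDC per ETH on dex_b

    def execute_operation(self, token, amount, premium, pool):
        eth = amount // self.buy_price                              # ETH bought with the borrowed USDC
        token.transfer(self.name, "dex_a", amount)                  # pay dex_a for the ETH
        token.transfer("dex_b", self.name, eth * self.sell_price)   # dex_b pays USDC for the same ETH
        token.approve(self.name, pool, amount + premium)            # let the pool pull principal + fee
        return True


def run_arbitrage(buy_price=3_000, sell_price=3_010, principal=3_000_000):
    """Return (outcome, pool USDC balance, arbitrageur USDC balance) after one flash-loan transaction."""
    token = Token()
    token.balances["dex_b"] = 10_000_000  # constructed: dex_b holds enough USDC to buy the ETH
    pool = LendingPool(token, liquidity=50_000_000)
    arb = Arbitrageur(buy_price, sell_price)
    try:
        pool.flash_loan(arb, principal)
    except Revert:
        return "reverted", token.balance_of(pool.name), token.balance_of(arb.name)
    return "ok", token.balance_of(pool.name), token.balance_of(arb.name)


if __name__ == "__main__":
    print(run_arbitrage())                  # ('ok', 50001500, 8500): $10 gap on 1,000 ETH minus the $1,500 fee
    print(run_arbitrage(sell_price=3_000))  # ('reverted', 50000000, 0): no gap, pool cannot be repaid, state rolled back
```

The second call is the interesting one: the receiver did pay dex_a and did receive funds from dex_b, yet after the revert neither venue's balance shows any trace of the trade, and the pool is exactly as liquid as before. Gas is the only thing the borrower actually spent.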

How flash loans are used in DeFi every day

Most flash loan volume is boring. The overwhelming majority of flash loans used across the DeFi market goes toward legitimate strategies that benefit from short-term access to large amounts of tokens. Flash loans let ordinary users punch above their weight in exactly the same way a hedge fund does inside traditional markets, except without the relationship banking. Protocols like Aave support flash loans natively and have turned the mechanic into a core building block for on-chain strategies.

  • Arbitrage: the biggest use case. Bots spot a price difference between two DEXes for the same pair, flash loan enough capital to close the gap, execute a cross-DEX trade, and take home the spread. Arbitrage profits help align prices across venues.
  • Collateral swap: you have a loan open on Aave with ETH collateral, and you want to swap that collateral for wBTC without closing the position. A flash loan lets you refinance in one transaction.
  • Self-liquidation: if your position is about to be liquidated by a bot charging a 5-15% penalty, you can flash loan the liquidation amount, close your own position, and keep the penalty for yourself.
  • Debt refinancing: moving an outstanding loan from one lending protocol to another with a better rate, in one transaction.
  • Liquidations: professional liquidator bots use flash loans to front the capital needed to liquidate an undercollateralized position and pocket the bonus.

Credit delegation is an adjacent Aave feature that lets a depositor delegate borrowing power to another address. It is distinct from flash loans but often combined with them in complex DeFi strategies. In all of these, the key insight is the same: flash loans democratize access to capital for anyone who can write Solidity.

Arbitrage, collateral swaps and other use cases

Arbitrage is the canonical example because the numbers work out cleanly. Imagine ETH is trading at $3,000 on Uniswap and $3,010 on SushiSwap. A searcher takes out a flash loan for $3 million USDC from Aave, buys 1,000 ETH on Uniswap for $3,000,000, sells those 1,000 ETH on SushiSwap for $3,010,000, repays Aave $3,000,000 plus the 0.05% premium ($1,500), and walks away with roughly $8,500 of profit in a single transaction. Gas fees eat a portion of that, but the math still works if the gap is big enough. This arbitrage pattern is why flash loans have become the default tool for closing price differences across markets.

Collateral swapping gets the same benefit in a different direction. Say you opened a $100,000 loan on Aave with ETH as collateral, and you are now worried ETH will drop. Normally you would need to repay the loan, unlock your ETH, sell it for wBTC, redeposit, and reopen the position, all while taking slippage on each hop. A flash loan lets you do all of it in one atomic transaction: borrow the $100,000 needed to cover the loan, close the original loan, receive the ETH, swap it for wBTC, deposit wBTC as new collateral, reopen the loan, repay the flash loan. Your position never went unmanaged. That is the power of collateral swapping in a single atomic call.

The number of unique opportunities for arbitrage across different markets in DeFi is part of why flash loans kept growing even after the big exploits. Every new AMM, every new lending protocol, and every new chain adds another set of price gaps that a searcher with a flash loan can close.

Flash loan providers: Aave, Balancer, Uniswap

Four providers dominate the flash loan market in 2026. Each takes a slightly different approach to fees and integration complexity.

| Provider | Fee | Notable feature | Supported chains |
|---|---|---|---|
| Aave V3 | 0.05% of principal (governance-adjustable, was 0.09% in V2) | Largest flash loan venue, 30+ supported assets, $7.5B volume in 2025 | Ethereum, Polygon, Avalanche, Arbitrum, Optimism, Base, more |
| Balancer Vault | 0% (zero by design) | Single-vault architecture, cheapest venue for simple loans | Ethereum, Polygon, Arbitrum, Optimism, Gnosis |
| Uniswap V3 flash swaps | Pool swap-fee tier: 0.01%, 0.05%, 0.30%, or 1.00% | Deepest liquidity but more complex integration | Ethereum, Polygon, Arbitrum, Optimism, Base, others |
| dYdX (historical) | ~0 (principal + 2 wei) | Limited asset set (ETH, DAI, USDC), migrated to Cosmos appchain in v4 | Ethereum (v1-v3) |
| Equalizer | Variable, pool-dependent | Purpose-built flash loan marketplace | Ethereum |

Aave is the default choice for most developers. It has the deepest liquidity, the biggest asset menu, and a well-documented receiver interface. Balancer is the cheapest venue when you only need a single asset and do not mind the vault mechanics. Uniswap flash swaps are technically not flash loans (they are atomic token swaps with deferred payment), but they serve the same purpose for arbitrage and often have better liquidity for a specific pair. dYdX's flash loan era effectively ended in 2023-2024 when the protocol migrated to its own Cosmos-based appchain, so its flash loans are now a historical footnote rather than an active venue.

Flash loans vs traditional loans in finance

Comparing flash loans with traditional loans is almost unfair because they belong to different categories. Traditional loans require upfront collateral, a credit check, usually some form of KYC, and they persist across months or years with monthly repayments. Flash loans require none of that. The only "collateral" is atomicity itself, enforced by the EVM. The only "term" is the single transaction you are inside.

Here is the tradeoff most newcomers miss. Traditional loans are useful for anything that has to persist beyond a single block: buying a house, paying tuition, financing a business. Flash loans are useless for any of those things because the principal has to return to the pool before the transaction ends, and the loan is repaid inside the same block or it never existed. What flash loans are actually good at is executing a programmatic financial operation inside one block: an arbitrage, a liquidation, a collateral swap. Since flash loans can only exist inside a single transaction, they are a tool for specific DeFi mechanics, not a funding source for real-world spending. Think of them as a new type of loan mechanic native to DeFi smart contracts, not as a replacement for a mortgage.

The atomic nature is also why a flash loan is not possible outside the EVM ecosystem right now. Solana, Move-based chains and non-atomic execution environments do not enforce the same guarantee. Flash loans live entirely in the world of collateralized lending pools that can safely pay out millions of dollars because they know the funds are guaranteed to return.

Flash loan attacks: biggest 2020-2025 exploits

Flash loans have a controversial reputation, and it comes almost entirely from their role in DeFi exploits. Halborn's Top 100 DeFi Hacks 2025 report estimates that flash loans were used in 83.3 percent of eligible DeFi exploits during 2024. That number looks terrifying until you realize something important: flash loans are not vulnerabilities in themselves. They are a force multiplier. Every major flash loan attack exploits a pre-existing bug (a manipulable oracle, a rounding error, a governance contract without a timelock) that flash loans let an attacker reach without needing to already own hundreds of millions of dollars.

| Date | Protocol | Loss | Root cause |
|---|---|---|---|
| Feb 2020 | bZx | ~$954,000 | First high-profile incident, manipulated Uniswap v1 as oracle |
| Oct 26, 2020 | Harvest Finance | $33.8M | $50M USDC flash loan from Uniswap manipulated Curve y-pool prices |
| Oct 27, 2021 | Cream Finance | $130M | yUSD price manipulation across 68 assets in a single transaction |
| Apr 17, 2022 | Beanstalk | $182M | Flash-loaned $1B+ to pass malicious governance proposal; no timelock |
| Oct 11, 2022 | Mango Markets | $116M (SEC) | Avraham Eisenberg inflated MNGO oracle to borrow against fake collateral |
| Feb 16, 2023 | Platypus Finance | $8.5M | $44M USDC flash loan from Aave hit faulty emergencyWithdraw solvency check |
| Mar 13, 2023 | Euler Finance | $197M | donateToReserves bug; attacker returned all funds weeks later |
| Jan 2, 2024 | Radiant Capital | $4.5M | Rounding issue in Compound/Aave fork on new Arbitrum USDC market |
| Apr 14, 2025 | KiloEx | $7.5M | Cross-chain price oracle manipulation; all funds returned in 4 days |

These are only the biggest cases. The pattern stays the same every time: a smart contract somewhere reads a price or a balance in a way that can be manipulated inside a single block, and a flash loan gives the attacker enough firepower to push that reading far off its fair value. Flash loans fund various types of attacks on DeFi protocols, from simple oracle manipulation to full governance takeovers. The total crypto theft across all vectors in 2024 was $1.49 billion per Chainalysis, and 2025 jumped to $3.4 billion, although much of that was the single Bybit exchange breach in February 2025 ($1.5 billion). DeFi-specific losses remained flatter as oracle hardening and invariant testing became standard.

How a price oracle turns into a flash loan attack

Every major flash loan exploit is, at its core, an oracle manipulation story. The mechanics are the same across most of them. A protocol needs to know the price of an asset in order to make a decision, often the collateral value of a borrower's position. The protocol reads that price from somewhere on-chain. If that somewhere is a single DEX pool that can be moved by a large trade, then a flash loan is exactly the tool needed to move it.

Here is the archetype, step by step. An attacker flash loans $100 million USDC from Aave. They dump all of it into a target DEX pool in exchange for token X, pushing X's price up 300 percent on that pool. They borrow as much as the victim protocol will lend them against their now-inflated X collateral. They return the pool to roughly the original price with the opposite trade. They repay the Aave flash loan. They keep the excess borrowed funds. The whole thing executes in one transaction. The victim protocol reads the inflated price only once, during the attacker's window, and the victim contract has no way to tell the difference.

This is what happened on bZx in February 2020, and it is what has happened in almost every oracle-related flash loan exploit since. The fix is straightforward in principle: do not rely on a price oracle that can be moved inside a single block. In practice, it took the industry several years and hundreds of millions of dollars in losses to actually ship that fix at scale.

Mitigating flash loan attacks at the protocol level

The playbook for defending against flash loan attacks has hardened materially since 2020. If you are building a DeFi protocol in 2026, these are table-stakes defenses, not novelties.

  • TWAP oracles (time-weighted average prices) read the average price over the previous N blocks, typically 30 minutes. A single-transaction flash loan cannot move a 30-minute average meaningfully, so TWAPs neutralize spot-price manipulation. Uniswap V2 and V3 expose built-in TWAP cumulative accumulators.
  • Chainlink Price Feeds aggregate off-chain VWAP data from many exchanges and update asynchronously. To manipulate a Chainlink feed an attacker would have to corrupt more than half of the feed's independent oracle nodes, not just move one DEX pool. This is the reason most modern lending protocols use Chainlink as their primary oracle.
  • Re-entrancy guards prevent the flash-loaned contract from re-entering the victim during its callback. OpenZeppelin's `nonReentrant` modifier is the standard implementation.
  • Governance timelocks delay any governance action by 24 to 48 hours between proposal passage and execution. A flash-loan-acquired voting majority evaporates long before it can be used. Beanstalk's $182 million loss in April 2022 would not have been possible with a basic timelock.
  • Pause mechanisms and circuit breakers give DAO councils emergency keys to halt the protocol instantly. Radiant Capital used exactly this in January 2024 to stop the bleeding six seconds after its vulnerable USDC market deployed.
  • Invariant and property-based testing with Foundry or Echidna catches edge-case bugs like the Euler Finance `donateToReserves` issue before mainnet. Post-Euler, this became standard practice for every audit-grade codebase.

The combination of these defenses is why the ratio of DeFi losses to DeFi TVL has fallen steadily since 2022 even as TVL climbed back. Flash loans did not get less powerful. Protocols got better at reading prices.
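
The oracle archetype described above and the TWAP defense from the list are two sides of one measurement: how far can a single-block trade move the price a lending contract reads? The following Python simulation is an added example, not code from the article or from Uniswap. It models a constant-product pool and compares a naive spot oracle (reserve ratio) with a time-weighted average over a 150-block window (about 30 minutes at 12-second blocks). Pool reserves, the 0.30% swap fee and the trade size are constructed values. The TWAP here records one observation per block, which is deliberately pessimistic: Uniswap V2's real accumulator is weighted by elapsed time and samples the price at the first trade in each block, so a manipulation that is reversed within the same block contributes nothing at all.

```python
from collections import deque


class ConstantProductPool:
    """Toy Uniswap-V2-style AMM (constructed): reserve_x * reserve_usdc is preserved on each swap."""

    def __init__(self, reserve_x, reserve_usdc, fee_bps=30):
        self.reserve_x = reserve_x
        self.reserve_usdc = reserve_usdc
        self.fee_bps = fee_bps

    def spot_price(self):
        """USDC per unit of X, exactly what a naive on-chain spot oracle would read."""
        return self.reserve_usdc / self.reserve_x

    def swap_usdc_for_x(self, usdc_in):
        """Sell USDC into the pool for X; a trade large relative to reserves moves spot sharply."""
        usdc_in_after_fee = usdc_in * (10_000 - self.fee_bps) / 10_000
        x_out = self.reserve_x * usdc_in_after_fee / (self.reserve_usdc + usdc_in_after_fee)
        self.reserve_usdc += usdc_in
        self.reserve_x -= x_out
        return x_out


class TwapOracle:
    """Simplified TWAP: mean of one price observation per block over the last `window_blocks` blocks."""

    def __init__(self, window_blocks):
        self.observations = deque(maxlen=window_blocks)

    def record(self, price):
        self.observations.append(price)

    def read(self):
        return sum(self.observations) / len(self.observations)


def oracle_sensitivity(trade_usdc, window_blocks=150):
    """How far one single-block trade of `trade_usdc` moves each oracle, as a multiple of the fair price."""
    pool = ConstantProductPool(reserve_x=10_000, reserve_usdc=30_000_000)  # constructed: $3,000 per X
    twap = TwapOracle(window_blocks)                                        # 150 blocks ~ 30 min at 12 s
    for _ in range(window_blocks):          # a quiet history at the fair price
        twap.record(pool.spot_price())
    fair = pool.spot_price()

    pool.swap_usdc_for_x(trade_usdc)        # the flash-loan-sized trade lands in the current block
    twap.record(pool.spot_price())          # that block's price enters the averaging window
    return {
        "spot": pool.spot_price() / fair,   # what a spot-reading lender would value X at
        "twap": twap.read() / fair,         # what a TWAP-reading lender would value X at
    }


if __name__ == "__main__":
    for size in (0, 10_000_000, 100_000_000):
        r = oracle_sensitivity(size)
        print(f"trade ${size:>11,}: spot x{r['spot']:.2f}, twap x{r['twap']:.3f}")
```

On a $60 million pool, a $100 million one-block trade multiplies the spot reading by more than eighteen while the 150-block average moves by about twelve percent, and with Uniswap's real time-weighted sampling the in-block manipulation would not register at all. A contract that prices collateral off `spot_price()` is the bZx-style victim; one that reads the average (or a Chainlink feed) is not.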

Flash loans, money laundering and blockchain tracking

Flash loans have also become a small but real concern for on-chain compliance teams. The argument is not that flash loans themselves launder money, since the principal has to return to the pool within the same transaction. The real worry is that they can be chained with mixers, cross-chain bridges and swap aggregators to fragment the trail of stolen funds in ways that make them harder to attribute. The Zunami Protocol attack of 2024 used a single flash-loan-driven manipulation to extract about $2.1 million, and portions of the proceeds moved through multiple protocols before landing in mixer addresses.

On the positive side, every flash loan is a fully public EVM transaction. Analytics firms like Chainalysis, TRM Labs and Elliptic can reconstruct the exact sequence of calls after the fact, including the flash-loan provider, the amounts borrowed, and every downstream contract interaction. The Euler Finance attacker ("Jacob") was publicly traced in near real time in March 2023 and eventually returned all the funds, in part because the on-chain trail was unambiguous. Flash loans do not make attackers anonymous. They just make the window between exploitation and clean settlement extremely short.

2024-2026 flash loan state and volume growth

Flash loans quietly crossed into maturity during 2024 and 2025. Aave's V3 flash loan volume reached roughly $7.5 billion in a single rolling three-month stretch in 2025 according to TradingView coverage, with the protocol leading DeFi lending overall at about $25 billion in outstanding loans of all types per The Block. Balancer kept its 0 percent flash loan fee through multiple governance votes, specifically to keep developer integrations coming. Uniswap V3 flash swaps remained the go-to when searchers needed a specific pair's depth rather than a general-purpose loan.

Exploits did not disappear, but they got smaller on average. Radiant Capital lost $4.5 million six seconds after deploying a flawed USDC market on Arbitrum on January 2, 2024. KiloEx lost $7.5 million on April 14, 2025 to a cross-chain oracle manipulation exploit, with all funds returned four days later in exchange for a $750,000 white-hat bounty. Both events were orders of magnitude smaller than the 2021-2023 era of $100M+ single-day losses, and both were caught and contained quickly.

The most important 2025 story was legal, not technical. A Manhattan jury convicted Avraham Eisenberg in April 2024 for the $116 million Mango Markets exploit, treating the flash-loan-driven oracle manipulation as wire fraud and commodities manipulation. Then on May 23, 2025, Judge Arun Subramanian vacated all of the criminal convictions on venue and element grounds. The ruling did not endorse Eisenberg's defense that the trade was "legal market manipulation," but it did reset the legal baseline for how flash loan exploits get prosecuted in the United States.

The bottom line on flash loans in 2026

Flash loans are one of DeFi's cleanest innovations and one of its most misunderstood. They are not inherently malicious. They are not a vulnerability. They are a primitive that gives anyone with a contract the same instant-liquidity access that hedge funds used to monopolize, and the vast majority of flash loan volume in 2026 is boring arbitrage and refinancing operations that help DeFi prices stay aligned. The attacks make the headlines, but the volume comes from searchers keeping markets efficient.

The flip side is that any protocol that reads a price, a balance, or a voting threshold in a way that can be manipulated inside one block is going to get tested by a flash loan eventually. The right response is not to ban flash loans (you cannot). It is to build protocols that remain correct even when an attacker briefly controls a billion dollars. TWAP oracles, Chainlink feeds, governance timelocks and invariant testing are no longer optional. They are the cost of operating on a chain where flash loans exist.

Any questions?

In most jurisdictions, using a flash loan for legitimate arbitrage or refinancing is perfectly legal. Using one to execute a market manipulation or drain a vulnerable protocol is a different story. The Avraham Eisenberg case around the 2022 Mango Markets exploit was the first major test: a Manhattan jury convicted him in April 2024, then Judge Subramanian vacated all criminal convictions on May 23, 2025.

A flash loan attack is any exploit that uses a flash loan to move enough capital to trigger a pre-existing bug in a target protocol. The flash loan itself is not the vulnerability. The vulnerability is always something else: a manipulable oracle, a rounding error, a governance contract without a timelock. Flash loans just give the attacker the capital to reach the bug. Every famous case (bZx, Harvest, Cream, Beanstalk, Mango, Euler) fits this pattern.

Nothing. Literally nothing. The entire transaction reverts as if it never happened. The borrower never actually received the funds from the pool's state perspective, the protocol never lost any money, and the only real cost is the gas fee the borrower paid to execute the failed transaction. This is why there is no concept of defaulting on a flash loan: default is mathematically impossible. The atomic nature of blockchain transactions guarantees that state rolls back on any revert.

The point is that they democratize access to capital for on-chain operations that only need funding for a single transaction. Before flash loans, arbitrage, liquidations and collateral swaps were the domain of a small number of well-capitalized DeFi whales. Flash loans let anyone with a working contract and basic Solidity knowledge execute the same strategies with zero upfront capital. The result is more efficient DeFi markets for everyone.

Exactly one blockchain transaction. On Ethereum that is roughly 12 to 13 seconds. The loan starts when the pool transfers funds into your contract, runs through your callback logic, and ends when the pool pulls the principal plus the fee back out. If you cannot repay within that single transaction, the whole thing reverts and it is as if the loan never existed. There is no concept of a flash loan lasting "a few blocks" or "a minute." One transaction or nothing.

The clearest example is DEX arbitrage. A searcher sees ETH at $3,000 on Uniswap and $3,010 on SushiSwap. They borrow $3 million USDC from Aave via a flash loan, buy 1,000 ETH on Uniswap, sell the same 1,000 ETH on SushiSwap, repay Aave plus the 0.05% fee, and keep the spread. All of it executes in one transaction. No collateral changes hands, no user signs up for a credit line, nobody even knows it happened unless they read the block.
