
Understanding Flash Loan Attack Vectors: An Advanced Technical Walkthrough of the Citadel Finance Exploit

On January 27, 2024, Citadel Finance on Arbitrum lost 43 ETH (approximately $93,000) to a flash loan attack exploiting price manipulation in its redemption contract. For developers and advanced users seeking to understand — and defend against — this class of vulnerability, this technical walkthrough dissects the exact attack vector and examines the code-level failures that enabled the exploit.

The Objective

This guide aims to provide a comprehensive understanding of how flash loan price manipulation attacks work in practice, using the Citadel Finance exploit as a real-world case study. By the end, you will be able to identify vulnerable code patterns in DeFi protocols, understand the economics of flash loan attacks, and implement defensive measures in your own smart contract development.

Prerequisites

This walkthrough assumes familiarity with Solidity smart contract development, an understanding of Automated Market Maker (AMM) mechanics, and basic knowledge of how flash loans operate on Ethereum and EVM-compatible chains. You should be comfortable reading Solidity code and understanding function calls, token approvals, and DEX routing mechanisms. Familiarity with Arbitrum and the Camelot DEX will be helpful but is not required.

Step-by-Step Walkthrough

Step 1: Understanding the vulnerable contract. The CITRedeem contract on Arbitrum handles token redemptions for Citadel Finance. The critical vulnerability lies in the variable-rate redemption path. When a user calls the redeem function with the rate parameter set to 0 (variable rate), the contract uses the Camelot Router’s getAmountsOut function to determine the exchange rate. The routing path goes through three hops: CIT to WETH to USDC. This means the redemption value depends entirely on the current spot price in the Camelot liquidity pools — a price that can be manipulated within a single transaction.

Step 2: The flash loan acquisition. The attacker borrowed approximately 4,500 WETH through a flash loan from a lending protocol. Flash loans allow borrowing any amount of capital without collateral, provided the loan is repaid within the same transaction. This single-transaction constraint is what makes flash loans powerful for arbitrage and, unfortunately, for exploits. The attacker now had a massive capital advantage to distort market prices.

Step 3: Pool price manipulation. The attacker deposited the 4,500 WETH into the Camelot WETH/USDC liquidity pool. In an AMM, the price is determined by the ratio of tokens in the pool. By adding a massive amount of WETH relative to USDC, the attacker skewed the pool’s internal price ratio, making WETH appear artificially cheap relative to USDC. This is the core mechanism of any AMM-based price manipulation attack.

Step 4: Exploiting the distorted price. With the pool price manipulated, the attacker called redeem on the CITRedeem contract. The contract queried the now-distorted Camelot Router for the exchange rate, which returned an inflated redemption value. The attacker burned only 30.51 CIT tokens but received 21.326 WETH from the treasury — a vastly disproportionate exchange enabled by the manipulated oracle.

Step 5: Loan repayment and profit extraction. The attacker withdrew their 4,500 WETH from the Camelot pool, restoring the price to its natural level. They then repaid the flash loan within the same transaction. The net profit was the 21.326 WETH extracted from Citadel’s treasury, worth approximately $48,000 at the ETH price of roughly $2,267 at the time of the attack.

Troubleshooting

Identifying vulnerable patterns in your own code: Any contract that uses spot prices from AMM pools for financial calculations is vulnerable. Search your codebase for calls to getAmountsOut, getAmountIn, or direct reserve-based price calculations. Replace these with time-weighted average prices (TWAP) from Uniswap V2/V3 or use Chainlink price feeds.

Testing for flash loan vulnerability: Use Foundry or Hardhat to write tests that simulate flash loan attacks against your protocol. Create a test that borrows a large amount of capital within a single transaction, manipulates the pool price, and then interacts with your contract. If the attacker can extract more value than they should, your contract is vulnerable. Automated tools like Slither can also detect some price manipulation patterns.

Implementing circuit breakers: Add checks that compare the current spot price against a time-weighted average. If the deviation exceeds a reasonable threshold — typically 5-10% — the transaction should revert. This simple measure would have prevented the Citadel Finance exploit entirely, as the price manipulation from a 4,500 WETH deposit would have exceeded any reasonable deviation threshold.
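As an added example (not Citadel Finance's code), the Step 1 spot-price redemption pattern beside a hardened redeem that applies the deviation check described above. The interfaces, the IReferenceOracle feed, the contract names and the 5% threshold are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal interfaces (assumed); only the functions used below.
interface IRouter {
    function getAmountsOut(uint256 amountIn, address[] calldata path) external view returns (uint256[] memory);
}
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}
// Assumed manipulation-resistant reference (a TWAP or Chainlink-style feed): payout-token value of 1e18 input units.
interface IReferenceOracle {
    function refPrice() external view returns (uint256);
}

// Shared state for both variants; `path` is the router route, e.g. CIT -> WETH -> USDC as in the article.
abstract contract RedeemBase {
    IRouter public router; IERC20 public cit; IERC20 public payout; address[] public path;
    constructor(IRouter r, IERC20 c, IERC20 p, address[] memory route) {
        router = r; cit = c; payout = p; path = route;
    }
    function spotOut(uint256 amountIn) internal view returns (uint256) {
        return router.getAmountsOut(amountIn, path)[path.length - 1]; // last hop = payout token
    }
}

// VULNERABLE (the Step 1 pattern): the payout is whatever the pool's spot price says in this block.
contract RedeemVulnerable is RedeemBase {
    constructor(IRouter r, IERC20 c, IERC20 p, address[] memory route) RedeemBase(r, c, p, route) {}
    function redeem(uint256 citAmount) external {
        cit.transferFrom(msg.sender, address(this), citAmount); // burn/escrow of CIT omitted
        payout.transfer(msg.sender, spotOut(citAmount));
    }
}

// HARDENED: circuit breaker that reverts when spot deviates from the reference by more than 5%.
contract RedeemHardened is RedeemBase {
    IReferenceOracle public oracle;
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5%
    error PriceDeviation(uint256 spot, uint256 reference);
    constructor(IRouter r, IERC20 c, IERC20 p, address[] memory route, IReferenceOracle o)
        RedeemBase(r, c, p, route) { oracle = o; }
    function redeem(uint256 citAmount) external {
        cit.transferFrom(msg.sender, address(this), citAmount);
        uint256 spot = spotOut(citAmount);
        uint256 expected = citAmount * oracle.refPrice() / 1e18;
        uint256 diff = spot > expected ? spot - expected : expected - spot;
        // Fails closed: a zero or stale reference with a non-zero spot also reverts.
        if (diff * 10_000 > expected * MAX_DEVIATION_BPS) revert PriceDeviation(spot, expected);
        payout.transfer(msg.sender, spot < expected ? spot : expected); // never pay above the reference
    }
}
```

In the hardened variant the manipulated spot quote from Step 4 would fail the deviation check and the whole transaction, flash loan included, reverts.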

Mastering the Skill

Flash loan attack vectors represent one of the most active areas of DeFi security research. To deepen your expertise, study historical exploits on Rekt News, which maintains a comprehensive database of DeFi hacks sorted by severity. Analyze the attack transactions on block explorers — the Citadel Finance attacker transaction on Arbiscan (0xf52a681…) provides a complete blueprint of the attack for educational purposes. Practice writing defensive Solidity code that implements TWAP oracles, rate limits, and emergency pause mechanisms. The most effective security measure is always a thorough audit by experienced smart contract security firms before deploying any DeFi protocol to mainnet.

Disclaimer: This article is for educational purposes only. The technical analysis is provided to help developers build more secure smart contracts. Always conduct professional security audits before deploying financial smart contracts.


11 thoughts on “Understanding Flash Loan Attack Vectors: An Advanced Technical Walkthrough of the Citadel Finance Exploit”

  1. 43 ETH for a flash loan attack feels almost small time these days, but the redemption contract vector is what makes this interesting. Most devs still don't properly validate oracle inputs during the callback

    1. Price-dependent redemption logic without TWAP protection is basically leaving your front door open. This attack pattern has been documented since 2020

    2. The redemption contract specifically lacked any freshness check on the price. Not even a stale price threshold. Literally the minimum you could do and they skipped it

      1. Marco L., not even a stale threshold check. The dev literally just called the spot price once and used it. First year smart contract course material right there

  2. The fact that Citadel was on Arbitrum makes the gas cost of the attack basically negligible. The attacker probably spent more time writing the exploit than the actual execution cost

    1. Arbitrum gas being basically free means flash loan attacks cost pennies to execute. The ROI on a 43 ETH exploit is insane

      1. Devon C., the ROI math on L2 flash loans is insane. Spend 2 cents on gas to extract $93k. Mainnet would have eaten margins on an attack this size

    2. ^ Exactly. And on L2s the flash loan fees are trivial compared to mainnet, which lowers the barrier for attackers significantly. Any protocol with price-dependent logic needs time-weighted oracles at minimum

    3. The writeup says the attacker spent more time coding than on gas fees lol. $93k exploited for probably $2 in Arbitrum gas. Asymmetric warfare

      1. $93k extracted for basically free gas on Arbitrum. The ROI on flash loan attacks on L2s is absurd, which is why auditors need to treat price oracle validation as critical path
