If you have been following cryptocurrency news, you have likely seen headlines about millions of dollars being stolen from DeFi protocols through something called a flash loan attack. The recent $7.4 million exploit against Hundred Finance on April 15, 2023, is just the latest example of this increasingly common attack vector. But what exactly are flash loans, and how do attackers use them to steal millions in a single transaction? This guide breaks it down in plain language.
The Basics
A flash loan is a special type of loan that exists only in decentralized finance. It allows anyone to borrow a very large amount of cryptocurrency — sometimes millions of dollars' worth — with zero collateral, as long as the borrowed amount is returned within the same blockchain transaction. If the borrower cannot return the funds within that single transaction, the entire loan is automatically canceled as if it never happened.
Think of it like borrowing money from a bank, but the bank takes the money back instantly if you cannot prove you can repay it within the same moment. No forms, no credit check, no waiting period. The loan either works and is repaid, or it never happens at all. This is possible because of how blockchain transactions work — they are atomic, meaning they either complete entirely or not at all.
Flash loans were originally designed as a powerful tool for legitimate purposes. Traders use them for arbitrage — buying an asset on one exchange where it is cheaper and selling it on another where it is more expensive, all in one transaction. Developers use them for collateral swaps, where you change the asset backing your loan without needing extra cash on hand. These are all valid and valuable use cases.
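The all-or-nothing behaviour described above can be seen in a small simulation. This is an added example, not code from any lending protocol; the `Chain` ledger, the account names and the amounts are constructed for illustration.

```python
class Revert(Exception):
    """Aborts the current transaction; every state change is discarded."""

class Chain:
    """Toy ledger mapping account name -> balance (constructed model)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx atomically: keep changes on success, restore on Revert."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

def flash_loan(chain, pool, borrower, amount, fee, callback):
    """Lend without collateral, run the borrower's logic, require amount + fee back."""
    before = chain.balances[pool]
    chain.transfer(pool, borrower, amount)
    callback(chain)
    if chain.balances[pool] < before + fee:
        raise Revert("loan not repaid within the transaction")

def repaying_tx(chain):
    def logic(c):
        c.transfer("market", "borrower", 50)    # stand-in for an arbitrage profit
        c.transfer("borrower", "pool", 1009)    # principal 1000 + fee 9
    flash_loan(chain, "pool", "borrower", 1000, 9, logic)

def defaulting_tx(chain):
    def logic(c):
        c.transfer("borrower", "elsewhere", 1000)  # spends the loan, never repays
    flash_loan(chain, "pool", "borrower", 1000, 9, logic)

def demo():
    chain = Chain({"pool": 1000, "borrower": 0, "market": 50})
    repaid = chain.execute(repaying_tx)
    after_repaid = dict(chain.balances)
    default_committed = chain.execute(defaulting_tx)
    return repaid, after_repaid, default_committed, dict(chain.balances)
```

The second transaction leaves no trace on the ledger: the pool's balance, the borrower's balance and the transfer to `elsewhere` are all rolled back together.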
Why It Matters
The problem is that the same mechanism that makes flash loans useful also makes them a powerful weapon in the hands of attackers. Because flash loans give anyone instant access to enormous amounts of capital without any upfront investment, they lower the barrier to executing complex exploits that would previously have required millions of dollars in capital.
In the Hundred Finance attack, the exploiter borrowed 500 Wrapped Bitcoin — worth roughly $15 million at the time — through a flash loan from Aave. They used this massive capital to manipulate the price of tokens on Hundred Finance’s platform, exploit a rounding error in the smart contract, and walk away with over $7 million in stolen assets. All of this happened in a matter of seconds, within a single blockchain transaction.
This matters for every DeFi user because it means that even smaller protocols with seemingly robust code can be targeted. The attacker did not need to invest their own money or take any financial risk — the flash loan provided all the firepower needed.
Getting Started Guide
Understanding how flash loan attacks work is the first step to protecting yourself. Here is what you need to know:
Step 1: Understand the attack pattern. Most flash loan attacks follow a similar pattern. The attacker borrows a large amount through a flash loan, uses that capital to manipulate prices or exploit a vulnerability in a smart contract, extracts value from the exploited protocol, and then repays the flash loan from the stolen funds — all in one transaction.
Step 2: Recognize the warning signs. Protocols that are most vulnerable tend to share common characteristics: low liquidity pools, complex token exchange mechanisms, unaudited smart contracts, or code that has been forked from other protocols without proper modifications for the specific deployment context.
Step 3: Check protocol security. Before depositing funds into any DeFi protocol, check whether it has been audited by reputable security firms. Look for audit reports published on the protocol’s website or GitHub repository. Protocols like Aave, Compound, and MakerDAO have undergone multiple audits and have bug bounty programs.
Step 4: Diversify your exposure. Do not keep all your DeFi deposits in a single protocol, especially smaller or newer ones. Spreading your funds across multiple established protocols reduces the impact of any single exploit.
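The pattern from Step 1 (borrow, interact, extract, repay, all in one transaction) can also be turned into a monitoring heuristic. The sketch below is an added example, not part of the original guide or of any monitoring product; the event field names, protocol labels, amounts and the loss threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of decoded events, grouped by transaction id.
# "flow" usd > 0 means value entering a protocol, < 0 means value leaving it.
EVENTS = [
    # tx1: flash-loan arbitrage, each venue ends close to flat
    {"tx": "tx1", "kind": "flash_borrow", "usd": 5_000_000},
    {"tx": "tx1", "kind": "flow", "protocol": "dex-a", "usd": 5_000_000},
    {"tx": "tx1", "kind": "flow", "protocol": "dex-a", "usd": -5_020_000},
    {"tx": "tx1", "kind": "flash_repay", "usd": 5_004_500},
    # tx2: flash loan plus a large one-sided loss at a lending market
    {"tx": "tx2", "kind": "flash_borrow", "usd": 10_000_000},
    {"tx": "tx2", "kind": "flow", "protocol": "lending-x", "usd": 100_000},
    {"tx": "tx2", "kind": "flow", "protocol": "lending-x", "usd": -4_100_000},
    {"tx": "tx2", "kind": "flash_repay", "usd": 10_009_000},
    # tx3: large withdrawal with no flash loan involved
    {"tx": "tx3", "kind": "flow", "protocol": "lending-x", "usd": -3_000_000},
]

def flag_flash_loan_drains(events, loss_threshold_usd=1_000_000):
    """Return {tx: {protocol: net_usd}} for transactions that both borrow and
    repay a flash loan and leave some protocol with a net loss at or beyond
    the threshold."""
    kinds = defaultdict(set)
    net = defaultdict(lambda: defaultdict(int))
    for e in events:
        kinds[e["tx"]].add(e["kind"])
        if e["kind"] == "flow":
            net[e["tx"]][e["protocol"]] += e["usd"]

    flagged = {}
    for tx, seen in kinds.items():
        if not {"flash_borrow", "flash_repay"} <= seen:
            continue  # the heuristic only covers the flash-loan pattern
        losers = {p: v for p, v in net[tx].items() if v <= -loss_threshold_usd}
        if losers:
            flagged[tx] = losers
    return flagged
```

Because everything happens inside one transaction, an alert like this fires only after the fact; it is useful for pausing markets and starting incident response quickly, not for stopping the transaction itself.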
Common Pitfalls
Many newcomers to DeFi make the mistake of chasing high yields without understanding the underlying risks. Protocols offering unusually high returns often do so because they are taking on greater risk — whether through unaudited code, experimental mechanisms, or insufficient liquidity. If a yield seems too good to be true, it probably involves elevated risk.
Another common mistake is assuming that because a protocol runs on a well-known blockchain like Ethereum or a layer-2 network like Optimism, it is inherently safe. The Hundred Finance exploit happened on Optimism, a reputable network. The vulnerability was in the protocol’s specific smart contracts, not the underlying blockchain.
Users also frequently ignore the total value locked in a protocol’s pools. Very low liquidity pools, like the empty hWBTC pool exploited in the Hundred Finance attack, are significantly more vulnerable to manipulation. Before depositing, check how much total value is locked in the specific pool you plan to use.
Next Steps
Now that you understand the basics of flash loan attacks, consider deepening your knowledge of DeFi security. Learn to read smart contract audit reports, even at a high level. Follow security researchers and firms like Halborn, Trail of Bits, and OpenZeppelin on social media for real-time alerts about newly discovered vulnerabilities.
Consider using hardware wallets for your primary cryptocurrency holdings and limiting the amount you keep in hot wallets connected to DeFi protocols. Set up transaction notifications so you are immediately alerted to any unusual activity in your wallets.
Most importantly, approach DeFi with healthy skepticism. The space offers remarkable opportunities for earning yield and accessing financial services, but it also carries real risks. Understanding those risks is not optional — it is essential for anyone participating in decentralized finance.
Disclaimer: This article is for educational purposes only and does not constitute financial advice. DeFi involves significant risk. Always conduct thorough research before depositing funds into any protocol.
finally a flash loan explainer that doesn't assume I have a CS degree. the bank analogy actually makes sense
the part about zero collateral is what blows people's minds. you can borrow millions with nothing down, as long as it all happens in one tx
^ and that single tx constraint is the only thing protecting DeFi from even more chaos. remove that and it's game over
the single tx constraint is elegant but it's also why flash loan attacks are so terrifying. everything happens in one block, zero time to react
wish this guide mentioned that flash loans themselves aren't evil. they're a tool. the bug is in the protocol being exploited, not the loan
^ exactly. flash loans are neutral tools. blaming them for exploits is like blaming tcp/ip for phishing. the vulnerability was in the protocol code
the $7.4M Hundred Finance exploit used a flash loan to manipulate the exchange rate in a single tx. the protocol had no reentrancy guard on its lending pool