Flash Loan Attacks

Flash loan attacks exploit the ability to borrow large sums of funds without collateral, provided the loan is repaid within the same transaction. These attacks leverage the atomic nature of blockchain transactions, where all operations must succeed or fail together: any state the attacker sets up with the borrowed funds can be used and unwound before the transaction ends. By combining flash loans with other vulnerabilities such as oracle manipulation, reentrancy, or faulty logic, attackers can manipulate contract behavior and drain funds.

Remediation

  • Avoid reliance on flash loans in critical logic: Restrict sensitive functions to operate only within validated and predictable conditions.
  • Robust oracle design: Use time-weighted average prices (TWAP) or decentralized oracles resistant to manipulation.
  • Comprehensive testing: Include tests simulating flash loan scenarios and edge cases.
  • Access control: Limit access to critical functions to prevent unauthorized or malicious transactions.
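To show why the TWAP recommendation matters, here is an added Python simulation (not SecDim lab code) of a constant-product pool with a Uniswap-V2-style price accumulator; it assumes block height is the chain clock and uses constructed reserve numbers. Read mid-transaction, the spot oracle reports whatever the temporarily skewed reserves say, while the TWAP over ten quiet blocks is unchanged because an in-block swing contributes zero elapsed time.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    reserve_a: float
    reserve_b: float
    block: int = 0                 # block height, the assumed chain clock
    price_cumulative: float = 0.0  # sum of spot price x blocks it was in force
    last_block: int = 0

    def spot_price(self) -> float:
        # Price of A in B straight from reserves: movable inside a single tx.
        return self.reserve_b / self.reserve_a

    def sync(self) -> None:
        # Fold the price in force since the last update into the accumulator; within one block elapsed == 0.
        self.price_cumulative += self.spot_price() * (self.block - self.last_block)
        self.last_block = self.block

    def swap(self, amount_a: float = 0.0, amount_b: float = 0.0) -> None:
        # Deposit one asset; the other reserve shrinks so that k stays constant.
        self.sync()
        k = self.reserve_a * self.reserve_b
        if amount_a:
            self.reserve_a += amount_a
            self.reserve_b = k / self.reserve_a
        else:
            self.reserve_b += amount_b
            self.reserve_a = k / self.reserve_b

    def snapshot(self) -> tuple[float, int]:
        # Start of a TWAP window: (cumulative price, block height) right now.
        self.sync()
        return self.price_cumulative, self.block

    def twap_since(self, snap: tuple[float, int]) -> float:
        # Time-weighted average price between the snapshot and now.
        self.sync()
        if self.block == snap[1]:
            raise ValueError("TWAP window is empty: no block has elapsed")
        return (self.price_cumulative - snap[0]) / (self.block - snap[1])


def compare_oracles() -> tuple[float, float]:
    # Read both oracles while reserves are temporarily skewed, then restore them in the same block (constructed numbers).
    pool = Pool(reserve_a=1_000.0, reserve_b=1_000.0)       # spot price 1.0
    snap = pool.snapshot()
    pool.block += 10                                        # ten quiet blocks pass
    pool.swap(amount_a=9_000.0)                             # one-tx skew: spot now 0.01
    readings = (pool.spot_price(), pool.twap_since(snap))   # TWAP still 1.0
    pool.swap(amount_b=900.0)                               # undo the skew, same block
    return readings
```

A contract that prices collateral with `twap_since` rather than `spot_price` does not see the in-transaction swing at all; the TWAP only moves once a skewed price has actually persisted across block boundaries.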

Metadata

  • Severity: high
  • Slug: flash-loan-attacks

CWEs

  • 345: Insufficient Verification of Data Authenticity
  • 20: Improper Input Validation

OWASP

  • SC07:2025: Flash Loan Attacks

Available Labs

Open Move labs in SecDim Play for this vulnerability.
