Research note

Flash Loans Don’t Hack Protocols. Broken Assumptions Do.

Flash loans get blamed for exploits they did not create. They simply rent enormous capital for one transaction and force your weakest assumption to fail.

Published
2026-04-22
Author
ChainShield
← Back to Blog

Flash Loans Don’t Hack Protocols. Broken Assumptions Do.

Flash loans get blamed for exploits they did not create. They simply rent enormous capital for one transaction and force your weakest assumption to fail.

That distinction matters because too many teams still talk about flash loans as if they were a vulnerability class on their own. They are not. They are a financing primitive. The vulnerability is the protocol logic that assumes capital is scarce, price moves are slow, governance power is sticky, or state transitions cannot be stressed at full size in a single atomic call chain.

For founders and investors, this is not a developer-only nuance. It is the difference between thinking your protocol is protected by market size and understanding that any latent bug can be weaponized at institutional scale on day one. For CTOs and Solidity engineers, the implication is harsher: if a rule in your system is only safe because an attacker probably cannot marshal enough capital fast enough, it is not a rule. It is wishful thinking.

Establish the problem with technical depth

The cleanest example is Beanstalk. On April 17, 2022, Beanstalk disclosed that an attacker used a flash loan to exploit its on-chain governance mechanism and steal roughly $77 million in non-Bean assets. That was not a case of flash loans "breaking" a protocol. It was a case of governance treating temporary capital as legitimate political power and allowing that power to authorize a malicious outcome.

The lesson there is brutal. Governance is not secure because voting is on-chain. Governance is secure only if voting power, proposal timing, execution rights, and treasury control are structured so temporary balance spikes cannot immediately become permanent control.

Euler shows the same principle from a different angle. In March 2023, Euler was exploited for roughly $197 million. Euler’s own retrospective says the cause was a single missing line of code in an obscure path involving donateToReserves. The attacker used flash liquidity as part of the exploit path, but the root failure was business logic. The protocol exposed a solvency and liquidation path that could be pushed into an invalid state and monetized. The flash loan made the attack large and efficient. It did not create the flawed accounting.

That is why the lazy headline "flash loan attack" is often analytically useless. It tells you how the attacker financed the transaction. It does not tell you why the transaction was profitable.

And that gap matters commercially. Founders tend to hear "flash loan attack" and imagine a specialized DeFi superweapon. Engineers hear it and sometimes overfit to one exploit pattern, usually oracle manipulation. Both responses miss the real issue. A flash loan is just atomic scale. If your protocol can be broken by atomic scale, your security model is already wrong.

The mechanism, the mistake, the misunderstanding

Aave’s documentation describes flash loans plainly: a borrower can access liquidity without upfront collateral as long as the borrowed amount plus fee is returned before the end of the transaction. That single property changes the threat model more than many teams admit.

An attacker can borrow size, route it across multiple venues, manipulate a dependency, trigger your protocol, extract value, repay the loan, and leave the transaction with profit. If any step fails, the whole transaction reverts. That means the attacker can search for profitable exploit paths without carrying long-term market exposure. They only need one coherent atomic sequence.

This is why flash loans are such good exploit amplifiers. They provide three things at once: scale, composability, and clean failure semantics.

The most common misunderstanding is that teams try to defend against the loan instead of the assumption. Consider the pattern below:

function borrow(uint256 amount) external {
    uint256 price = amm.getSpotPrice(collateralToken);
    uint256 collateralValue = collateral[msg.sender] * price;

    require(collateralValue >= debt[msg.sender] + amount, "insolvent");
    debt[msg.sender] += amount;
    asset.transfer(msg.sender, amount);
}

The bug is not that an attacker can obtain a flash loan. The bug is that the protocol trusts a manipulable spot price in the same transaction in which value is released. The attacker borrows temporary capital, pushes the AMM price, passes the solvency check, withdraws value, unwinds the manipulation, repays the loan, and keeps the spread. Remove the flash loan and the design is still wrong. The attack just becomes less convenient.

The governance version is even less forgiving. If voting power is measured from current balances instead of a historical snapshot, and if proposal approval and execution can happen too quickly, then borrowed capital becomes borrowed control. Beanstalk demonstrated exactly that. Temporary ownership was enough to make a permanent decision because the protocol confused balance at the moment of voting with legitimate governance authority.

Euler demonstrates the accounting version. The postmortem is explicit that the cause was an obscure code path and a missing check, not some magical capability unique to flash liquidity. This is the deeper misunderstanding across DeFi. Teams often classify exploits by the visible tool used in the attack transaction rather than by the invariant that failed. Attackers do the opposite. They start with the invariant, then choose the cheapest capital source to break it.

So the right question is not, "Can our protocol stop flash loans?" No serious protocol can stop external capital from existing. The right question is, "What assumption in our system becomes false if an attacker can command maximum size for one block?"

If that question feels uncomfortable, good. It is the one that actually matters.

What good looks like

Good flash-loan defense starts by abandoning the fantasy that capital constraints are a control. Design as if the attacker can borrow the deepest available liquidity in your market for one transaction. Because in practice, they often can.

First, price-sensitive logic should not trust same-transaction spot prices from venues an attacker can move. The precise oracle stack will vary by protocol, but the principle does not: execution-critical checks need delayed, averaged, bounded, or independently sourced pricing. If your solvency, collateral, mint, or liquidation path depends on a price that can be distorted inside the execution path itself, you are giving the attacker the answer key.

Second, governance needs time separation and historical state. OpenZeppelin’s governance guidance is blunt about two controls that matter here: use historical voting power and add a timelock before execution. That is how you prevent temporary capital from becoming immediate control. Propose, snapshot, vote, queue, wait, then execute. Compress those stages and you are not running governance. You are running a treasury with an expensive front door and no hallway.

Third, write invariants the way attackers reason. Foundry’s invariant testing guidance is valuable here because it forces the team to stop testing only human-intended flows. Instead of asking whether deposit() works, ask whether any randomized sequence of deposits, borrows, liquidations, reserve donations, repayments, and redemptions can violate total asset coverage, bad-debt constraints, or share-accounting correctness. That is much closer to how real exploits emerge.

Fourth, identify every path where temporary state is allowed to look healthier than final state. That includes reserve accounting, liquidation discounts, redemption math, fee accrual, and governance eligibility. A large share of major DeFi exploits come from the same structural mistake: the protocol temporarily accepts a false view of the world, and the attacker gets paid before truth is restored.

Finally, keep blunt operational controls for high-blast-radius functions. Caps, pausability, isolated markets, rate limits, delayed upgrades, and segmented privileges are not glamorous. They are what keep a logic bug from turning into a company-defining incident.

ChainShield's angle

ChainShield’s view is that "flash loan resistance" is the wrong abstraction. The real job is assumption-hardening.

A serious security review should model a world where attackers have atomic access to scale, clean execution rollback, and deep composability across lending markets, AMMs, bridges, and governance systems. Once you model that world honestly, the review focus changes. You stop obsessing over whether a transaction includes a flash loan and start asking whether your protocol can survive adversarial pricing, temporary voting power, and state transitions that are only safe under polite market conditions.

That shift matters to both sides of the cap table. Founders should care because the market does not distinguish between "oracle manipulation," "governance exploit," and "flash loan attack" once treasury assets are gone. Engineers should care because exploit prevention lives in system design, not in post hoc labeling.

The ChainShield standard is simple: assume the attacker gets perfect financing for one block, then ask what still holds. If the answer is "not much," the protocol is not under-secured. It is under-specified.

Flash loans are not black magic. They are a brutally honest test harness for DeFi design. Protocols that survive them do not block the tool. They remove the assumption that made the tool dangerous in the first place.

Need this level of scrutiny on your protocol?

ChainShield Discovery Runs are designed to identify high-risk issues quickly, validate what matters, and give engineering teams a faster path to remediation.

Request Security Quote