Glossary

Flash Loan

A loan of capital that must be borrowed and repaid in a single transaction.

A flash loan is a DeFi primitive: borrow any amount of capital, up to the lending pool's available liquidity, with no collateral, on the condition that the loan plus a small fee is repaid before the same atomic transaction ends. If it is not, the entire transaction reverts: the lender's funds never leave the pool, and every other state change the transaction made is undone with it.

Flash loans are not, by themselves, a vulnerability. They're a feature of permissionless capital markets. But they dramatically lower the bar for exploiting other vulnerabilities: an attacker who finds a price-manipulation flaw doesn't need to own the capital to execute it. They borrow it, exploit, and repay, all in one transaction.

Many of the largest DeFi exploits since 2020 have used flash loans. The pattern is: borrow → manipulate an oracle or pool → drain a target protocol → repay → keep the difference. The same atomicity that protects the lender also protects the attacker: if the drain doesn't cover the loan and fee, the attempt simply reverts, so a failed attack costs nothing but gas.

Defenses belong at the target protocol, not at the lending pool. Any protocol that reads on-chain state (pool reserves, LP token balances, a vault's share price) and treats it as a market price must assume that state can be borrowed into any shape for the duration of one transaction:

  • Use TWAP or external oracles instead of spot prices for any value-sensitive logic. A TWAP does not make manipulation impossible; it raises the cost from one transaction to sustained capital across several blocks, which on a thin pool can still be affordable.
  • Cap single-block actions (no fully draining a position in one tx), and consider rejecting or rate-limiting entry and exit within the same block.
  • Test invariants under flash-loan conditions, not just under normal usage: model an adversary who holds effectively unlimited capital for one transaction and only needs to end it at break-even.
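As an added illustration (not part of the original glossary entry), the following Python model walks through the borrow → manipulate → drain → repay pattern above against a toy constant-product pool and a toy lending market, and shows the two points from the defenses list: a victim that prices collateral at the pool's spot price loses its liquidity, a victim that prices it with a Uniswap-v2-style TWAP sees an unchanged price, and a callback that never repays reverts everything, victim drain included. The pool sizes, the 50% LTV, the 9 bps flash fee and all class names are assumptions for the toy, not any real protocol's parameters.

```python
"""Toy flash-loan oracle attack: borrow Y, skew an x*y=k pool, drain a lender
that trusts the skewed price, unwind, repay. Assumed toy numbers throughout."""
from copy import deepcopy
from dataclasses import dataclass

FLASH_FEE_BPS = 9  # assumed flash-loan fee; real lenders differ


class InsufficientRepayment(Exception):
    """Callback ended without amount + fee: models an EVM revert."""


class ConstantProductPool:
    """x * y = k pool. Spot price of X in Y is reserve_y / reserve_x."""

    def __init__(self, reserve_x, reserve_y, ts=0):
        self.reserve_x, self.reserve_y = float(reserve_x), float(reserve_y)
        self.price_cumulative = 0.0  # sum of spot_price * seconds (Uniswap-v2 style)
        self.last_ts = ts

    def spot_price(self):
        return self.reserve_y / self.reserve_x

    def sync(self, ts):
        """Accumulate the price that held since the last update. Runs before a
        swap changes reserves, so a same-transaction push never enters the sum."""
        if ts > self.last_ts:
            self.price_cumulative += self.spot_price() * (ts - self.last_ts)
            self.last_ts = ts

    def swap_y_for_x(self, dy, ts):
        self.sync(ts)
        k = self.reserve_x * self.reserve_y
        new_y = self.reserve_y + dy
        out_x = self.reserve_x - k / new_y
        self.reserve_x, self.reserve_y = k / new_y, new_y
        return out_x

    def swap_x_for_y(self, dx, ts):
        self.sync(ts)
        k = self.reserve_x * self.reserve_y
        new_x = self.reserve_x + dx
        out_y = self.reserve_y - k / new_x
        self.reserve_x, self.reserve_y = new_x, k / new_x
        return out_y


class TwapOracle:
    """Time-weighted average since the snapshot: delta cumulative / delta seconds."""

    def __init__(self, pool, ts):
        pool.sync(ts)
        self.cum0, self.ts0 = pool.price_cumulative, ts

    def read(self, pool, ts):
        pool.sync(ts)
        return (pool.price_cumulative - self.cum0) / (ts - self.ts0)


class LendingMarket:
    """Victim: lends Y against X collateral at 50% LTV.
    `oracle` is the string "spot" (weak) or a TwapOracle (hardened)."""

    def __init__(self, liquidity_y, oracle, ltv=0.5):
        self.liquidity_y, self.oracle, self.ltv = liquidity_y, oracle, ltv
        self.last_price = None

    def price_x(self, pool, ts):
        return pool.spot_price() if self.oracle == "spot" else self.oracle.read(pool, ts)

    def borrow(self, pool, collateral_x, ts):
        self.last_price = self.price_x(pool, ts)
        taken = min(collateral_x * self.last_price * self.ltv, self.liquidity_y)
        self.liquidity_y -= taken
        return taken


@dataclass
class World:
    pool: ConstantProductPool
    victim: LendingMarket
    lender_liquidity: float        # the flash-loan pool of Y
    attacker_y: float
    attacker_collateral_x: float   # already deposited in the victim


def flash_loan(world, amount, callback, ts):
    """Lend Y, run callback, commit only if amount + fee came back. The callback
    mutates a copy; on shortfall the copy is dropped and `world` is untouched,
    which is what the chain does when the transaction reverts."""
    work = deepcopy(world)
    if amount > work.lender_liquidity:
        raise ValueError("flash pool lacks liquidity")
    work.lender_liquidity -= amount
    work.attacker_y += amount
    callback(work, ts)
    owed = amount * (1 + FLASH_FEE_BPS / 10_000)
    if work.attacker_y < owed:
        raise InsufficientRepayment(f"owe {owed:.1f} Y, hold {work.attacker_y:.1f} Y")
    work.attacker_y -= owed
    work.lender_liquidity += owed
    return work


def make_attack(unwind=True):
    def attack(w, ts):
        got_x = w.pool.swap_y_for_x(w.attacker_y, ts)  # dump borrowed Y: X looks expensive
        w.attacker_y = 0.0
        w.attacker_y += w.victim.borrow(w.pool, w.attacker_collateral_x, ts)  # drain
        if unwind:                                     # restore the pool, recover the Y
            w.attacker_y += w.pool.swap_x_for_y(got_x, ts)
    return attack


def run_scenario(oracle_kind, unwind=True, loan=9000.0, ts=120):
    """Pool 1000 X / 1000 Y (price 1.0), victim holds 5000 Y, attacker has 50 X
    of collateral and no Y. TWAP window opens at ts=0, attack lands at ts=120."""
    pool = ConstantProductPool(1000, 1000)
    oracle = "spot" if oracle_kind == "spot" else TwapOracle(pool, 0)
    world = World(pool, LendingMarket(5000.0, oracle), 100_000.0, 0.0, 50.0)
    try:
        after = flash_loan(world, loan, make_attack(unwind), ts)
    except InsufficientRepayment as exc:
        return {"reverted": True, "reason": str(exc),
                "victim_liquidity": world.victim.liquidity_y, "pool_x": world.pool.reserve_x}
    return {"reverted": False, "price_seen_by_victim": after.victim.last_price,
            "attacker_y": after.attacker_y, "victim_liquidity": after.victim.liquidity_y,
            "pool_x": after.pool.reserve_x}


if __name__ == "__main__":
    print("spot oracle:     ", run_scenario("spot"))
    print("twap oracle:     ", run_scenario("twap"))
    print("spot, no unwind: ", run_scenario("spot", unwind=False))
```

With the spot-priced victim the attacker walks away with roughly 2,490 Y against 50 X of abandoned collateral; with the TWAP-priced victim the same transaction yields a 25 Y borrow, less than the flash fee is worth chasing; and when the callback keeps the pool skewed instead of unwinding, it cannot repay and the victim's balance is back to 5,000 Y as if nothing happened. Note that the TWAP is safe here only because the push and the unwind sit inside one transaction; an attacker willing to hold the skewed reserves across several blocks would move the average.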
