SC04—Flash Loan-Facilitated Attacks
>Control Description
Flash loan-facilitated attacks exploit uncollateralized, same-transaction borrowing to amplify underlying vulnerabilities into protocol-draining exploits. Flash loans are not inherently vulnerable — they are a legitimate DeFi primitive — but they grant attackers arbitrarily large, transient capital within a single transaction.
The attack pattern involves: (1) borrowing large capital via flash loan (Aave, dYdX, Uniswap V3, or equivalent), (2) manipulating protocol state, prices, or accounting using borrowed funds, (3) extracting profit through liquidity drainage, under-collateralized loans, or governance skewing, and (4) repaying the flash loan in the same transaction while retaining profits.
These attacks affect lending protocols, AMMs, yield vaults, governance systems, NFT and token valuation mechanisms, and cross-protocol composability scenarios. Flash loans act as a force multiplier, turning small bugs into catastrophic exploits.
>Prevention & Mitigation Strategies
1. Design economic and accounting logic assuming attackers have access to arbitrarily large transient capital.
2. Implement per-block or per-epoch limits on rebasing, rebalancing, or high-impact state transitions; use dynamic fees increasing with action magnitude/frequency.
3. Set maximum slippage, position sizes, and borrowing caps; limit state changes within single transactions.
4. Include flash-loan-style tests in QA and audits; use fuzzing to discover profitable multi-call sequences.
5. Address underlying issues at the root level — flash loans act as a force multiplier for business logic (SC02), oracle (SC03), and arithmetic (SC07) vulnerabilities.
>Attack Scenarios
#1 Bunni (September 2025, $8.4M loss)
A rounding error in withdrawal functions was amplified by flash loans. Attackers flash-borrowed 3M USDT, manipulated spot prices (reducing USDC active balance to 28 wei), then executed 44 chained withdrawals exploiting rounding — decreasing USDC balance by 85.7% while only burning 84.4% of liquidity.
#2 zkLend (February 2025, $9.5M loss)
A rounding error in the mint() function (integer division rounding down) allowed inflation of the lending_accumulator through repeated deposits/withdrawals. Flash loans provided the capital scale that turned small per-iteration precision gains into a ~$9.5M drain.
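As an added example (not from the original page and not any protocol's code), the toy Python model below simulates the withdrawal-rounding pattern behind the two scenarios above and exercises mitigations 3 and 4 from the prevention list: a vault whose withdraw() rounds the shares burned down, in the caller's favour, beside the hardened policy that rounds against the caller, a per-transaction cap on state changes, and a flash-loan-style QA check that searches for a profitable chained-withdrawal sequence. The vault, its balances and the search are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    """Toy share vault with integer accounting (constructed; not any real protocol's code)."""
    assets: int
    shares: int
    round_against_user: bool = True   # False models the withdrawal rounding error
    max_calls_per_tx: int = 0         # > 0 caps state changes per transaction (mitigation 3)
    calls_in_tx: int = 0
    def _count_call(self):
        self.calls_in_tx += 1
        if self.max_calls_per_tx and self.calls_in_tx > self.max_calls_per_tx:
            raise RuntimeError("per-transaction state-change cap exceeded")
    def deposit(self, assets_in: int) -> int:
        self._count_call()
        minted = assets_in * self.shares // self.assets  # floor: never over-mints shares
        self.assets, self.shares = self.assets + assets_in, self.shares + minted
        return minted
    def withdraw(self, assets_out: int) -> int:
        self._count_call()
        num = assets_out * self.shares
        # ceil burns the fractional share; floor lets the caller keep it for free
        burned = -(-num // self.assets) if self.round_against_user else num // self.assets
        self.assets, self.shares = self.assets - assets_out, self.shares - burned
        return burned
    def redeem(self, shares_in: int) -> int:
        self._count_call()
        assets_out = shares_in * self.assets // self.shares  # floor: favours remaining LPs
        self.assets, self.shares = self.assets - assets_out, self.shares - shares_in
        return assets_out

def attack_profit(vault: Vault, flash_capital: int, pieces: list) -> int:
    """One tx: flash-borrow, deposit, withdraw in pieces, redeem leftover, repay; net profit."""
    held, out = vault.deposit(flash_capital), 0
    for amount in pieces:
        held, out = held - vault.withdraw(amount), out + amount
    return out + vault.redeem(held) - flash_capital

def find_profitable_sequence(make_vault, flash_capital: int, piece_sizes, max_calls: int):
    """Flash-loan-style QA check (mitigation 4): first profitable chain of equal withdrawals."""
    for piece in piece_sizes:
        for n_calls in range(1, max_calls + 1):
            try:
                if attack_profit(make_vault(), flash_capital, [piece] * n_calls) > 0:
                    return [piece] * n_calls
            except RuntimeError:
                break  # per-tx cap stopped this chain; longer ones would fail too
    return None
```

With a vault of 1000 asset units and 300 shares, a cap of three calls per transaction only shortens the chain: a single withdrawal of 2 units still nets a profit on the floor-rounding vault, which is why mitigation 5 treats the rounding itself as the root cause.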