Most people assume borrowing money requires a bank, a credit score, and weeks of paperwork. In DeFi, none of that applies. Flash loans let anyone borrow millions of dollars in seconds, with no collateral and no identity check. The catch is that the money has to come back before the transaction ends.
This is not a loophole or a workaround. It is a financial instrument that only exists because of how blockchain transactions are built. Flash loans have been used to make profits, refinance debt, and protect positions. They have also been used to drain protocols of hundreds of millions of dollars. Both outcomes come from the same underlying mechanic.
What is a flash loan?
A flash loan is an uncollateralized loan in decentralized finance (DeFi) that lets a user borrow any amount of assets with no upfront collateral, as long as the full amount is repaid within the same blockchain transaction.

Traditional lending runs on trust and collateral. A lender needs a guarantee they will be paid back, so they take your assets, check your history, and charge interest over time. Flash loans skip all of that because the repayment is enforced by code, not by trust. If the money is not returned before the transaction closes, the entire thing is reversed. Nothing moves. The loan never happened.
Aave pioneered flash loans and remains the most widely used provider. Their flash loan fee sits at 0.09%, which is low by any standard in financial markets.
How do flash loans work?
Flash loans run on smart contracts. A smart contract is a self-executing program on the blockchain that follows rules written in code, with no human required to approve or process anything.
The mechanism that makes flash loans possible is called atomicity. Every blockchain transaction is atomic, meaning it either completes in full or reverts entirely. There is no middle ground. A transaction does not partially succeed.
A flash loan smart contract uses this to its advantage. It says: borrow this money, do what you need to do, and return it before this transaction ends. If repayment does not happen, every step inside the transaction is wiped. The lender has no exposure at all. If the money does not come back, the transaction did not happen.
Here is what happens step by step:
- Borrow: The user requests funds from a DeFi platform like Aave, Uniswap, or Balancer. No collateral is needed.
- Execute: Within the same transaction, the user runs their strategy: flash loan arbitrage, a collateral swap, a liquidation, or something else.
- Repay: The loan amount plus the fee is returned to the protocol before the transaction closes.
- Settle: If repayment goes through, the transaction confirms on-chain. If it fails, everything reverts instantly.
The whole sequence runs within a single Ethereum block, which takes roughly 12 seconds.
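The borrow, execute, repay, settle sequence above can be modelled in a few lines. This is an added example, not code from Aave or any other protocol: the `Ledger` class, the account names and the two strategies are hypothetical, and only the 0.09% fee comes from the article.

```python
from decimal import Decimal

FEE_RATE = Decimal("0.0009")  # the 0.09% fee quoted in the article


class Reverted(Exception):
    """The transaction failed; all state changes are rolled back."""


class Ledger:
    """Toy chain state (constructed model): account name -> token balance."""

    def __init__(self, balances):
        self.balances = {k: Decimal(v) for k, v in balances.items()}

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, Decimal(0)) < amount:
            raise Reverted(f"{src} cannot send {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, Decimal(0)) + amount


def flash_loan(ledger, pool, borrower, amount, strategy):
    """Lend, run the borrower's strategy, and settle or revert as one unit."""
    amount = Decimal(amount)
    snapshot = dict(ledger.balances)               # state before the transaction
    required = snapshot[pool] + amount * FEE_RATE  # principal back, plus fee
    try:
        ledger.transfer(pool, borrower, amount)    # Borrow
        strategy(ledger, borrower, pool, amount)   # Execute and Repay
        if ledger.balances[pool] < required:       # Settle
            raise Reverted("loan plus fee was not returned")
    except Reverted:
        ledger.balances = snapshot                 # every step is wiped
        raise
    return ledger.balances[pool] - snapshot[pool]  # fee kept by the lender


def repays(ledger, borrower, pool, amount):
    """Hypothetical strategy that returns principal plus fee."""
    ledger.transfer(borrower, pool, amount + amount * FEE_RATE)


def walks_away(ledger, borrower, pool, amount):
    """Hypothetical strategy that moves the funds out and never repays."""
    ledger.transfer(borrower, "elsewhere", amount)
```

With `repays` the pool ends up richer by the fee; with `walks_away` the call raises `Reverted` and the ledger is identical to what it was before the loan, including the transfer to the third account.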

Flash loan arbitrage
Flash loan arbitrage is the most common use of this tool. The same asset often trades at slightly different prices on different exchanges at the same time. That gap is where the opportunity sits.
Say ETH is sitting at $3,000 on Uniswap and $3,050 on a second exchange. A trader borrows $3 million, buys on the cheaper side, sells on the expensive side, pays back the loan, and walks away with the spread. One transaction, start to finish.
Beyond the profit, flash loan arbitrage does something useful for the market. It closes price gaps between exchanges, which makes DeFi pricing more accurate for everyone. The trader earns a fee for providing that service.
Liquidations and debt refinancing
Flash loans are also used for liquidations. In DeFi lending, a borrower must keep their collateral above a set ratio. When it drops below that threshold, the protocol allows third parties to liquidate the position and collect a reward. Flash loans give those liquidators instant access to large capital without requiring them to hold funds in advance.
Debt refinancing with flash loans solves a different problem. If a user wants to change the collateral backing their loan from one asset to another, doing it manually means closing the loan, waiting, and reopening it, all while exposed to price movement in between. A flash loan collapses all of that into one transaction with no gap.
Other uses include:
- Collateral swaps: Switching the asset backing a loan without manually unwinding the position
- Self-liquidation: Closing your own loan before the protocol does it and charges a penalty
- Leveraged positions: Building or closing multi-step positions in a single transaction
Flash loan attacks
Flash loans have a well-documented dark side. A flash loan attack does not mean flash loans are broken. It means a protocol had a vulnerability, and flash loans provided the capital to exploit it at scale.
The most common attack pattern works like this:
- An attacker borrows a large sum through a flash loan
- They use that capital to push the price of a token sharply upward on a low-liquidity exchange
- A second protocol reads that manipulated price as accurate and releases funds based on it
- The attacker repays the flash loan and keeps the difference
The February 2020 bZx attacks are the most documented early examples. In two separate incidents days apart, an attacker used flash loans to manipulate prices across protocols and extract funds, all within single transactions. Neither attack required the attacker to hold any starting capital beyond gas fees. The vulnerabilities were in bZx’s price logic, not in the flash loans themselves.
The root problem in every flash loan attack is not the loan itself. It is a weak price oracle, a logic flaw, or a missing check in the protocol’s code. Flash loans make exploiting those weaknesses cheaper and faster, but they do not create them.
How DeFi protocols defend against flash loan attacks
Security across DeFi has improved considerably since the early exploits. Most flash loan attacks in recent years have targeted newer or smaller protocols, not established platforms. Aave and Compound have not suffered major exploits in years.
The main defenses now standard across serious protocols:
- TWAP oracles: Time-Weighted Average Prices sample an asset’s price over a window of 10 to 30 minutes rather than at one single moment. An attacker can spike a price for 12 seconds, not for half an hour.
- Multi-source price feeds: Chainlink and similar services pull prices from dozens of independent sources at once. Manipulating one exchange pool does not move the aggregated feed.
- Circuit breakers: Protocols can be set to pause automatically if price movements within a single block cross an abnormal threshold.
- Mandatory audits: Any serious protocol launching today treats a full smart contract audit as a non-negotiable step before going live.
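The effect of the first and third defenses can be checked numerically. This is an added example, not code from any protocol or oracle service: the price feed is constructed, the 10% breaker threshold is an assumption, and observations are assumed to be sorted by timestamp with one reading per 12-second block.

```python
BLOCK_SECONDS = 12            # block time used in the article
WINDOW_SECONDS = 30 * 60      # 30-minute TWAP window
MAX_BLOCK_MOVE = 0.10         # assumed breaker threshold: 10% per block


def sample_observations():
    """Constructed feed: 150 blocks at 3000, the last one spiked to 30000."""
    obs = [(i * BLOCK_SECONDS, 3000.0) for i in range(150)]
    obs[-1] = (obs[-1][0], 30000.0)
    return obs


def spot(observations):
    """Price a naive protocol would read: the latest observation only."""
    return observations[-1][1]


def twap(observations, now, window=WINDOW_SECONDS):
    """Average price over the window, weighted by seconds each price held."""
    start, weighted, covered = now - window, 0.0, 0
    for i, (ts, price) in enumerate(observations):
        end = observations[i + 1][0] if i + 1 < len(observations) else now
        lo, hi = max(ts, start), min(end, now)
        if hi > lo:
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside the window")
    return weighted / covered


def tripped_blocks(observations, max_move=MAX_BLOCK_MOVE):
    """Timestamps where the price jumped more than max_move in one block."""
    return [ts for (_, prev), (ts, price) in zip(observations, observations[1:])
            if abs(price - prev) / prev > max_move]
```

On the constructed feed the spot price reads ten times the true value, while the 30-minute TWAP moves from 3000 to 3180, and the breaker flags the single block in which the jump occurred.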

Flash loans in DeFi today
Flash loans now operate across Ethereum, Arbitrum, Optimism, Polygon, Avalanche, and BNB Chain. Platforms like DeFi Saver have built no-code interfaces that let users structure flash loan transactions through templates, without writing any code.
The growth of flash loans reflects something broader about what DeFi can do that traditional finance cannot. A bank does not lend $100 million with no paperwork in 12 seconds. The infrastructure does not exist for it. On a blockchain, the code handles everything the bank normally would. That is why flash loans keep growing as a standard part of on-chain finance, not a curiosity.