Flash loans are one of the stranger inventions in DeFi — a loan with no collateral, no credit check, and no counterparty risk. The catch is that the loan must be borrowed and repaid within a single blockchain transaction. Not the same block. The same transaction.
This sounds like a loophole, but it's actually a precise application of how blockchains handle atomicity. Understanding flash loans means understanding why blockchain transactions are all-or-nothing — and what happens when you build financial instruments around that property.
A standard loan requires collateral because there's a time gap between borrowing and repayment. During that window, the borrower could default, disappear, or the collateral could lose value. Flash loans eliminate that time gap entirely.
Here's how the mechanics work. A flash loan transaction proceeds in three steps within a single atomic execution:
If step three doesn't happen — if the repayment is insufficient, or the transaction logic fails for any reason — the EVM rolls back the entire transaction as if it never occurred. The protocol never actually loses funds because the loan never "settles" until the repayment confirms.
This is the collateral: not ETH or USDC, but the atomicity guarantee of the transaction itself. If you can't repay, the blockchain treats it as if you never borrowed.
Aave introduced flash loans in January 2020, charging 0.09% (9 basis points) per loan. Uniswap v2 introduced a similar mechanic — flash swaps — the same year, allowing you to receive tokens from a liquidity pool mid-transaction and pay for them (or return them) before execution completes. dYdX offered a version with no fee, tied to their margin trading infrastructure. The underlying mechanism is consistent across implementations: atomicity enforces repayment before state changes commit.
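The all-or-nothing behaviour described above, modelled in Python as an added example (not code from Aave, Uniswap, or dYdX, and not part of the original post). The `Ledger`, `flash_loan`, and `execute` names, the account names, and the balances are constructed for illustration; only the 9 basis point fee comes from the text.

```python
FEE_BPS = 9  # 0.09% per loan, the Aave fee quoted above

class Revert(Exception):
    """Aborts the transaction, standing in for an EVM revert."""

class Ledger:
    """Toy chain state mapping account -> token balance (constructed model)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot send {amount}")
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, pool, borrower, amount, callback):
    """Lend, run the borrower's logic, then require principal plus fee back."""
    fee = amount * FEE_BPS // 10_000
    before = ledger.balances[pool]
    ledger.transfer(pool, borrower, amount)
    callback(ledger)                       # borrower's contract logic runs here
    if ledger.balances[pool] < before + fee:
        raise Revert("flash loan not repaid in full")

def execute(ledger, tx):
    """Run tx atomically: keep its writes on success, restore the snapshot on Revert."""
    snapshot = dict(ledger.balances)
    try:
        tx(ledger)
        return True
    except Revert:
        ledger.balances = snapshot
        return False

def demo():
    ledger = Ledger({"pool": 1_000_000, "alice": 1_000})   # constructed balances
    repays = lambda l: l.transfer("alice", "pool", 100_000 + 90)
    keeps_half = lambda l: l.transfer("alice", "elsewhere", 50_000)
    ok = execute(ledger, lambda l: flash_loan(l, "pool", "alice", 100_000, repays))
    after_ok = dict(ledger.balances)
    bad = execute(ledger, lambda l: flash_loan(l, "pool", "alice", 100_000, keeps_half))
    return ok, after_ok, bad, dict(ledger.balances)
```

In the second call the transfer out of the borrower's account succeeds mid-transaction, yet the final state is identical to the state before the call: the failed repayment check discards every write, including the loan itself.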
The practical applications of flash loans fall into three categories that come up repeatedly.
Arbitrage is the most frequently discussed. If ETH is priced at $2,000 on one DEX and $2,015 on another, an arbitrageur can flash-borrow a large position, buy on the cheaper venue, sell on the more expensive one, repay the loan, and pocket the spread — all in a single transaction. Without flash loans, this would require substantial upfront capital. With them, it requires gas fees and the arbitrage contract.
Collateral swaps are more useful for active DeFi participants. Say you're borrowing USDC on Aave, with WBTC as your collateral, and you want to replace that WBTC with ETH. The normal path: repay the USDC debt, withdraw WBTC, sell for ETH, deposit ETH, re-borrow USDC. That requires you to have the USDC on hand to repay. With a flash loan: borrow USDC, repay the existing debt, withdraw WBTC, sell for ETH, deposit ETH as new collateral, re-borrow USDC, repay the flash loan — all in one transaction, no external capital needed.
Self-liquidation is the third case. A borrower whose position is approaching the liquidation threshold can use a flash loan to repay their own debt, reclaim their collateral, and exit on their own terms — avoiding the liquidation penalty that a third-party liquidator would take.
This is where the discussion tends to go sideways. Flash loans were used in several notable DeFi exploits — the bZx attacks in February 2020, the Harvest Finance exploit in October 2020, and a string of others. The common framing — "flash loan attack" — is slightly misleading.
Flash loans don't have vulnerabilities. They work exactly as designed. What happened in these cases is that attackers used flash loans to obtain large temporary capital positions — positions large enough to manipulate on-chain prices or create liquidity imbalances — and then exploit weaknesses in other protocols that depended on those prices.
In the bZx case, the attacker didn't exploit Aave. They used a flash loan to borrow a large ETH position, used part of it to manipulate the price of WBTC on a thin DEX (which bZx used as its price oracle), took a position that was profitable given the manipulated price, and repaid the flash loan. bZx's vulnerability was its reliance on a single, manipulable oracle. The flash loan was just a cheap way to obtain enough capital to trigger that manipulation.
This reframing matters for protocol evaluation. The relevant question isn't "does this protocol offer flash loans?" It's "does this protocol rely on a price oracle that could be manipulated within a single block?" Flash loans make large-position attacks accessible to attackers without capital. That changes the threat model for any protocol using naive oracle designs — not the threat model for flash loans themselves.
Several binding constraints shape what flash loans can actually do.
Gas limits are the first. Complex flash loan operations — multiple protocol interactions, several token swaps, cross-protocol position management — can become expensive or run into the block's gas ceiling. This constrains how many steps can be chained together in a single execution. As Ethereum's gas limits have increased post-Merge and on L2s, this constraint has loosened somewhat.
Smart contract requirement is the second. Flash loans aren't executable by hand — you write a contract that specifies what happens with the borrowed funds, including the repayment logic. This filters out most users without developer access or contract deployment ability. Tooling has improved, but the technical barrier is real.
Liquidity depth is the third. A flash loan for an illiquid token may simply not be available at the scale needed for an arbitrage to be profitable. Flash loan availability maps to the lending protocol's existing pool depth — which for most assets outside USDC, USDT, WBTC, and ETH is relatively shallow.
Flash loan availability has expanded significantly since 2020. Aave V3 (deployed 2022–2023) brought flash loans to Polygon, Arbitrum, Optimism, and Avalanche. Uniswap V3 flash swaps refined single-token borrowing in 2021. The mechanic is now routine infrastructure across the major DeFi networks.
The more important structural development is on the oracle side. Chainlink price feeds and TWAP (time-weighted average price) oracles are now standard for lending protocols, precisely because they're resistant to within-block manipulation. A flash loan can still provide large temporary capital, but the oracle price an attacker might want to manipulate may not move within a single transaction. This doesn't eliminate flash loan-enabled exploits — any protocol with an exploitable price dependency remains at risk — but it substantially raises the bar.
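Why a time-weighted price resists within-transaction movement, as an added example that is not part of the original post. The `Pool` class is a constructed constant-product model with no fees and a cumulative-price accumulator; the reserves, window length, and swap size are assumptions chosen for round numbers, and it is not the code of any real oracle.

```python
class Pool:
    """Toy constant-product pool (x * y = k, no fees) with a cumulative-price
    accumulator in the style of a TWAP oracle. Constructed for illustration."""

    def __init__(self, eth, usd, ts=0):
        self.eth, self.usd = float(eth), float(usd)
        self.cumulative = 0.0      # running sum of spot price * seconds in effect
        self.last_ts = ts

    def spot(self):
        return self.usd / self.eth           # USD per ETH from current reserves

    def accrue(self, ts):
        # Credit the price that held since the last update, before any trade at ts.
        self.cumulative += self.spot() * (ts - self.last_ts)
        self.last_ts = ts

    def swap(self, usd_in=0.0, eth_in=0.0, ts=0):
        self.accrue(ts)
        k = self.eth * self.usd
        if usd_in:
            self.usd += usd_in
            self.eth = k / self.usd
        else:
            self.eth += eth_in
            self.usd = k / self.eth


def twap(pool, start_cumulative, start_ts, now):
    """Average price over [start_ts, now] from two accumulator readings."""
    pool.accrue(now)
    return (pool.cumulative - start_cumulative) / (now - start_ts)


def single_transaction_readings():
    """Oracle readings taken mid-transaction, while a large swap is still open."""
    pool = Pool(eth=1_000, usd=2_000_000)        # constructed reserves, spot = 2000
    window_start = (pool.cumulative, pool.last_ts)
    now = 1_800                                   # 30-minute window ending this block
    pool.swap(usd_in=2_000_000, ts=now)           # temporary capital moves the pool
    mid_spot = pool.spot()
    mid_twap = twap(pool, *window_start, now)
    eth_bought = 1_000 - pool.eth
    pool.swap(eth_in=eth_bought, ts=now)          # position unwound in the same tx
    return mid_spot, mid_twap, pool.spot()
```

A consumer reading the spot price mid-transaction sees 8000 while the TWAP still reads 2000, because the moved price was in effect for zero seconds of the window. This is the property to check for when reviewing how a protocol sources its prices.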
MEV infrastructure has made flash loans continuous background activity. Liquidation bots, arbitrage bots, and sandwich bots use flash loans in routine operations, visible in Aave's flash loan fee revenue data on-chain.
Confirmation: Sustained growth in flash loan volume (Aave fee revenue, on-chain data). Continued adoption of TWAP and multi-source oracles making within-block manipulation structurally harder. Cross-chain flash loan infrastructure becoming available and demonstrating the mechanic's extensibility.
Invalidation: A vulnerability discovered in the flash loan contracts themselves — requiring a reentrancy flaw or logic error in the core atomicity mechanism, which has survived scrutiny since 2020. Or a gas structure change that makes multi-step flash loan operations impractical at the margins where arbitrage is currently profitable.
Now: Flash loans are active and used daily on Aave, Uniswap, and other major protocols. Any protocol with on-chain price exposure should already be treating same-block manipulation as a live risk.
Next: Cross-chain flash loans remain an open engineering problem as of early 2026. Atomic cross-chain execution isn't solved at the infrastructure layer, which means flash loan mechanics are still single-chain. If that changes, the attack surface analysis changes with it.
Later: If undercollateralized institutional lending scales significantly, it would shift the DeFi lending landscape in ways that make the atomicity-as-collateral mechanic less central. That's a longer-horizon development.
This post covers the mechanism, use cases, and constraints of flash loans. It doesn't constitute guidance on executing flash loan transactions or auditing smart contracts for flash loan vulnerabilities. Whether flash loans represent relevant infrastructure for any specific protocol or use case depends on factors outside this scope.