Recently studying DeFi security issues, I found that flash loans are truly a double-edged sword.
Speaking of flash loans, they are actually a relatively new concept in decentralized finance. After Aave first launched them in early 2020, more and more protocols began to support them. At first glance, flash loans offer arbitrage opportunities and rapid trading methods that traditional finance cannot provide, which sounds very promising.
But the key problem is that this unsecured, no-credit-check lending method has also become a breeding ground for attackers. I’ve seen several classic attack cases, the most interesting being the incident in 2020. The attacker borrowed a large amount of ETH via dYdX flash loans, then sent them separately to Compound and Fulcrum, and manipulated the price of WBTC through DEXs like Kyber and Uniswap. Because Uniswap’s liquidity was relatively low, large orders directly pushed up the price, causing Fulcrum to buy WBTC at a much higher cost than the market price. The attacker completed the entire operation within a single transaction, and by the time of liquidation, they had already made a profit.
There’s another case where someone used a flash loan to manipulate the price of sUSD to $2 (when it should be pegged to $1), then borrowed more ETH against the inflated collateral value. You see, the problem lies here—smart contracts can recognize price data, but they don’t understand the value peg that stablecoins should maintain.
So how can this be prevented? I think the core still comes down to solving the pricing problem.
First, using decentralized oracles is the safest approach. Don’t rely on a single price source; instead, aggregate “real prices” from multiple sources. This way, even if someone tries to manipulate prices with large orders, the oracle can resist it. The entire attack sequence must be completed within the same block, but the data submission mechanism of decentralized oracles makes this almost impossible.
Second, increasing the frequency of price updates can help. Liquidity pools query new prices more often, significantly shrinking the window for price manipulation. Although this might be more costly in practice, the security benefits are worth it.
Another technique is called Time-Weighted Average Price (TWAP), which doesn’t rely on a single moment’s price but takes the average over multiple blocks. Since flash loan attacks must be completed within a single block, they cannot manipulate the average price across multiple blocks.
Some protocols even integrate attack detection tools that can identify abnormal trading patterns in real time. While the effectiveness of these tools still needs more practical validation, the idea is sound.
Honestly, the DeFi space is still evolving rapidly. After each flash loan attack, the entire ecosystem learns and improves its defenses. I believe that as decentralized oracles and more innovative pricing strategies become widely adopted, flash loans will gradually shift from being “attack tools” back to their original purpose—providing innovative financial functions rather than being a source of risk.
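A minimal simulation of the TWAP defence described above, added here as an illustration and not taken from the post or from any protocol's code. The `TwapOracle` class, the 10-block window and the prices (a $1 peg pushed to $2, echoing the sUSD case) are constructed assumptions, and blocks are assumed to be equally spaced so that a plain mean of block-closing prices is time-weighted.

```python
from collections import deque


class TwapOracle:
    """Average of the last `window` block-closing prices (hypothetical helper)."""

    def __init__(self, window):
        self.window = window
        self.obs = deque(maxlen=window)  # (block_number, closing_price)

    def record_block(self, block_number, closing_price):
        # Called once per block with the price left in the pool at block end.
        self.obs.append((block_number, closing_price))

    def twap(self):
        if len(self.obs) < self.window:
            # Refuse to price off a partial window instead of silently
            # degrading to something close to a spot price.
            raise ValueError("not enough observations for a full window")
        return sum(price for _, price in self.obs) / len(self.obs)


def simulate(window=10, peg=1.00, spike=2.00):
    oracle = TwapOracle(window)
    for block in range(1, window + 1):  # constructed history at the peg
        oracle.record_block(block, peg)

    # Case 1: the price is pushed to `spike` and restored inside one transaction.
    spot_mid_tx = spike           # what a contract reading spot price sees
    twap_mid_tx = oracle.twap()   # no block has closed at the distorted price
    oracle.record_block(window + 1, peg)

    # Case 2: the distortion is left in place for one full block. The TWAP
    # moves, but only by (spike - peg) / window.
    oracle.record_block(window + 2, spike)
    twap_after_bad_block = oracle.twap()
    return spot_mid_tx, twap_mid_tx, twap_after_bad_block


if __name__ == "__main__":
    print(simulate())
```

The second case is the caveat worth keeping in mind: a TWAP dampens a distortion that survives across block boundaries rather than ignoring it, so the window length sets how much a single bad block can move the reported price.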