5 Biggest Flash Loan Attacks & Stats
Flash loan attacks exploit vulnerabilities in DeFi protocols, resulting in staggering losses. Learn about the biggest flash loan attacks to date in our guide.
1. Euler Finance - $197 Million Stolen (2023)
Blockchain Protocol: Ethereum
Date of Attack: March 13, 2023
Exploit Amount: $197M
Platform Type: Lending Protocol
Euler Finance suffered the largest flash loan attack in history, with an exploit amounting to $197 million. The hacker exploited a vulnerability in the DonateToReserve function, which created an imbalance in Euler’s token system, allowing them to misrepresent their collateral. By borrowing $30 million DAI via Aave, manipulating Euler’s token balances, and transferring the stolen funds through Tornado Cash, the attacker executed a highly sophisticated heist.
In a surprising twist, the attacker later returned the stolen funds, accompanied by an apology.
2. Cream Finance - $130 Million Stolen (2021)
Blockchain Protocol: Ethereum
Date of Attack: October 27, 2021
Exploit Amount: ~$130M
Platform Type: DeFi Lending
Cream Finance faced a $130 million exploit in 2021, targeting its Iron Bank and leveraging vulnerabilities in the Alpha Homora loan pool. The attacker created counterfeit deposits, manipulating the collateral system to drain funds.
Cream Finance responded with a comprehensive compensation plan and increased its security measures to rebuild user trust.
3. Beanstalk - $80 Million Stolen (2022)
Blockchain Protocol: Ethereum
Date of Attack: April 17, 2022
Exploit Amount: $80M
Platform Type: Stablecoin Protocol
The Beanstalk exploit used a flash loan to seize control of its governance system. By temporarily acquiring significant voting power, the attacker approved a proposal to transfer $182 million in assets to their wallet. After repaying the flash loan, they retained a profit of $80 million.
This attack exposed the dangers of weak governance mechanisms in DeFi protocols.
4. PancakeBunny - $45 Million Stolen (2021)
Blockchain Protocol: Binance Smart Chain (BSC)
Date of Attack: May 20, 2021
Exploit Amount: $45M
Platform Type: Yield Aggregator
The PancakeBunny attack was executed through price manipulation using a series of flash loans. The attacker borrowed large amounts of Binance Coin (BNB) to artificially inflate the price of BUNNY tokens, then dumped the inflated tokens back into the market.
The result? BUNNY’s price plummeted from $146 to just $6.17, causing significant losses to token holders.
5. Alpha Finance - $37.5 Million Stolen (2021)
Blockchain Protocol: Ethereum
Date of Attack: February 13, 2021
Exploit Amount: $37.5M
Platform Type: Leveraged Lending
Alpha Finance became the target of a highly complex flash loan attack. The hacker utilized a counterfeit “spell” contract to manipulate Alpha’s Iron Bank lending records, inflating their borrowing limits. This deception enabled the theft of $37.5 million.
In a peculiar move, the attacker tipped 1,000 ETH to the deployers of Alpha and Iron Bank and even made contributions to open-source projects.
Why are crypto flash loan attacks so common?
Flash loan attacks are particularly common because of their unique features: speed, no-collateral requirements, and reliance on smart contracts. Malicious actors exploit these traits by manipulating prices, front-running trades, or taking advantage of logical flaws in smart contracts.
DeFi is also fast-paced and, by nature, decentralized. While this has clear benefits for innovation and control, it also puts protocols at significant risk: anyone can access them, and they may not always have been vetted as thoroughly as they could be.
To prevent such exploits, robust smart contract audits and enhanced security mechanisms are essential.
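One such mechanism, shown for the governance case described under Beanstalk above: this is an added example, not code from Beanstalk or any other project named here. It is a toy Python model in which every name and number (Token, Governance, flash_loan, the balances and quorum) is constructed, and snapshot voting is assumed as a common mitigation, not presented as the fix any of these protocols adopted. It compares voting weight read from live balances with weight frozen at a block finalized before the proposal.

```python
# Constructed toy model, not any real protocol's code. All names are hypothetical.
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.history = []                      # history[n] = balances at end of block n

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def mine_block(self):
        self.history.append(dict(self.balances))

class Governance:
    def __init__(self, token, quorum, use_snapshot):
        self.token, self.quorum, self.use_snapshot = token, quorum, use_snapshot
        # Weights are frozen at the last block finalized before the proposal.
        self.snapshot = dict(token.history[-1])
        self.votes, self.voted = 0, set()

    def vote(self, voter):
        if voter in self.voted:
            raise ValueError("already voted")
        self.voted.add(voter)
        if self.use_snapshot:                  # hardened: balance before the proposal
            self.votes += self.snapshot.get(voter, 0)
        else:                                  # weak: whatever is held right now
            self.votes += self.token.balances.get(voter, 0)

    def passed(self):
        return self.votes >= self.quorum

def flash_loan(token, pool, borrower, amount, action):
    """Lend `amount` only for the duration of `action`; repaid in the same call."""
    token.transfer(pool, borrower, amount)
    action()
    token.transfer(borrower, pool, amount)     # raises if the loan cannot be repaid

def run(use_snapshot):
    token = Token({"pool": 1_000_000, "holders": 300_000, "borrower": 0})
    token.mine_block()                         # finalize balances before the proposal
    gov = Governance(token, quorum=600_000, use_snapshot=use_snapshot)
    flash_loan(token, "pool", "borrower", 900_000, lambda: gov.vote("borrower"))
    return gov.passed(), gov.votes, token.balances["borrower"]

if __name__ == "__main__":
    print("live-balance voting:", run(use_snapshot=False))
    print("snapshot voting:    ", run(use_snapshot=True))
```

With live balances the borrowed tokens meet quorum even though the borrower ends the transaction holding nothing; with the snapshot, the same vote carries zero weight.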