By Michelle Legge, Head of Crypto Tax Education
Updated Dec 13, 2024
This article has been fact checked and reviewed as per our editorial policy.

5 Biggest Flash Loan Attacks & Stats

Flash loan attacks exploit vulnerabilities in DeFi protocols, resulting in staggering losses. Learn about the biggest flash loan attacks to date in our guide.

1. Euler Finance - $197 Million Stolen (2023)

  • Blockchain Protocol: Ethereum

  • Date of Act: March 13, 2023

  • Exploit Amount: $197M

  • Platform Type: Lending Protocol

Euler Finance suffered the largest flash loan attack in history, with an exploit amounting to $197 million. The hacker exploited a vulnerability in the DonateToReserve function that created an imbalance in Euler’s token system, allowing them to misrepresent their collateral. By borrowing $30 million DAI via Aave, manipulating Euler’s token balances, and transferring the stolen funds through Tornado Cash, the attacker executed a highly sophisticated heist.

In a surprising twist, the attacker later returned the stolen funds, accompanied by an apology.


2. Cream Finance - $130 Million Stolen (2021)

  • Blockchain Protocol: Ethereum

  • Date of Act: October 27, 2021

  • Exploit Amount: ~$130M

  • Platform Type: DeFi Lending

Cream Finance faced a $130 million exploit in 2021, targeting its Iron Bank and leveraging vulnerabilities in the Alpha Homora loan pool. The attacker created counterfeit deposits, manipulating the collateral system to drain funds.

Cream Finance responded with a comprehensive compensation plan and increased its security measures to rebuild user trust.

3. Beanstalk - $80 Million Stolen (2022)

  • Blockchain Protocol: Ethereum

  • Date of Act: April 17, 2022

  • Exploit Amount: $80M

  • Platform Type: Stablecoin Protocol

The Beanstalk exploit used a flash loan to seize control of its governance system. By temporarily acquiring significant voting power, the attacker approved a proposal to transfer $182 million in assets to their wallet. After repaying the flash loan, they retained a profit of $80 million.

This attack exposed the dangers of weak governance mechanisms in DeFi protocols.
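The following is an added example, not part of the original article and not Beanstalk's code. It is a toy Python model of why counting votes from live balances gives weight to tokens held only inside one transaction, and why reading balances at a snapshot block before the vote gives them none. The names `CheckpointedToken`, `vote_weight` and `same_block_vote`, and all amounts and block numbers, are constructed for illustration.

```python
from bisect import bisect_right
class CheckpointedToken:
    """Toy token that checkpoints balances per block (constructed model)."""
    def __init__(self):
        self.block = 1                       # current block number
        self._hist = {}                      # holder -> ([blocks], [balances])
    def balance_at(self, holder, block):
        blocks, bals = self._hist.get(holder, ([], []))
        i = bisect_right(blocks, block)      # last checkpoint at or before `block`
        return bals[i - 1] if i else 0

    def balance(self, holder):
        return self.balance_at(holder, self.block)

    def _set(self, holder, amount):
        blocks, bals = self._hist.setdefault(holder, ([], []))
        if blocks and blocks[-1] == self.block:
            bals[-1] = amount                # same block: only the final value persists
        else:
            blocks.append(self.block)
            bals.append(amount)

    def mint(self, holder, amount):
        self._set(holder, self.balance(holder) + amount)

    def transfer(self, src, dst, amount):
        if self.balance(src) < amount:
            raise ValueError("insufficient balance")
        self._set(src, self.balance(src) - amount)
        self._set(dst, self.balance(dst) + amount)

def vote_weight(token, voter, snapshot_block=None):
    """Live balance when snapshot_block is None, else balance at a past block."""
    if snapshot_block is None:
        return token.balance(voter)          # weak: counts tokens held mid-transaction
    if snapshot_block >= token.block:        # snapshot must predate the voting block
        raise ValueError("snapshot must be an already finalized block")
    return token.balance_at(voter, snapshot_block)

def same_block_vote(snapshot):
    """Borrow, vote and repay in one block; return (borrower, holder) vote weights."""
    t = CheckpointedToken()
    t.mint("pool", 1_000_000)                # block 1: lending pool liquidity
    t.mint("holder", 50_000)                 # block 1: long-term holder
    t.block = 10                             # voting block; snapshot taken at block 9
    t.transfer("pool", "borrower", 1_000_000)
    weight = vote_weight(t, "borrower", 9 if snapshot else None)
    t.transfer("borrower", "pool", 1_000_000)  # loan repaid in the same block
    return weight, vote_weight(t, "holder", 9 if snapshot else None)
```

With live balances the borrowed tokens outvote the long-term holder; with a snapshot the borrower's weight is zero and the holder's is unchanged.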


4. PancakeBunny - $45 Million Stolen (2021)

  • Blockchain Protocol: Binance Smart Chain (BSC)

  • Date of Act: May 20, 2021

  • Exploit Amount: $45M

  • Platform Type: Yield Aggregator

The PancakeBunny attack was executed through price manipulation using a series of flash loans. The attacker artificially inflated the price of BUNNY tokens by borrowing large amounts of Binance Coin (BNB) and dumping the inflated tokens back into the market.

The result? BUNNY’s price plummeted from $146 to just $6.17, causing significant losses to token holders.

5. Alpha Finance - $37.5 Million Stolen (2021)

  • Blockchain Protocol: Ethereum

  • Date of Act: February 13, 2021

  • Exploit Amount: $37.5M

  • Platform Type: Leveraged Lending

Alpha Finance became the target of a highly complex flash loan attack. The hacker utilized a counterfeit “spell” contract to manipulate Alpha’s Iron Bank lending records, inflating their borrowing limits. This deception enabled the theft of $37.5 million.

In a peculiar move, the attacker tipped 1,000 ETH to the deployers of Alpha and Iron Bank and even made contributions to open-source projects.


Why are crypto flash loan attacks so common?

Flash loan attacks are particularly common because of their unique features: speed, no-collateral requirements, and reliance on smart contracts. Malicious actors exploit these traits by manipulating prices, front-running trades, or taking advantage of logical flaws in smart contracts.

DeFi is also fast-paced and, by nature, decentralized. While this has clear benefits for innovation and control, it also carries significant risk: anyone can access a protocol, and protocols may not always have been vetted as thoroughly as they could be.

To prevent such exploits, robust smart contract audits and enhanced security mechanisms are essential.
