Flash Loans Explained: How DeFi’s Uncollateralised Borrowing Works
Flash loans allow anyone to borrow millions in crypto with no collateral — as long as it is repaid within the same transaction. They power legitimate arbitrage
Flash loans are one of the most technically innovative — and most dangerous — financial instruments ever built on a blockchain. They allow anyone to borrow millions of pounds’ worth of cryptocurrency with zero collateral, as long as the entire borrowed amount plus a fee is repaid within the same blockchain transaction. No credit checks. No security deposit. No identity verification. If the repayment is not included in the same transaction, the entire loan is automatically cancelled as if it never happened. This guide explains how flash loans work, who uses them legitimately, how they have been weaponised to drain hundreds of millions of pounds from DeFi protocols, and what the risks mean for UK crypto investors.
What Is a Flash Loan?
A flash loan is a type of uncollateralised loan available on certain decentralised finance protocols. Unlike a traditional loan — where a lender requires security, proof of income, or a credit assessment before advancing funds — a flash loan requires nothing from the borrower except the ability to repay within the same blockchain transaction.
The mechanics exploit a fundamental property of how blockchain transactions work. On Ethereum, every transaction is atomic: it either completes entirely or fails entirely. There is no such thing as a transaction that partially executes. Flash loan protocols use this atomicity as the guarantee of repayment: the loan is advanced, the borrower uses the funds within the same transaction, the repayment is included in the same transaction, and only if all three steps succeed does the transaction finalise on the blockchain. If repayment is not included — because the arbitrage failed, the price moved, or the borrower simply tried to keep the money — the entire transaction reverts automatically and the lender’s funds are returned untouched.
Flash loans were first implemented by Aave, a decentralised lending protocol launched on Ethereum, in 2020. Aave charges a 0.09 per cent fee on flash loans. dYdX and Uniswap V2 later introduced their own flash loan mechanisms. As of 2026, hundreds of millions of pounds’ worth of flash loans execute on Ethereum and other EVM-compatible blockchains every day.
How Flash Loans Work: The Technical Mechanics
Understanding a flash loan requires understanding what happens within a single Ethereum transaction. Ethereum smart contracts can call other smart contracts within the same transaction, creating chains of interactions that complete atomically in what is effectively a single instant from the blockchain’s perspective.
A basic flash loan transaction works as follows. The borrower writes or uses a smart contract that first calls the flash loan protocol — Aave, for example — to borrow a specified amount, say 10 million USDC. The borrower then receives the 10 million USDC in the same transaction. The contract executes whatever operations are intended with those funds — purchasing tokens, repaying a debt, executing a trade on another protocol. Finally, it repays the 10 million USDC plus the 0.09 per cent fee — £9,000 in this example — in the same transaction. If all steps succeed, the transaction completes and is recorded on the blockchain. If any step fails, the entire transaction reverts.
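The borrow, use, repay sequence described above can be modelled in a few lines. This is an added example, not code from the article or from Aave: the ledger, the addresses ("pool", "venue", "borrower", "elsewhere") and the 15,000 USDC arbitrage gain are constructed for illustration, and a Python exception stands in for an EVM revert.

```python
from decimal import Decimal

FEE_RATE = Decimal("0.0009")  # the 0.09 per cent fee quoted above

class Revert(Exception):
    """Any failed step raises this; the whole transaction is then undone."""

class Ledger:
    """Toy token ledger mapping address -> balance (constructed model)."""
    def __init__(self, balances):
        self.balances = {k: Decimal(v) for k, v in balances.items()}

    def transfer(self, src, dst, amount):
        if self.balances.get(src, Decimal(0)) < amount:
            raise Revert(f"{src} cannot cover {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, Decimal(0)) + amount

def flash_loan(ledger, pool, borrower, amount, callback):
    """Advance, use and repay inside one atomic unit; True if it finalises."""
    snapshot = dict(ledger.balances)             # state before the transaction
    required = ledger.balances[pool] + amount * FEE_RATE
    try:
        ledger.transfer(pool, borrower, amount)  # 1. loan is advanced
        callback(ledger, borrower, pool, amount + amount * FEE_RATE)  # 2. borrower logic
        if ledger.balances[pool] < required:     # 3. lender checks repayment
            raise Revert("loan plus fee not repaid")
        return True
    except Revert:
        ledger.balances = snapshot               # revert: as if nothing happened
        return False

def repaying_borrower(ledger, me, pool, owed):
    # Stand-in for a successful arbitrage: a 15,000 USDC gain from "venue".
    ledger.transfer("venue", me, Decimal(15_000))
    ledger.transfer(me, pool, owed)              # 10,000,000 + 9,000 USDC fee

def non_repaying_borrower(ledger, me, pool, owed):
    # Moves the borrowed funds elsewhere and never repays.
    ledger.transfer(me, "elsewhere", ledger.balances[me])

def run(callback):
    ledger = Ledger({"pool": 10_000_000, "venue": 1_000_000, "borrower": 0})
    ok = flash_loan(ledger, "pool", "borrower", Decimal(10_000_000), callback)
    return ok, ledger.balances

if __name__ == "__main__":
    for cb in (repaying_borrower, non_repaying_borrower):
        print(cb.__name__, run(cb))
```

In the non-repaying run the pool ends with exactly the balance it started with and the "elsewhere" address never appears in the ledger, which is the guarantee the lender relies on in place of collateral.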
The gas cost of executing a flash loan — the fee paid to Ethereum validators for processing the transaction — is typically between £5 and £50 depending on network congestion and the complexity of operations within the transaction. This makes flash loans extraordinarily capital-efficient: a borrower can access and use £10 million of liquidity for a total infrastructure cost of roughly £50.
Legitimate Uses: Arbitrage, Collateral Swaps, and Self-Liquidation
Flash loans exist because they enable valuable economic functions that are impossible or prohibitively expensive without uncollateralised access to large capital amounts.
Arbitrage is the most common legitimate use. When the same token trades at slightly different prices on two decentralised exchanges — say USDC/ETH at a different ratio on Uniswap versus Curve — a flash loan allows a trader to borrow a large amount, buy the cheaper version, sell it at the higher price, repay the loan plus fee, and pocket the difference, all within a single transaction. This arbitrage compresses price discrepancies across DeFi protocols, contributing to market efficiency. In traditional finance, this type of arbitrage is only accessible to well-capitalised institutions; DeFi flash loans democratise access to it.
Collateral swaps allow borrowers in DeFi lending protocols to switch their collateral type without closing their loan position. A borrower using ETH as collateral on Aave who wants to switch to Wrapped Bitcoin can use a flash loan to repay their outstanding debt, withdraw their ETH, sell it for WBTC, deposit the WBTC as new collateral, and re-borrow the original amount — all atomically. Without flash loans, this operation would require a separate source of capital to repay the debt first.
Self-liquidation allows borrowers to close their own positions before they are liquidated by third parties, saving the liquidation penalty. This recovers more capital for the borrower than a forced liquidation would, benefiting individual users while reducing protocol liquidity fragility.
Flash Loan Attacks: How Hackers Exploit Them
Flash loans have become the tool of choice for a new category of DeFi exploit — the flash loan attack. By providing instantaneous access to enormous amounts of capital without cost, flash loans allow attackers to manipulate prices within a single transaction in ways that would be impossible or prohibitively expensive with their own funds.
The typical flash loan attack exploits a price oracle vulnerability. Many DeFi protocols rely on on-chain price oracles — typically the instantaneous spot price of a token pair on a specific decentralised exchange — to determine how much collateral a user has or how much they can borrow. An attacker can borrow a massive amount of a token via flash loan, use it to dramatically move the price on the oracle exchange, exploit the artificially distorted price to extract value from the vulnerable protocol, and repay the flash loan — all within one transaction, before any protective mechanism can respond.
The entire attack sequence — borrow, manipulate, exploit, repay — takes a fraction of a second and costs only the gas fees to execute. The scale of damage is limited only by the amount available to borrow and the size of the protocol being attacked.
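For protocol designers, the weakness is the choice of price source. The added example below (not from the article) compares what a spot-price oracle and a time-weighted average price (TWAP) oracle report after one oversized swap in a constant-product pool, and shows a defensive price read that refuses to value collateral while the two diverge. The pool reserves, the 30-minute window, the 12-second block time and the 5 per cent deviation limit are all assumptions chosen for illustration.

```python
POOL_USDC, POOL_TOKEN = 20_000_000.0, 10_000.0  # constructed pool reserves
WINDOW_S, BLOCK_S = 1800, 12                    # assumed TWAP window and block time

def spot_after_buy(usdc_in, usdc=POOL_USDC, token=POOL_TOKEN):
    """Spot price (USDC per TOKEN) after a constant-product (x*y=k) buy, fees ignored."""
    new_usdc = usdc + usdc_in
    new_token = usdc * token / new_usdc
    return new_usdc / new_token

def twap(observations):
    """Time-weighted average over (price, seconds_held) pairs."""
    return sum(p * s for p, s in observations) / sum(s for _, s in observations)

def oracle_readings(usdc_in):
    """What each oracle design reports right after one oversized swap."""
    before = spot_after_buy(0.0)
    after = spot_after_buy(usdc_in)
    # Worst case for the TWAP: the distorted price persists for one whole block.
    # Inside a single transaction it is held for zero seconds and has no weight.
    averaged = twap([(before, WINDOW_S - BLOCK_S), (after, BLOCK_S)])
    return {"spot_before": before, "spot_after": after, "twap_after": averaged}

def price_for_valuation(spot, reference, max_deviation=0.05):
    """Defensive read: use the averaged price, and refuse to value collateral
    while spot has diverged from it by more than max_deviation."""
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError("spot deviates from TWAP; pause price-dependent actions")
    return reference

if __name__ == "__main__":
    r = oracle_readings(10_000_000.0)
    print(r)
    try:
        price_for_valuation(r["spot_after"], r["twap_after"])
    except ValueError as exc:
        print("guard tripped:", exc)
```

With these constructed numbers a 10 million USDC swap moves the spot price from 2,000 to 4,500 USDC per token, while the 30-minute average moves to about 2,017; a protocol reading the averaged price and checking deviation is not exposed to the single-transaction distortion.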
Famous Flash Loan Exploits and the Sums Lost
The bZx protocol in February 2020 was the first high-profile flash loan attack. An attacker used 10,000 ETH borrowed via flash loan to manipulate the price of WBTC on a relatively illiquid exchange used as bZx’s oracle, borrowing far more than they should have been entitled to. The initial attack netted approximately £317,000 — and was followed days later by a second bZx attack exploiting similar vulnerabilities for a further £500,000.
The Harvest Finance exploit in October 2020 used flash loans to repeatedly manipulate stablecoin prices on Curve, triggering arbitrage mechanisms within Harvest’s vaults. The attacker withdrew approximately £24 million in profits within minutes across multiple transactions.
The Euler Finance hack in March 2023 — among the largest flash loan exploits by value — used a complex attack against Euler’s lending protocol to drain approximately £145 million across multiple assets including DAI, WBTC, USDC, and ETH. The attacker subsequently returned the funds in April 2023 following negotiations with the Euler team, an unusual outcome illustrating the growing capability of blockchain analytics firms to identify exploit addresses and apply reputational and legal pressure.
Collectively, flash loan attacks have accounted for billions of pounds in DeFi protocol losses since 2020. Research by DeFi security firm Rekt Database estimated that flash loans were used in over 40 per cent of the largest DeFi exploits by value between 2020 and 2025.
Are Flash Loans Legal in the UK?
Flash loans themselves are not illegal in the UK. As a technical DeFi primitive — a feature of smart contracts deployed on public blockchains — using them for legitimate purposes such as arbitrage or collateral management does not violate any UK law.
However, using flash loans to manipulate markets or exploit protocol vulnerabilities is a different matter. The Financial Services and Markets Act 2000 and the UK’s retained Market Abuse Regulation prohibit market manipulation — intentionally distorting the price of a financial instrument. Whether DeFi tokens qualify as financial instruments under this regime is still being determined through regulatory guidance and case law, but the FCA has made clear that it takes market manipulation in cryptoassets seriously and has enforcement powers that may extend to on-chain manipulation even where the tokens are not formally regulated as traditional financial instruments.
UK individuals who use flash loans to execute exploits on DeFi protocols may also face Computer Misuse Act liability for unauthorised access to computer systems — the argument being that exploiting a vulnerability in a smart contract goes beyond authorised use of the protocol. Several international law enforcement operations have successfully prosecuted DeFi hackers under analogous domestic legislation.
The Risk to Ordinary Crypto Investors
Ordinary UK crypto investors who do not directly engage with DeFi protocols have limited direct exposure to flash loan risk. However, flash loan attacks do affect DeFi protocol token prices and broader market sentiment — a significant DeFi exploit typically causes widespread selling pressure across the DeFi sector as investors reassess risk.
UK investors using DeFi yield farming, liquidity provision, or lending protocols have direct exposure: if the protocol you deposit into is exploited via a flash loan attack, your deposited funds may be at risk of partial or total loss. Protocol audits by reputable security firms such as Trail of Bits, OpenZeppelin, or Certora reduce but do not eliminate this risk — several successfully audited protocols have subsequently been exploited via novel attack vectors.
Insurance protocols including Nexus Mutual offer coverage against smart contract exploits for DeFi depositors, typically at annual premiums of 2 to 5 per cent of the covered amount. UK investors with substantial DeFi positions should consider whether this insurance cost is justified relative to the yield they are earning and the protocol’s historical security track record.
What This Means for UK Investors
Flash loans are one of the genuinely novel financial innovations that DeFi has produced — creating capital-efficient tools that have no equivalent in traditional finance. Their legitimate uses support price discovery and capital efficiency across decentralised markets. Their exploitation potential has created billions in losses and illustrated that on-chain price oracles remain a critical vulnerability in DeFi protocol architecture.
For UK investors, the practical implication is that DeFi carries risks that go well beyond price volatility — including technical exploits that can drain protocol liquidity regardless of market conditions. Understanding that risk before committing funds to any DeFi protocol is essential due diligence. No DeFi protocol, regardless of its audit status or track record, can be considered free from flash loan exploit risk.
UK investors considering DeFi exposure should limit DeFi allocations to amounts they could afford to lose entirely, diversify across multiple protocols rather than concentrating in one, prefer protocols with long track records and multiple completed security audits, and monitor DeFi security news sources such as Rekt Database and DeFi Llama’s hack tracker.
This article is for educational purposes only and does not constitute financial advice. Cryptocurrency investments involve significant risk. Always do your own research.