Flash Loans Expose Growing Gap in DeFi Insurance

Flash loans themselves are not the problem — vulnerable code is


whitehoune/Shutterstock.com modified by Blockworks


Flash loan attacks are not common — but their consequences are dire.

Most recently, decentralized finance (DeFi) lending and borrowing protocol Euler Finance booked a $197 million loss in a flash loan attack.

The attacker exploited a vulnerable code, Euler Labs, the team behind the Euler Finance protocol, said in a tweet, tricking it into believing there were fewer collateral tokens than debt tokens.

“As a result, the attacker was able to liquidate these underwater accounts and profit from the liquidation bonuses,” the company tweeted

Hugh Karp, the founder of Nexus Mutual, a smart contract insurance company, told Blockworks that flash loans themselves —  where traders are able to borrow cryptocurrencies without any collateral and return assets within the same transaction — are not the problem.

“Flashloans sound sexy, but all flash loans do is allow a hacker to conduct the attack without having spare funds lying around,” Karp said. “The attack would have been exploitable without the use of flash loans.”

Blockworks Research analyst Ren Yu Kong said that, ultimately, a fundamental vulnerability exists within the smart contract for a flash loan attack to happen. 

“Flash loan attacks are as preventable as any other attack vector, and at the day it still requires developers to go through various security audits and take into account flash loans as an attack vector when writing the code,” Kong said.

The real problem, though, according to Karp, is whether humans are capable of creating secure software free of defects. 

“While that’s possible, it is quite difficult as even the most security-focused teams, such as NASA and teams within the aviation industry, struggle with this,” Karp said.

Even if DeFi security continues to improve, the possibility of failure is rather inevitable — at some point. 

“DeFi cover providers have to be very careful with their risk selection and in their risk management practices, like setting exposure limits and adequately pricing risk. There are no shortcuts,” Karp said.

Jesse Pollack, Coinbase’s protocol lead, said in a tweet that in order to prevent further attacks, “better insurance primitives and coverage need to be a part of the solution.”

Existing DeFi insurance is underpriced, according to Kong — considering it’s often marketed as yield, though the costs associated with an insurance premium could potentially outweigh the downside protection it provides.

“That’s a combination of exploits in DeFi generally being all or nothing — if a protocol gets exploited, more often than not everything is gone — and a much higher percentage chance of an exploit occurring than insurance underwriters price,” Kong said. 

Another solution, a Twitter user who goes by Duncan said, is bringing in more audits to cover soft exploits, adding that there are a “ton of different examples right now” along those lines.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research Report Templates.png


ZKPs enable efficient offchain transaction processing and validation, resulting in increased throughput and reduced fees. Solana's ZK Compression leverages ZKPs to minimize onchain storage costs, while Sui's zkLogin streamlines user onboarding by replacing complex key management with familiar OAuth credentials.


Plus, is Polymarket this cycle’s breakthrough mainstream app?


The crypto asset manager lowered its planned fee from 0.25% to 0.15%, undercutting its competitors


Plus, a look at planned ETH ETF fees and how they differ from their BTC counterparts


North Korea suspected in breach of Indian exchange’s multisig wallet


Plus, Sanctum’s CLOUD token has officially launched — but not without problems


It’s not yet clear whether Donald Trump is pumping bitcoin. But an unofficial memecoin is still seeing benefit.