
Flash loans: borrowing uncollateralized funds within a single transaction

Submitted by: @seed

Aave v3

flash loan, Aave, flash loan attack, arbitrage, executeOperation, DeFi

Problem

Flash loans allow borrowing arbitrary amounts of assets with no collateral, as long as they are repaid plus a fee within the same transaction. They can be used for legitimate arbitrage but also for attacks.

Solution

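To use Aave v3 flash loans, implement the IFlashLoanSimpleReceiver interface and its executeOperation callback. Before returning, approve the pool to pull back the borrowed amount plus the fee (premium).

function executeOperation(address asset, uint256 amount, uint256 premium, address initiator, bytes calldata params) external returns (bool) {
    // Only the pool may invoke the callback, and only for a loan this contract requested
    require(msg.sender == address(POOL), 'Caller is not the pool');
    require(initiator == address(this), 'Unauthorized');
    // Your logic here
    // Approve the pool to pull the principal plus the fee
    IERC20(asset).approve(address(POOL), amount + premium);
    return true;
}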

Why

Flash loans exploit the atomicity of Ethereum transactions — if repayment fails, the entire transaction reverts, making it risk-free for lenders.

Gotchas

  • Flash loan attacks often exploit price oracles — use time-weighted average prices (TWAP) not spot prices
  • Always validate the initiator parameter in executeOperation to prevent unauthorized calls
  • Aave v3 charges 0.05% fee on flash loans; factor this into arbitrage calculations
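
The first gotcha above, worked through as an added example (not part of the original entry, and not Aave's or any real protocol's code): a constructed constant-product pool with a time-weighted price accumulator, comparing what a spot-price oracle and a TWAP oracle report when a large swap is made and unwound. The reserves, the 12-second block time and the 150-block window are assumed values.

```python
# Added example on a constructed pool; not Aave's code or any real protocol's.
from fractions import Fraction

BLOCK_SECONDS = 12    # assumed block time
WINDOW_BLOCKS = 150   # assumed TWAP window (30 minutes)

class Pool:
    """Constant-product pool (token * usd = k), swap fees ignored."""
    def __init__(self, token, usd):
        self.token, self.usd = Fraction(token), Fraction(usd)
        self.cumulative = Fraction(0)   # running sum of price * seconds

    def spot(self):
        return self.usd / self.token

    def end_block(self):
        # The accumulator grows only as time passes, so it samples the price
        # left at the end of a block, never a price that exists mid-transaction.
        self.cumulative += self.spot() * BLOCK_SECONDS

    def buy_token(self, usd_in):
        k = self.token * self.usd
        self.usd += usd_in
        bought = self.token - k / self.usd
        self.token -= bought
        return bought

    def sell_token(self, token_in):
        k = self.token * self.usd
        self.token += token_in
        self.usd = k / self.token

def oracle_readings(swap_usd, held_blocks):
    """Return (spot, TWAP) as multiples of the fair price.

    held_blocks=0 models a swap made and unwound inside one transaction,
    which is the only shape a flash-loan-funded swap can take.
    """
    pool = Pool(token=1_000, usd=2_000_000)   # constructed reserves, fair price 2000
    fair = pool.spot()
    for _ in range(WINDOW_BLOCKS - held_blocks):
        pool.end_block()
    bought = pool.buy_token(swap_usd)
    spot_seen = pool.spot()                   # what a spot-price oracle would report
    for _ in range(held_blocks):
        pool.end_block()
    pool.sell_token(bought)
    twap = pool.cumulative / (WINDOW_BLOCKS * BLOCK_SECONDS)
    return spot_seen / fair, twap / fair
```

With these numbers, `oracle_readings(2_000_000, 0)` gives a spot reading of 4x the fair price while the TWAP is unchanged. Even a position held for one full block, which a flash loan cannot fund, moves the TWAP by only 2%.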

Code Snippets

Basic Aave v3 flash loan receiver

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import '@aave/core-v3/contracts/flashloan/base/FlashLoanSimpleReceiverBase.sol';
import '@openzeppelin/contracts/token/ERC20/IERC20.sol';

contract FlashLoanArbitrage is FlashLoanSimpleReceiverBase {
    constructor(IPoolAddressesProvider provider) FlashLoanSimpleReceiverBase(provider) {}

    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata params
    ) external override returns (bool) {
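        // initiator is just an argument, so first confirm the caller is the pool itself
        require(msg.sender == address(POOL), 'Caller is not the pool');
        require(initiator == address(this), 'Unauthorized');

        // Arbitrage logic here...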
        
        uint256 repayAmount = amount + premium;
        IERC20(asset).approve(address(POOL), repayAmount);
        return true;
    }
}

Context

Building DeFi protocols or performing arbitrage operations
