A flash loan works because of a property unique to blockchains called atomicity: a transaction either completes every instruction it contains or none of them, with no partial outcome possible. That guarantee lets a lending protocol hand over funds with zero upfront collateral, because if the borrower's code fails to repay the loan plus a small fee before the transaction ends, the sequence is automatically undone as if it had never happened. The lender takes on no credit risk at all.
The whole operation runs inside code the borrower writes in advance. A single smart contract requests the funds on a network like Ethereum, executes a chain of pre-programmed actions using that capital, and returns the principal plus fee, all within one transaction lasting seconds. Since nothing is held over time, the only real cost is the network's gas fee.
- Arbitrage: buying an asset cheaply on one exchange and selling it higher on another without tying up any personal capital.
- Collateral swaps: replacing the collateral behind an existing loan without first paying it off.
- Self-liquidation: closing an undercollateralized position on favorable terms before a liquidation bot can seize it at a penalty.
Aave popularized flash loans in 2020, and other protocols such as dYdX and Uniswap later built comparable features. The same mechanism has also become a common attack vector: with no capital at risk, an attacker can borrow enormous sums to manipulate price oracles, sway governance votes, or trigger a flawed accounting function, all inside one transaction. The 2023 Euler Finance exploit, which drained roughly $197 million before the attacker returned most of the funds, remains the largest flash loan attack on record. The risk lies in exploitable logic elsewhere in DeFi, not in the loan mechanism itself.