A few weeks ago I gave a presentation discussing the “flash loan” pattern and some of its security considerations.
This is a powerful DeFi primitive and it is good to know how it works and what to watch out for when auditing implementations of this pattern.
We don’t discuss “macro” vulnerabilities (like the recent pump and dump “hack”) because those aren’t really intrinsic to the flash loan pattern – any whale or coalition of attackers can do the same thing. Here we discuss only the security considerations that are intrinsic to flash loans. (Perhaps we can do a separate presentation on “macro” DeFi vulns that are available to whales, coalitions, and flash borrowers.)
A recording of the presentation can be found here: The Flash Loan Pattern - Presentation video
And the slides can be found here:
If the borrower can make the Lending contract call any arbitrary function on any arbitrary contract during the , then they can (among other things) drain the Lending contract of all of its ERC20 tokens.
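The arbitrary-call risk described above, shown as an added example that is not code from the presentation or from any particular lending project: the risky shape is kept as a comment beside a hardened `flashLoan`. All contract and interface names (`IERC20Minimal`, `IFlashBorrower`, `Lender`) are hypothetical, and the token is assumed to return `bool` from `transfer`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: every name here is hypothetical, chosen for illustration.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashBorrower {
    function onFlashLoan(address token, uint256 amount, bytes calldata data) external;
}

contract Lender {
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // RISKY shape (kept as a comment, do not deploy): the borrower supplies both
    // the call target and the calldata, so the call can be aimed at the token
    // contract itself, which then sees the Lender as msg.sender:
    //
    //   function flashLoan(uint256 amount, address target, bytes calldata data) external {
    //       ...
    //       (bool ok, ) = target.call(data);
    //       ...
    //   }

    // Hardened shape: the only external call during the loan is a fixed callback
    // on the borrower itself. Neither the target nor the selector is caller-chosen.
    function flashLoan(IERC20Minimal token, uint256 amount, bytes calldata data)
        external
        nonReentrant
    {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transfer(msg.sender, amount), "transfer failed");

        IFlashBorrower(msg.sender).onFlashLoan(address(token), amount, data);

        // Repayment is checked by balance, after the callback returns.
        require(token.balanceOf(address(this)) >= balanceBefore, "loan not repaid");
    }
}
```

When auditing, the end-of-loan balance check is not a substitute for restricting the call: it only confirms the balance at that instant, not what the Lender was made to authorize during the callback.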