defirisk.co
rubric v1.7.0

Flash loan >$10M targeting protocol tokens

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a rt cadence.

Methodology how we score #

**What this measures** This real-time signal fires when a flash loan origination exceeding $10M is observed in the mempool or on-chain, where the loaned assets are protocol tokens or LP tokens, or where the subsequent transaction flow is directed toward the monitored protocol. The $10M threshold is configurable per protocol tier. Flash loan originations are detected via mempool monitoring combined with known flash-loan-provider event signatures (Aave, dYdX, Balancer, Uniswap V3). Category 6 context: while flash loans are legitimate DeFi infrastructure, their combination with protocol-token denomination and immediate protocol interaction is the defining pattern of the flash-loan-amplified exploit class.

**Why it matters** Flash-loan-amplified exploits account for more than 20 data points in the T-01 hack database, representing the largest single on-chain exploit class. Cetus Protocol ($223M) initiated flash loans of 56,700 SUI at exploit start, repeated for each subsequent pool. Euler Finance ($197M) involved flash loans combined with leverage-creating eToken/dToken positions in a single block. PancakeBunny ($45M) used eight simultaneous flash loans from different providers — a highly anomalous pattern. The synthesis document notes: "Flash loans are infrastructure, not a signal" — but flash loans correlated with protocol-token interaction and large notional size cross the threshold into a meaningful exploit-in-progress indicator.

**Green / Yellow / Red** Green is the baseline when all flash loan originations directed at the protocol are below the threshold or involve non-protocol assets in patterns consistent with legitimate arbitrage. Yellow fires when a large flash loan originates targeting protocol-adjacent assets but the subsequent transaction pattern is not consistent with known exploit templates. Red fires when a flash loan exceeding $10M in protocol tokens originates and the subsequent transaction flow matches known-exploit-class interaction patterns (oracle manipulation, governance attack, reentrancy setup).

**Common gray cases** Gray applies when the protocol itself uses flash loans as a core mechanism (e.g., a flash-loan provider protocol), making it impossible to distinguish internal from external flash loan originations.

**Notable historical examples** - **Cetus Protocol** ($223M, 2025): Flash loan of 56,700 SUI at exploit initiation; repeated for each subsequent pool drain. - **Euler Finance** ($197M, 2023): Flash loans combined with leverage positions in a single block; extreme eToken/dToken imbalance. - **Fei/Rari Fuse** ($80M, 2022): Large flash loans followed by immediate borrow-and-exit sequences. - **PancakeBunny** ($45M, 2021): Eight simultaneous flash loans from different providers — highly anomalous. - **Harvest Finance** ($33.8M, 2020): $50M flash loan from Uniswap initiated each of the 32 manipulation cycles.

Measurement what to look for #

Detect whether a flash loan >$10M denominated in protocol tokens or LP tokens has originated, likely to interact with this protocol.

Data & output #

Data source
Aave/Uniswap/Balancer flash-loan provider events + protocol token address filter
Output format
Green / Yellow / Red
Evidence artifact
Flash-loan tx hash + originating protocol + amount USD + borrower address
Confidence signal
green = signal not firing; red = flash loan above threshold detected; gray = flash-loan monitoring not configured

Scored protocols 80 carry this factor #

Protocol RD-F-100
Aave v3 ethereum green Across Protocol ethereum green Aerodrome Finance base green Axelar Network ethereum not_applicable Babylon Protocol bitcoin not_applicable Balancer (v2 + v3) ethereum green Beefy Finance ethereum green BENQI avalanche gray BlackRock USD Institutional Digital Liquidity Fund (BUIDL) ethereum not_applicable Cap (cUSD / stcUSD) ethereum gray Centrifuge ethereum green Chainlink CCIP ethereum not_applicable Circle USYC binance not_applicable Compound V3 (Comet) ethereum green Concrete ethereum gray Convex Finance ethereum green crvUSD (Curve Stablecoin) ethereum green Curve Finance ethereum yellow deBridge ethereum gray Dolomite ethereum yellow dYdX v4 (dYdX Chain) dydx not_applicable EigenLayer ethereum not_assessed Ethena ethereum green ether.fi ethereum green Euler V2 ethereum not_assessed Falcon Finance ethereum green Fluid ethereum green Frax Finance ethereum gray GMX v2 (GMX Synthetics) arbitrum green Hyperlane ethereum not_applicable Hyperliquid arbitrum gray Jito solana green Jupiter solana gray Jupiter Perpetual Exchange solana gray JustLend DAO tron not_applicable Kamino Lend solana green Kinetiq hyperliquid not_applicable Lido ethereum green Liquid Collective (LsETH) ethereum gray Liquity V1 + V2 (LUSD / BOLD) ethereum green Lista DAO bsc green Lombard Finance ethereum green M^0 ethereum green Maple Finance ethereum green Marinade Finance solana not_applicable Meteora solana green mETH Protocol ethereum green Midas ethereum gray Morpho V1 (Morpho Blue + MetaMorpho) ethereum yellow Multipli ethereum green Ondo Finance ethereum green OpenEden ethereum green Orca solana not_applicable PancakeSwap bsc yellow Pendle Finance ethereum green Polymarket polygon not_assessed QuickSwap polygon not_applicable Raydium solana gray Rocket Pool ethereum green Sanctum solana not_applicable Save (formerly Solend) solana gray Sky Lending (formerly MakerDAO) ethereum gray Spark Protocol ethereum green Spiko stellar not_applicable Stake DAO ethereum green StakeWise v3 ethereum green Stargate Finance ethereum gray stHYPE (Valantis Labs) hyperliquid gray SUNSwap (sun.io) tron gray Superstate ethereum not_applicable Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap ethereum green Symbiotic ethereum not_applicable Synapse Protocol ethereum not_assessed Uniswap (v2 + v3) ethereum green USDD (Decentralized USD) tron green Usual (USD0 / bUSD0 / USUAL) ethereum green Veda (BoringVault) ethereum gray Venus Protocol bsc green Wormhole ethereum green Yearn Finance ethereum yellow
0 red · 5 yellow · 38 green

Linked hacks 32 historical incidents #

illustrativeShibarium (Bridge) — Flash Loan Validator Capture → Fraudulent Checkpoint → Bridge Drain2025-09-12 · $3M · Flash Loan Validator Capture → Fraudulent Checkpoint → Bridge Drain · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 4.6M BONE flash-purchased in same block as exploit; validator power spiked anomalously]
illustrativeCetus Protocol — Integer Overflow / Division-by-Near-Zero in Concentrated Liquidity Math2025-05-22 · $223M · Integer Overflow / Division-by-Near-Zero in Concentrated Liquidity Math · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N + detail): YES** — Flash loan of 56,700 SUI at exploit initiation. Repeated flash loans for each subsequent pool.]
illustrativeVelocore — Fee Multiplier Manipulation + Underflow → Liquidity Token Mint2024-06-02 · $7M · Fee Multiplier Manipulation + Underflow → Liquidity Token Mint · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loan as part of exploit sequence]
illustrativeSonne Finance — Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation2024-05-14 · $20M · Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — Massive flash-loan-funded borrowing across multiple markets in a single transaction]
illustrativeHedgey Finance — Unverified User Input — Flash Loan Enabled Approval Manipulation2024-04-19 · $45M · Unverified User Input — Flash Loan Enabled Approval Manipulation · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — $1.3M Balancer flash loan used as attack capital]
illustrativeWooFi (WooPPV2) — Flash loan → WOO oracle price manipulation → pool swap drain2024-03-05 · $9M · Flash loan → WOO oracle price manipulation → pool swap drain · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — the attacker used a flash loan to pump and manipulate WOO price; detectable as an unusually large flash loan on a low-liquidity token]
illustrativeYearn Finance (legacy iearn TUSD V1 vault — deployed 2020) — Flash loan → misconfigured vault (TUSD vault tracking iSUSD/sUSD strategy) → share accounting inflation → Curve yPool drain2023-12-16 · $293K · Flash loan → misconfigured vault (TUSD vault tracking iSUSD/sUSD strategy) → share accounting inflation → Curve yPool drain · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 30M USDC Morpho flash loan is a strong signal on a legacy vault with minimal TVL]
illustrativeKyberSwap Elastic — Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case2023-11-22 · $48M · Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — flash loans used to bootstrap tick manipulation]
illustrativeRaft — Flash loan + collateral inflation via position liquidation → infinite R mint → stablecoin dump2023-11-10 · $3M · Flash loan + collateral inflation via position liquidation → infinite R mint → stablecoin dump · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — 6.7M R minted in a single transaction against flash-loan-inflated collateral]
illustrativeConic Finance — Read-only reentrancy in CurveLPOracleV2 (ETH/WETH mismatch bypassed reentrancy guard) + sandwich attack on imbalanced pool2023-07-21 · $4M · Read-only reentrancy in CurveLPOracleV2 (ETH/WETH mismatch bypassed reentrancy guard) + sandwich attack on imbalanced pool · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — 20K stETH flash loan]
illustrativeEuler Finance — Donation Function Bypassing Health Check (Logic Bug in EIP-14 upgrade)2023-03-13 · $197M · Donation Function Bypassing Health Check (Logic Bug in EIP-14 upgrade) · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N + detail): YES** — The attack involved taking flash loans and using Euler's leverage system to create extreme eToken/dToken positions in a single block...]
illustrativeSovryn — External call reentrancy via callTokensToSend — token price inflation via mid-transaction mint → overclaim via burn2022-10-04 · $1M · External call reentrancy via callTokensToSend — token price inflation via mid-transaction mint → overclaim via burn · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loan borrow followed by abnormal series of side token conversions]
illustrativeNirvana Finance — Flash Loan + AMM Price Manipulation (Treasury Drain)2022-07-28 · $4M · Flash Loan + AMM Price Manipulation (Treasury Drain) · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — $10M flash loan from Solend]
illustrativeFei Protocol / Rari Capital (Fuse) — Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern2022-04-30 · $80M · Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loans followed by immediate borrow-and-exit sequences visible on-chain]
illustrativeElephant Money — Flash loan + spot price manipulation during stablecoin minting2022-04-12 · $22M · Flash loan + spot price manipulation during stablecoin minting · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 131K WBNB + 91M BUSD flash loan from PancakeSwap is anomalous]
illustrativeDeus DAO (DEI lending contract) — Flash loan oracle manipulation via Solidly AMM pool → user position liquidation2022-03-15 · $3M · Flash loan oracle manipulation via Solidly AMM pool → user position liquidation · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — 24.7M DEI flash loaned from oracle pool]
illustrativeDeus DAO (1st incident) — Flash loan → spot price manipulation of Solidex USDC/DEI AMM pool (used as oracle) → user positions liquidated2022-03-15 · $3M · Flash loan → spot price manipulation of Solidex USDC/DEI AMM pool (used as oracle) → user positions liquidated · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — large DEI flash loan from the oracle pool itself]
illustrativeIndexed Finance — Flash Loan — Rebalancing Delay Pool Oracle Manipulation2021-10-14 · $16M · Flash Loan — Rebalancing Delay Pool Oracle Manipulation · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — flash loans of pool assets used to manipulate reference token balance]
illustrativeCream Finance — ERC777 reentrancy via newly integrated AMP token — reentrant `borrow()` before state update2021-08-30 · $19M · ERC777 reentrancy via newly integrated AMP token — reentrant `borrow()` before state update · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Yes — detectable in-exploit**: 17 sequential transactions each involving a flash loan + double borrow cycle. Reentrancy within borrow would ...]
illustrativePopsicle Finance (Sorbetto Fragola) — Fee Accounting Bug — LP Token Transfer Without Reward Checkpoint2021-08-04 · $20M · Fee Accounting Bug — LP Token Transfer Without Reward Checkpoint · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — large multi-asset AAVE flash loan]
illustrativePancakeBunny (Polygon deployment — polyBUNNY) — Flash Loan + Reward Minting Manipulation (Performance Fee Inflation)2021-07-18 · $2M · Flash Loan + Reward Minting Manipulation (Performance Fee Inflation) · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — large AAVE flash loan]
illustrativeAutoShark Finance — Flash loan + SharkMinter balance spoofing → excess native token minting2021-06-01 · $745K · Flash loan + SharkMinter balance spoofing → excess native token minting · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — 100K BNB flash loan]
illustrativeBelt Finance — Flash Loan + Price/Share Manipulation (Incorrect Share Valuation)2021-05-29 · $6M · Flash Loan + Price/Share Manipulation (Incorrect Share Valuation) · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — 8 simultaneous flash loans from PancakeSwap ($385M BUSD)]
illustrativeBurgerSwap — Reentrancy via non-standard BEP-20 + missing x*y=k invariant check2021-05-28 · $7M · Reentrancy via non-standard BEP-20 + missing x*y=k invariant check · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — 6,000 WBNB flash swap]
illustrativePancakeBunny — Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting2021-05-19 · $45M · Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 8 simultaneous flash loans from different sources is highly anomalous]
illustrativebEarnFi (BvaultsBank) — Logic bug — token denomination mismatch between vault and strategy layers2021-05-16 · $18M · Logic bug — token denomination mismatch between vault and strategy layers · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loan from CREAM ($7.8M BUSD) as exploit initiator]
illustrativeSpartan Protocol — Flash loan + inflated pool balance → LP burn liquidity share manipulation2021-05-01 · $31M · Flash loan + inflated pool balance → LP burn liquidity share manipulation · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 100K WBNB flash loan ($61M notional)]
illustrativeBT Finance + Growth DeFi (two separate hacks, one article) — BT Finance: Flash Loan Price Manipulation; Growth DeFi: Fake Token LP Injection2021-02-09 · $2M · BT Finance: Flash Loan Price Manipulation; Growth DeFi: Fake Token LP Injection · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y (BT Finance — large flash loan)]
illustrativeYearn Finance (yDAI v1 vault) — Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration2021-02-04 · $11M · Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 116K ETH flash from dYdX + 99K ETH from Aave + 134M USDC + 129M DAI from Compound is one of the largest coordinated flash borrowing even...]
illustrativeOrigin Protocol (OUSD) — Flash loan + fake token injection → missing mintMultiple() validation → reentrancy → rebase inflation → drain2020-11-17 · $8M · Flash loan + fake token injection → missing mintMultiple() validation → reentrancy → rebase inflation → drain · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 70,000 ETH flash loan from dYdX (very large flash loan for November 2020)]
illustrativeHarvest Finance — Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain2020-10-26 · $34M · Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — $50M flash loan from Uniswap initiated each cycle]
illustrativeEminence Finance (EMN) — Flash loan + bonding curve arbitrage (buy/burn/sell cycle)2020-09-28 · $15M · Flash loan + bonding curve arbitrage (buy/burn/sell cycle) · Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loan from Uniswap pool visible on-chain]
rubric_version v1.7.0 factor RD-F-100 category 6 carried 80 critical no