Emerging Threats in DeFi: Oracle Attacks, Flash Loans & How to Stay Safe

B
BlockGuard Team
DeFi Oracle Attacks Flash Loans Multi-Sig Hacks Smart Contract Bugs
Emerging Threats in DeFi: Oracle Attacks, Flash Loans & How to Stay Safe

Decentralized Finance (DeFi) continues to expand across Ethereum and Layer-2 networks, locking in billions of dollars in smart contracts. However, this growth has been shadowed by a wave of sophisticated exploits. In 2024 alone, blockchain hacks (many targeting DeFi protocols) led to roughly $730 million in losses. Attackers have refined techniques like price oracle manipulation and flash loan exploits to drain funds, while new threat vectors – from multi-signature wallet compromises to novel smart contract bugs – have emerged. This report explores the most notable DeFi attack vectors of 2024–2025 on Ethereum and its Layer-2 ecosystems, illustrated by recent high-profile exploits, and provides actionable security tips for both developers and everyday users to protect their funds.

alt text

Figure: Top 10 DeFi attack vectors in 2024 by total losses and number of incidents (Jan–Nov). Stolen private keys were the single largest cause of losses ($449M), followed by price oracle manipulation exploits ($52M across 37 incidents). Even well-known bugs like reentrancy still accounted for significant losses, underscoring the need for rigorous security practices in DeFi.

Oracle Manipulation Attacks – Pricing the Unthinkable

One major threat in 2024–25 is price oracle manipulation – where attackers exploit how DeFi protocols fetch asset prices. Many DeFi platforms rely on on-chain exchanges or custom oracles for token prices. If those sources are thinly traded or unprotected, a hacker can swing the price and mislead the protocol’s logic. These attacks often use flash loans and aggressive trading to temporarily inflate or deflate a token’s price, tricking protocols into overvaluing the attacker’s assets (or undervaluing liabilities) so they can steal funds.

For example, in November 2024 an attacker targeted Polter Finance on Fantom. Polter’s lending protocol used the DEX SpookySwap as the price source for the BOO token. By taking out large flash loans and momentarily pulling liquidity, the attacker artificially pumped BOO’s price to astronomical levels. In one instance, a tiny deposit of BOO was suddenly valued at $1.37 trillion in collateral. The hacker then borrowed against this phantom collateral and escaped with about $12 million, leaving Polter Finance with worthless collateral and bad debt. The root cause was an oracle design failure, the protocol’s UniV2 price adapter didn’t sanity-check the DEX price against historical data or limits, so it accepted the manipulated price as genuine.

Oracle exploits are not limited to volatile tokens; even yield-bearing stablecoins can be abused. In February 2024, a “donation attack” was executed on Mountain Protocol’s wrapped stablecoin wUSDM. The attacker borrowed ~$4 million via flash loan and “donated” it into the wUSDM vault, artificially inflating the vault’s exchange rate from 1.06 to 1.70. They then used the overvalued wUSDM as collateral on Venus Protocol (a lending platform) and performed self-liquidations to profit about $200,000, while Venus was left with over $716,000 in losses due to the bad price feed. In essence, the vault’s oracle thought each wUSDM was worth $1.70, allowing the attacker to borrow far more against it than it was truly worth.

Such oracle manipulation attacks ranked as the second most prevalent DeFi attack vector in 2024, with dozens of incidents causing over $50 million in losses. Mitigations are critical: protocols should use robust oracle mechanisms (ideally decentralized price oracles like Chainlink or Uniswap TWAPs) and implement sanity checks or circuit-breakers. Time-weighted average prices (TWAP) can smooth out momentary spikes, and comparing multiple price sources can detect anomalies. In the wUSDM case, the post-mortem noted that using a cross-chain oracle or capping the vault’s reported yield could have prevented the attack – indeed, platforms like Aave have introduced capped oracles (the CAPO system) to prevent implausible price jumps. The key lesson: don’t trust a single source blindly – if a price input suddenly implies a token market cap larger than the entire crypto market, something is wrong!

Flash Loan Exploits – Money for Nothing (in One Block)

Flash loans remain one of the most notorious tools in the attacker’s toolkit. A flash loan lets anyone borrow a huge sum of cryptocurrency with no collateral, as long as the loan is paid back within the same transaction. This means an attacker can marshal millions of dollars for a few seconds to execute complex multi-step exploits – essentially “free” money to leverage any weakness. Since the concept was first used in DeFi hacks in 2020, flash loans have only grown more common and were implicated in many 2024 exploits.

Flash loans by themselves are not bugs – rather, they enable attackers to bypass normal constraints (capital, collateral, timing) and hit protocols with extreme scenarios that weren’t anticipated. By chaining multiple actions in one atomic transaction, a flash loan attack can manipulate prices, execute trades, and steal funds all before any external party can intervene. As one security analysis noted, attackers often use flash loans to distort liquidity pools or exchange rates, then profit from under-collateralized loans or arbitrage opportunities created by the distortion. The entire attack completes (and the loan is repaid) in one block, so from the protocol’s perspective, the theft happens instantaneously.

A case in point is the Radiant Capital exploit on Arbitrum in January 2024. Radiant is a cross-chain money market, and a hacker found a weakness in how a newly launched USDC lending pool updated its interest rate index. The attacker took a large flash loan and manipulated this “liquidity index” on Radiant’s fresh USDC market, allowing them to rapidly siphon funds. By the time the transaction was over, $4.5 million in ETH had been drained from Radiant, leaving the protocol with bad debt and forcing a pause of its lending operations. In another 2024 incident, an attacker used flash loans on Uniswap and Balancer to inflate the price of a stablecoin derivative (gDAI) and bypass a price change threshold, illustrating how flash loans can circumvent protective checks if not carefully designed. Flash loans have even been used to momentarily seize majority voting power in governance attacks – a flash loan in 2022 enabled the infamous Beanstalk governance hack that stole $182 million by passing a malicious proposal in one swoop.

Because flash loans can introduce extreme conditions, DeFi developers must assume attackers have access to unlimited instant liquidity. Mitigations include designing systems that don’t rely on a single-block price or state (for example, requiring multi-block observation for price feeds or cooldown periods for certain actions). Some protocols add rate limits or spread constraints so that, say, an interest rate or token supply cannot change too drastically in one block. It’s also wise to reduce dependencies that an attacker could exploit in a chain – for instance, if your protocol accepts another protocol’s LP token as collateral, be aware that token’s value could be flash-manipulated unless you use a safeguarded oracle. Ultimately, flash loans are here to stay (they also have legitimate uses), so the onus is on developers to eliminate “fee-free arbitrage” situations and ensure one-transaction exploits are as difficult as possible.

Other Emerging Threats and Attack Vectors

Beyond oracles and flash loans, a variety of novel threats have materialized in the DeFi ecosystem. Attackers in 2024 got creative, targeting not just code bugs but also the very governance and management of protocols:

  • Admin Key & Multi-Sig Compromises: Some of the largest DeFi heists weren’t traditional hacks at all, but inside jobs or key thefts. In early 2024, the Orbit Bridge project (a cross-chain bridge on Ethereum) lost $80 million when hackers gained control of its multi-signature admin wallet. Later in the year, Radiant Capital fell victim again – not to a smart contract bug, but to a sophisticated multi-sig attack. Radiant’s upgradeable contracts were secured by a 3-of-11 multi-sig. Attackers used malware to deceive three trusted signers into approving what looked like legitimate transactions, while in reality they were signing a malicious contract upgrade. Once the attackers gained control, they upgraded Radiant’s pool contracts to siphon user funds (using existing token approvals) and ultimately stole about $53 million. This kind of off-chain attack exploits human and procedural weaknesses – too low a threshold for multi-sig, signer devices not being properly verified, etc. It highlights that protocol security is not just about code: teams must also protect private keys, use high signer thresholds, and implement safety practices (like out-of-band transaction verification) to thwart social engineering.

  • Governance Exploits: Decentralized protocols often let token holders vote on changes. Unfortunately, if a malicious actor accumulates enough voting power, they can propose and pass changes that redirect funds. The Beanstalk attack (2022) was a dramatic example – using a flash loan to get instant majority and approve a withdrawal of all funds. In 2024, governance attacks were fewer but still notable (about $30M in losses). For instance, an attacker in one case used borrowed tokens and delegated votes to narrowly push through a governance proposal in their favor. Mitigations include timelocks on governance actions (so users can withdraw if a bad proposal passes) and quorum thresholds that make governance takeovers more difficult. Some protocols even exclude borrowed tokens from voting to prevent flash loan abuse.

  • Reentrancy & Smart Contract Bugs: Classic smart contract vulnerabilities like reentrancy (where a malicious contract repeatedly calls back into a victim contract before state updates finalize) continue to plague DeFi, sometimes in new forms. A high-profile example was the PenPie Finance hack in September 2024. PenPie, a yield aggregator on Arbitrum, had a staking contract that let users harvest rewards from Pendle Finance markets. The contract mistakenly assumed only legitimate Pendle markets would be used – but the attacker deployed a fake market contract with a malicious yield token. By exploiting a missing reentrancy guard in PenPie’s harvestBatchMarketRewards function, the attacker repeatedly claimed rewards reentrantly through the fake market, inflating their reward balance before the contract could update balances. In this way, they drained about $27 million from PenPie. This occurred even though PenPie had been audited, showing that well-understood bugs can slip through if audits/tests aren’t thorough enough. Similarly, other logic flaws and lack of input validation caused trouble in 2024 – e.g., the DeltaPrime exploit (Nov 2024) where an under-collateralized lending protocol on Avalanche/Arbitrum let an attacker pass unchecked parameters to a debt swap function and a reward claim, enabling unauthorized borrowing and reward theft totaling ~$4.8M. We also saw errors like uninitialized variables, unchecked access controls, and math precision bugs contribute to incidents.

  • Malicious Insiders and Rug Pulls: Not all threats come from external hackers. Rogue developers or insiders can intentionally exploit or shut down their own protocols. In a “rug pull”, devs withdraw liquidity or assets, leaving users with worthless tokens. 2024 had several cases of insider malfeasance – for instance, one project saw a developer stealthily insert an upgradeable backdoor to mint tokens and abscond with $62M in ETH. In total, “malicious insider” incidents (including rug pulls) accounted for an estimated $95M of DeFi losses in 2024. The best defense here is community vigilance: prefer projects with reputable teams, multi-sig controls on admin powers, and transparent governance that makes it hard for one actor to suddenly run off with funds.

Safeguarding DeFi – Best Practices for Developers and Users

While the list of threats is long, there are concrete steps that DeFi developers and everyday users can take to reduce risk. Learning from past exploits is key. Below we outline practical tips to improve security on both sides:

For DeFi Developers (Secure Protocol Design)

  • Use Robust, Manipulation-Resistant Oracles: Price oracles should pull data from multiple sources or use time-weighted averaging to prevent single-source manipulation. Avoid relying on thin DEX pairs. Implement sanity checks for extreme price changes – for example, cap how much an asset’s price can move within one block or use oracle services like Chainlink that aggregate many exchanges. For interest-bearing or derivative tokens, consider capped oracles (as Aave’s CAPO does) to limit unrealistically high valuations.

  • Thorough Auditing and Testing: Prioritize extensive security reviews before deployment. Use multiple independent audits and incorporate formal verification or peer reviews for critical logic. Employ tools like fuzzers and static analyzers to catch edge-case bugs. Known vulnerabilities (reentrancy, integer overflow, etc.) should be explicitly tested and guarded. It’s telling that a reentrancy flaw cost PenPie $27M – a bug that “should no longer be a threat on Ethereum” if proper patterns (like checks-effects-interactions or ReentrancyGuard) are used. Don’t assume well-trod code is bug-free; keep testing as you iterate.

  • Implement Flash Loan Defenses: If your protocol’s logic can be abused in a single transaction (e.g. price calculations or state updates that assume normal user behavior), add friction. Use time delays or multi-block observation for actions like large asset swaps, oracle updates, or governance votes. Introduce rate limits on how fast collateral values or debt ratios can change. For example, requiring an action to take place over two blocks breaks the atomicity that flash loan attackers rely on. Where feasible, check not just if an action is mathematically allowable, but whether it makes sense (e.g. if a user deposits 0.001 ETH and somehow borrows 10,000 ETH, halt that transaction).

  • Strong Access Controls & Key Management: Secure the administrative keys that control upgrades, parameter changes, or treasury movements. Use a multi-signature wallet with a high threshold (e.g. 4-of-5 or higher) so no single key compromise is fatal. Keep signer devices and seed phrases strictly secured (hardware wallets, no single individual controlling many keys). Monitor signer activity for any anomalies. All sensitive functions in contracts (minting, withdrawals, upgrades) should have proper access modifiers – no public or owner-only functions left unintentionally callable. Limit who (and which contracts) can call emergency or governance functions to prevent hijacking. Time-lock admin actions so the community can audit and alert if something suspicious is queued.

  • Real-Time Monitoring and Response: Deploy monitoring agents or scripts (consider using tools like Forta or Blocknative) to watch your contracts on-chain. Set up alerts for unusual events: e.g. if someone suddenly borrows 100× the normal amount, or a token price in your protocol deviates drastically from elsewhere. Early detection can enable you to pause the protocol or disable features before an exploit escalates. Have an emergency plan (pause switches, kill-switch for features like faulty oracles) and practice your incident response. In 2024’s climate, projects that reacted fast (freezing markets, etc.) often mitigated damage.

  • Bug Bounties and Community Audits: Embrace the white-hat community. Establish a bug bounty program (via platforms like Immunefi or HackenProof) to incentivize security researchers to report vulnerabilities to you before attackers find them. Many exploits, in hindsight, could have been reported by a skilled outsider for a reward far smaller than the eventual loss. Also consider public testnets or beta periods with restricted funds (a “guarded launch”) to let the community battle-test your contracts in a lower-stakes environment. Being proactive about security can save your project and users from catastrophe.

For Everyday DeFi Users (Protecting Your Funds)

  • Use Secure Wallets and Hygiene: Keep your private keys out of reach of attackers. The best practice is to use a hardware wallet or secure signing device for DeFi interactions, as this keeps your keys offline. Never give out your seed phrase – no legit project will ever ask for it. Be wary of phishing: fake websites or Discord/Telegram scammers may impersonate wallets or DeFi dApps. Always double-check URLs and consider browser wallet extensions that flag known scam sites. Enabling additional protections like password locks and 2FA (for services that support it) adds layers a hacker must get through.

  • Research Before You Trust: Due diligence is your friend in the wild west of DeFi. Before depositing funds, research the project’s background. Is the team known and reputable? Have the contracts been audited by well-known security firms, and can you read the audit report? A quick community scan (Twitter, forums, Discord) can reveal red flags or past issues. If the protocol code is open source, that’s a good sign (it allows the community to inspect it). Conversely, if you can’t determine who’s behind a project and there’s no audit, think twice about risking your money. Also verify you’re using the correct official contracts – scammers sometimes create copycat tokens or front-end websites to dupe users.

  • Diversify and Limit Your Exposure: The old adage “don’t put all your eggs in one basket” applies doubly to DeFi. Even “safe” platforms can suffer unexpected exploits, so never invest more than you can afford to lose. Spread your assets across different protocols and types of products to mitigate any single point of failure. For example, you might keep some funds in a reputable lending protocol, some in a DEX LP, and some simply in cold storage – that way one hack won’t wipe you out. It’s also wise to prefer protocols with insurance funds or opt-in coverage (some platforms offer insurer pools or you can buy cover from services like Nexus Mutual) for extra peace of mind.

  • Stay Alert to Risks (DYOR Continuously): DeFi is dynamic, and new threats or hacks emerge all the time. Make it a habit to stay informed: follow reputable crypto security news outlets or Twitter accounts that report hacks and vulnerabilities. If you hear that a protocol you use has a security issue, act quickly – for instance, if a platform is pausing withdrawals due to a hack, you might want to pull your funds out once it re-opens, until things are resolved. Likewise, be cautious of too-good-to-be-true yields. If some new farm is offering 10,000% APY, it likely comes with enormous risk (often scams target users chasing high yields). Maintaining a healthy skepticism will serve you well.

  • Manage Your Approvals and Permissions: When you use a DeFi dApp, it often asks for permission to spend your tokens (an ERC-20 approval). Review and revoke token allowances periodically using tools like Revoke.cash or Etherscan’s Token Approval Checker. This prevents a situation where a contract you interacted with long ago (or an attacker who takes it over) still has unlimited access to spend your tokens. It only costs a small transaction fee to revoke permissions and can save you from a nasty surprise. As a rule, limit approvals to only the amount needed or use wallets dedicated to certain dApps. For example, you might have a separate wallet for experimental DeFi plays, so that your main funds are never at risk if that new protocol turns out to be malicious.

By following these precautions, users can greatly reduce the likelihood of falling victim to hacks or scams. In DeFi, self-custody = self-responsibility – there’s no bank to call if something goes wrong, so your security practices are the last line of defense.

Conclusion

The period 2024–2025 has shown that as DeFi grows, so do the inventiveness and scope of attacks. From oracle manipulation that can bankrupt a lending pool in minutes, to flash loan-enabled heists and under-the-radar insider abuses, the DeFi ecosystem faces a constant battle to stay one step ahead of adversaries. Yet, the response is also getting stronger: developers are increasingly implementing safeguard mechanisms and comprehensive audits, while users are becoming more educated about risks. The high-profile incidents discussed above provide invaluable lessons. By applying rigorous security-by-design principles, ongoing monitoring, and fostering a vigilant community, DeFi protocols on Ethereum and Layer 2s can significantly harden their defenses. Likewise, everyday investors who practice good wallet security and due diligence can avoid many traps and reduce their exposure.

DeFi will likely never be completely free of risk – complexity and innovation always entail some danger. However, a combination of smart contract security best practices and user prudence can make the difference between an ecosystem plagued by exploits and one that is resilient against major threats. As we move through 2025, the projects that prioritize security (much like those that prioritized decentralization) will set themselves apart. In decentralized finance, protecting your funds is as important as growing them. By staying informed and cautious, we can all help build a safer DeFi ecosystem even as new threats continue to emerge.

Stay safe out there in DeFi!

Back to Blog