Flash loan attacks are when malicious actors exploit a smart contract.
Flash loan attacks are decentralized finance (DeFi) exploits where a smart contract designated to support the provision of flash loans is attacked in order to siphon assets stored in any particular pool. In such attacks, the malicious actor opens a loan, uses that borrowed capital to purchase other assets with arbitrage and quickly pays their loan back, taking the assets left with them throughout the whole process as their profit.
It is important to understand that this exposure can only happen within DeFi protocols since they are permissionless and entirely run by smart contracts. While disintermediation provides a lot of benefits like cost savings and censorship resistance, having no third party overseeing the provision of uncollateralized loans provided through flash loan contracts make DeFi platforms susceptible to such attacks.
This type of malicious activity is actually complex and difficult to pull off, yet somehow there are many cases where cybercriminals have succeeded in this endeavor.
Most flash loan attacks involve using borrowed capital to arbitrage assets from other DeFi protocols. For instance, in the bZx protocol attack, the hacker took out a loan from a contract and immediately converted it into stablecoins. But since smart contracts only function based on the data fed to them, they can be vulnerable to some exploits. The attacker took advantage of that by manipulating the price of the stablecoin, sUSD, by placing a large buy order on it, which helped drive the price of the stablecoin to twice the value it was supposed to be. From there, he took out a bigger loan using the sUSD he swapped as collateral. Then, he repaid all these loans and took away the remaining assets with him as profit.