Skip to main content

This site is for educational purposes only. Nothing here constitutes financial advice.

Lesson 4 of 8
~22 minDeFi Safety Course

Lesson 4 — The exploit catalogue: reentrancy, flash-loan price manipulation, governance attacks

Most DeFi losses cluster into a small set of repeating exploit classes. Today: the four most-common with named case studies.

Intermediate
Evergreen
22 min readUpdated 2026-05-17Block Clarity Hub Editorial Team

If you read every DeFi post-mortem of the past five years, you'll find the same handful of exploit classes appearing repeatedly. New protocols, new chains, new branding — same underlying patterns. Recognizing these patterns is the most leveraged thing this course can teach: once you can see the family, you can ask whether the protocol in front of you is exposed to it before the exploit happens.

**Class 1: Reentrancy.** The canonical bug class, first famously exploited in the 2016 DAO hack ($60M at the time). The pattern: contract A calls contract B (often as part of a withdrawal). Contract B can re-enter contract A before A has updated its internal state. The attacker structures B so that re-entry repeatedly invokes A's withdrawal logic, each time against the original (un-updated) balance. The defensive pattern is checks-effects-interactions: validate the call, update state, then perform any external interaction. OpenZeppelin's ReentrancyGuard modifier wraps functions with a mutex preventing nested calls. Despite being well-understood since 2016, reentrancy variants continue to cause losses: read-only reentrancy (where the attacker exploits a view function that returns stale state during a callback) hit Curve's Vyper-compiled pools in July 2023 ($73M across multiple pools), and cross-function reentrancy hit Cream Finance in October 2021 ($130M). The class isn't dead; it just keeps finding new surface.

**Class 2: Flash-loan price manipulation.** A flash loan lets anyone borrow unlimited capital within a single transaction, as long as the loan is repaid before the transaction ends. Attackers use flash loans to temporarily move on-chain prices by trading enormous size, then exploit any protocol that prices off the manipulated market. The bZx attacks (February 2020, two separate exploits totalling ~$1M) were the first prominent examples. Mango Markets (October 2022, $117M) followed: the attacker flash-loaned funds, used them to pump MNGO's spot price on Mango itself, then borrowed against the inflated collateral and walked away. The Beanstalk attack (April 2022, $182M) was a governance variant: flash-loan enough BEAN governance tokens to push an emergency proposal in a single transaction. The defensive pattern is using oracles resistant to short-term manipulation (TWAPs, Chainlink) and never pricing critical operations off a single AMM's spot price.

**Class 3: Oracle manipulation.** Sometimes a subset of flash-loan attacks, sometimes standalone. Any protocol that uses an oracle for valuations (lending markets, derivatives, options) is vulnerable if the oracle can be manipulated. The Inverse Finance attack (April 2022, $15.6M) used a thinly-traded INV/ETH Sushiswap pool as the oracle; the attacker bought INV with a small position, pushed the price up 250 percent, borrowed against the inflated INV collateral on Anchor, and walked away. The Cream Finance ICHI exploit (October 2021, $30M+) was similar: ICHI's oracle priced off an AMM the attacker could manipulate. Lesson 5 covers oracle design in detail. The takeaway here: every protocol that uses 'this token's price' for any consequential operation is exposed to oracle risk; the variance is just how robust the oracle is.

**Class 4: Governance attacks.** Less common than reentrancy or flash-loan attacks but typically catastrophic when they succeed. The pattern: an attacker accumulates enough governance-token voting power (sometimes via flash loan, sometimes through stealth purchases over time) to pass a malicious proposal. The Beanstalk attack is the canonical example — a flash loan provided the votes in a single transaction. Other examples: the Compound governance proposal #62 misfire in October 2021 (not malicious, but distributed $90M+ of COMP to users in error due to a bug); the Tornado Cash governance takeover in May 2023 (an attacker passed a malicious proposal that drained governance tokens). Defenses: minimum voting periods that exceed flash-loan duration, voting-power timelocks (tokens must be held for some duration before they confer voting rights), emergency-veto multisigs, and quadratic voting (which makes accumulating voting power much more expensive).

**A fifth class worth knowing: bridge exploits.** We give them a separate lesson (Lesson 6) because they have their own structural character — the bridge is a single fat target holding pooled assets, and the exploit vectors range from signature-verification bugs (Wormhole) to validator-set compromises (Ronin) to admin-key theft (Multichain). Together with the four above, these five classes account for the substantial majority of all DeFi losses by dollar value over the 2020–2025 period.

**Pattern recognition vs perfect prediction.** Knowing the classes doesn't let you predict which specific protocol will be exploited next. It does let you ask, for any protocol you're evaluating, the specific questions for each class: Is reentrancy guarded? What oracle does this use, and can it be manipulated by flash loan? Can governance be captured in a single transaction? These questions cost almost nothing to ask and have prevented many users from being caught in exploits they could have foreseen.

Example

Walk through the Beanstalk attack in detail. April 17, 2022. The attacker: (1) Borrowed ~$1B in flash loans from Aave and other protocols. (2) Used the borrowed funds to acquire 67 percent of the Beanstalk governance token supply within a single transaction. (3) Submitted and voted in favour of an 'emergency commit' governance proposal that transferred the protocol's $182M treasury (mostly stablecoins) to an address the attacker controlled. (4) Repaid the flash loans, profit-took the treasury. (5) Walked away with ~$76M net (after some funds went to flash-loan fees and arbitrage friction). Total elapsed time: one Ethereum block (~13 seconds). The structural lesson: any governance system whose voting weight is the current snapshot of token holdings, with no minimum holding period, is vulnerable to this attack. The fix Beanstalk and other protocols subsequently adopted: voting rights conferred only on tokens held for a minimum duration (typically days), making flash-loan governance impossible.

Common mistakes

  • Treating reentrancy as solved. Read-only reentrancy and cross-function reentrancy continue to find new code surface.
  • Underestimating flash loans. They are infrastructure, not an exotic attack vector — every major lending protocol offers them, and most major exploits use them.
  • Believing that 'governance' is inherently safer than 'admin keys.' A governance system without holding-period gates is sometimes easier to attack than a multisig.
  • Conflating 'audit clean' with 'exploit-proof.' Audits rarely catch economic exploits. The exploit classes here are economic, not code-correctness, in nature.
  • Treating each new exploit as fundamentally new. The branding evolves; the underlying pattern usually doesn't.

Check your understanding

A new DeFi lending protocol uses the current spot price from a Uniswap V2 pool with $50,000 of liquidity to value its collateral assets for liquidation purposes. Which exploit class is this protocol most directly exposed to?

Key terms covered

Sources & further reading

We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.

Go deeper