A potential exploit in the decentralized financedecentralized finance (DeFi) ecosystem has been exposed and it won’t be fixed until noon on Friday. The reveal comes just days after two exploits used DeFi tools to take home $1 million.
Dominik Harz, a PhD candidate at Imperial College London, has posted a Medium post detailing the potential weakness. It’s focused on the concept of flash loans and the stablecoin Dai. While he has notified Maker—which runs Dai—the issue won’t go up for a vote until tomorrow. And in the meantime, $700 million is at risk.
A trader has again exploited a number of decentralized finance (DeFi) tools, to take home a large amount of Ethereum (ETH). After netting $350,000 on Valentine’s Day, he or she has now taken a further $645,000—a total just shy of a million dollars.
The theft happened in the same way. A clever set of instructions—all executed in one big transaction—enabled the trader to leverage current weaknesses in the DeFi ecosystem for their own gain. By using several decentralized financial tools, and a smal...
“That attacker would be able to steal $700m worth of ETH collateral and be able to print new Dai at will,” Harz wrote. “This attack would spread throughout the whole DeFi space as Dai is used as backing collateral in other protocols.”
What is a flash loan?
A flash loan is a new—and risky—concept in DeFi. It’s essentially the act of lending out money, without asking for anything held as collateral in case the loan is defaulted upon. The only reason that they exist is that the loan gets paid back, in the same transaction. This is possible because on Ethereum—the blockchain platform in question—transactions can be made up of multiple components.
Can an attacker use flash loans to attack @MakerDAO? Find out!
We quantify the required MKR and show that an attacker can increase his chances by: - combining loans from @dydxprotocol and @AaveAave to increase liquidity - oracle tampering on DEXshttps://t.co/CxzpUnUPCy
So, in the case of the first DeFi exploit the other day, the trader made one big transaction that triggered a bunch of actions across various DeFi protocols. Within the transaction, they made a flash loan, used the money for nefarious goals, profited $350 million, and returned the loan. The lender is safe because they know that—due to the power of the blockchain—if the money doesn’t come back, the transaction is (kind of) reversed so it never happened in the first place. Either way, they keep their money.
The $700 million attack vector
Now, here’s how Harz argues that flash loans could be used to exploit Maker.
MakerDAO is a decentralized governance system that runs the Dai stablecoin. Holders of the governance token MKR vote on how Dai should be programmed. But it’s possible to exploit the governance system.
“The basic idea is to accumulate enough MKR tokens to replace the existing governance contract with the attacker’s, malicious, governance contract,” Harz said. “The malicious governance contract is then able to give the attacker full control over the system and withdraw any collateral in the system as well as create arbitrary amounts of new Dai.”
However, when this attack vector was suggested before, the idea was to crowdfund the MKR tokens needed to carry it out. And that’s where flash loans come in. They make it much easier for an attacker to build up a large supply of MKR tokens—and use them to take over the system.
Not only can they use a flash loan to buy a large amount of MKR, but they can also use flash loans to manipulate the price of MKR—in the same way as the recent DeFi attacks. With a cheaper MKR price, it becomes much easier to snap up more coins.
Harz said that this strategy could be used in combination with a crowdsourcing strategy for maximum effect at a low cost. Maker is set to vote on a solution to stop flash loans from affecting the governance mechanism tomorrow—but the clock is ticking.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Telegram’s native crypto wallet is beginning its roll out for U.S. residents, allowing them to buy, sell, and send cryptocurrencies directly within the messaging app.
Built by The Open Network (TON) ecosystem developer The Open Platform—which was recently valued at $1 billion following its latest funding round—the TON Wallet is a self-custody wallet that first launched for international users back in September 2023.
"The timing of our U.S. launch was guided by product scaling readiness and mark...
Amazon’s Ring cameras went viral, and for all the wrong reasons, as users flooded TikTok, Reddit, and X with reports of suspicious logins to their accounts.
Screenshots posted online showed unknown devices accessing user accounts, fueling concerns about a potential breach in Amazon’s home security network. All of the mysterious breaches occurred on May 28, 2025.
Ring denied that a hack had taken place, and in a status update, blamed the issue on a backend update.
“We are aware of an issue where...
Coinbase unveiled its new mobile app, Base—a rebrand and expansion of the company’s Coinbase Wallet during a standing-room-only event in Los Angeles on Wednesday.
The crypto faithful packed the venue to witness the reveal of the app, which had gone live earlier that day.
Billed as an “everything app” for the on-chain economy, Base aims to go beyond simple transactions, giving users the tools to create, earn, message, game, and interact with AI, all within a single platform.
“We’re going from a s...