Liquidity Exhaustion Attacks
- Liquidity Exhaustion Attacks are adversarial strategies that temporarily deplete or immobilize a system’s liquid assets, causing operational disruptions and economic imbalances.
- They exploit timing mismatches and structural vulnerabilities—such as flash loans, slow fragmentation, and valuation distortion—to undermine governance, liquidity pools, and market dynamics.
- Effective mitigations include design changes like time-weighted snapshots, trade-size limits, and LP token locking to prevent short-lived concentration of liquid resources.
Liquidity exhaustion attacks are adversarial strategies that deplete, immobilize, or transiently monopolize the effective liquidity required for a system to function, leaving the target undercapitalized, illiquid, or unable to honor normal operations. In decentralized finance, this includes flash-loan governance takeovers, gradual liquidity drains, oracle-driven over-borrowing, and forced-liquidation cascades; in payment-channel and bridge systems, it includes draining or locking routing and solver liquidity through timing and settlement asymmetries; in market microstructure and shared systems, it appears as depletion of order-book depth or exhaustion of shared processing state and pipeline capacity. Across these settings, the common structure is a mismatch between the time scale on which liquidity can be withdrawn, borrowed, or concentrated and the slower assumptions embedded in governance, settlement, liquidation, or scheduling logic (Wang et al., 1 May 2025).
1. Conceptual scope and common structure
The term denotes a family of attacks in which an adversary obtains control over scarce liquidity, reserve capacity, or redeemable state long enough to force a transfer of value or deny service. In a DAO governance context, the pattern is “temporarily concentrating liquidity or voting power into a single actor or pool,” “exhausting (draining) a treasury or reserve during that window,” and “returning the borrowed liquidity afterwards, leaving the rest of the system undercapitalized” (Wang et al., 1 May 2025). In dynamic AMMs, the closely related objective is to drive the pool “to a highly imbalanced state or near-depletion of one asset, so that further trades suffer extreme slippage or become practically impossible,” with inter-block weight changes acting as an amplifier for reserve manipulation (Willetts et al., 2024). In order-driven markets, the relevant notion is a “liquidity crisis” in which visible depth or dynamic replenishment fails, producing large price moves because “the market does not feed enough LOs to absorb the surge in MOs” or because one side of the book is “statically depleted and gappy” (Corradi et al., 2015).
A broader interpretation emerges when the same logic is applied to systems whose “liquidity” is not a spot-market reserve but rather redeemable channel balance, solver capital, cache state, or execution capacity. Lightning time-dilation attacks steal “the entire channel capacity or the maximum in-flight HTLC liquidity” by making honest parties miss timelock windows (Riard et al., 2020). Intent-based bridges can be disrupted by “sequences of adversarial intents designed to temporarily drain solver liquidity so that solvers cannot bid on or fulfill subsequent intents,” converting capital lockup into an economic denial of service (Augusto et al., 19 Feb 2026). RDMA resource-exhaustion attacks similarly “drain or congest scarce, shared RDMA NIC state and pipeline capacity so that co-located containers are starved,” which is a plausible cross-domain analogue of liquidity exhaustion at the microarchitectural level (Kim et al., 14 Oct 2025). This suggests that the concept is best understood as a family of temporal and structural attacks on redeemability, market depth, or allocable capacity rather than a phenomenon confined to any single protocol stack.
2. Core mechanisms and attack taxonomy
A recurring mechanism is temporary concentration. Flash loans are “uncollateralized” and “atomic,” allowing an attacker to borrow arbitrary assets, use them “as if they were their own,” and return them before the block ends. In governance, if voting power satisfies and an attacker can borrow , then “for at least one block, the attacker controls the majority of ” (Wang et al., 1 May 2025). In dynamic AMMs, a pre-update reserve manipulation can be amplified by a deterministic inter-block weight change, producing a “supercharged” arbitrage opportunity and pushing the pool toward “high slippage / near-depletion” regions (Willetts et al., 2024).
A second mechanism is slow fragmentation. Slow liquidity drain (SLID) scams do not remove liquidity in one rug-pull event; instead, the owner “retains full control over liquidity and token supply and drains value via many small profit-taking actions over an extended period,” while keeping the pool apparently active (Tran et al., 6 Mar 2025). Fragmented rug pulls generalize this further by splitting extraction across both time and actor dimensions: attackers “chop thin slices” so that each sell stays below impact thresholds and “pass the ladle” so that inflated selling is distributed across multiple wallets, often non-owner addresses (Tran et al., 19 Nov 2025). In both cases, the economic effect is the same as a classic liquidity drain, but detectability is reduced because no single transaction looks catastrophic.
A third mechanism is valuation distortion. In the Cream Finance example, a flash loan of “\$500M DAI” was used through Yearn vaults and Curve pools to manipulate the price oracle, temporarily inflating collateral and enabling the withdrawal of “~\$130M” from the lending protocol before the flash loan was repaid (Wang et al., 1 May 2025). A related but structurally different mechanism appears in toxic liquidation spirals: once a user’s exceeds , any liquidation satisfies , so forced deleveraging itself worsens solvency and consumes market liquidity in a self-reinforcing way (Warmuz et al., 2022).
A fourth mechanism is liquidity lock-up rather than outright drain. Lightning “zombie attacks” force honest users to close channels on-chain under congestion, freezing funds for “up to ~8000 blocks” in the high-congestion scenario, while time-dilation attacks allow adversaries to steal or lock “all available liquidity” by making victims react too late to on-chain events (Sguanci et al., 2022). In intent-based bridges, liquidity exhaustion similarly relies on refund latency: solvers front capital immediately and recover it only after settlement, so flooding them with adversarial intents can suppress availability without any contract exploit (Augusto et al., 19 Feb 2026). A plausible implication is that the distinction between theft and denial of service is secondary: both are often realized through the same temporary capture of scarce liquid capacity.
3. DeFi, DAO, and AMM manifestations
In DAO governance, the canonical example is Beanstalk. The protocol used off-chain snapshot-based voting together with an on-chain emergencyCommit path that required a “66% LP token threshold” after a “24-hour wait period.” The attacker submitted a malicious proposal pointing to a CREATE2 address, then used a flash loan of “~\$1B” equivalent in LP tokens and “temporarily amassed 80 percent of Beanstalk’s voting power,” allowing the proposal to transfer “\$182M” from the protocol and repay the loan in the same transaction (Wang et al., 1 May 2025). UPCX illustrates a different but related pattern: “68% of protocol-owned liquidity” was concentrated in three admin wallets, one compromised wallet had all upgrade permissions, and withdrawByAdmin was modified to bypass the “seven-day withdrawal delay,” enabling a withdrawal of “18.4M UPC tokens (2.36% of supply)” in one transaction (Wang et al., 1 May 2025). These cases differ in primitive, but both hinge on temporal asymmetry between protection logic and actual control over liquid resources.
At the AMM and pool level, slow drains and fragmented exits dominate. The SLID study examined “319,166 liquidity pools across six major decentralized exchanges,” identified “3,117 SLID affected liquidity pools,” and measured “cumulative losses of more than US\$103 million,” with “167,632 victims” across all SLID pools (Tran et al., 6 Mar 2025). The owner’s no-loss guarantee in constant-product pools is central: if the owner monopolizes the paired-token supply at genesis and does not burn LP tokens, the base-token position “cannot fall below the initial deposit.” This makes repeated probing and profit-taking economically attractive. Fragmented rug pulls reveal how this model has evolved operationally. In a dataset of “303,614 LPs,” the FRP study labeled “105,434” pools as fragmented rug pulls, involving “34,192,767 pool-related transactions” and “401,838 inflated-seller wallets,” while owner-wallet participation in inflated selling had fallen to “33.1% of cases” (Tran et al., 19 Nov 2025). This shifts the attack surface from visible owner exits to coordinated, low-visibility campaigns.
Dynamic AMMs introduce a different liquidity-exhaustion vector through deterministic parameter changes. In temporal-function market makers and related dynamic-weight pools, a known inter-block weight change behaves like an implicit trade. An attacker who controls the last transaction in block and the first in block can manipulate reserves before the weight update and then arbitrage the post-update mispricing. The paper derives guardrails based on trade-size limits, minimum weights, and bounds on per-block weight change, and tests them over “~450 million potential attack scenarios” (Willetts et al., 2024). This demonstrates that liquidity exhaustion need not involve a single exploit or governance path; deterministic reweighting alone can create extractable reserve-depletion trajectories unless weight motion and trade size are explicitly constrained.
4. Payment channels, bridges, and cross-layer capital exhaustion
Lightning Network attacks show how liquidity exhaustion can occur through timing rather than reserve theft. Time-dilation attacks rely on eclipsing a node’s Bitcoin backend and delaying block delivery so that the victim’s local height lags the real chain by the relevant timelock window. In the most practical variant, “A3 – Packet finalization,” a node can be robbed after being eclipsed for “as little as ~2 hours” with a Bitcoin Core backend, or “1–1.9h” with Neutrino, and the attacker can steal the HTLC amount up to the channel’s maximum in-flight value (Riard et al., 2020). Mass exit attacks demonstrate the same dependence on base-layer timing under congestion. With a coalition as small as “0,” the authors show that the coalition can affect “20,084 channels” and “1,685 BTC” worth of channels across the cut, creating either a “zombie attack” that locks funds or a mass double-spend attack that can yield “expected profit > 750 BTC” under the modeled high-congestion scenario (Sguanci et al., 2022). In both papers, the scarce resource is not a treasury but redeemable channel balance and the ability to confirm defensive transactions in time.
Intent-based bridges introduce a capital-market version of the same structure. Solvers front their own liquidity to fill intents immediately and are repaid later, so liquidity is tied up over the settlement interval. The bridge study analyzes “3.5 million cross-chain intents” moving “\$L \gg \sum_{d \neq d_{\mathrm{adv}}} t_d978 roughly every 16 minutes” (Augusto et al., 19 Feb 2026). The optimized targeted strategy reduces attack costs “by up to 90.5% compared to the baseline,” showing that liquidity exhaustion can be made materially cheaper by exploiting solver participation patterns (Augusto et al., 19 Feb 2026).
A related cross-layer phenomenon appears in liquid staking. The paper finds that pool APR is positively associated with subsequent normalized LST returns and then constructs a consensus-to-DeFi attack: a low-stake adversary manipulates leader election and fork choice to degrade a target pool’s performance, then monetizes the expected LST repricing through leveraged shorts (Yang et al., 1 May 2026). The learned strategies can reduce a target’s block allocation by more than “16%” in the calibrated case, corresponding to an “APR-equivalent degradation” of roughly “4%,” and Monte Carlo analysis shows that such attacks can be profitable with “over one-half probability for LSTs of major staking pools” (Yang et al., 1 May 2026). This suggests that liquidity exhaustion can also be induced indirectly: a performance shock can trigger repricing, liquidations, and reserve imbalance in downstream DeFi, even if the adversary never directly drains a pool at the execution layer.
5. Detection, formalization, and empirical characterization
Detection approaches depend on whether the attack is fast, slow, or structurally latent. In DeFi pools, SLID is characterized by three validators: a honeypot filter, a profit validator, and an owner-activity validator requiring that the owner has “did not burn LP tokens,” “2,” “3,” and at least “4” profit-taking orders with each order impact below “5” (Tran et al., 6 Mar 2025). Because that heuristic needs long histories, the paper trains Random Forest, XGBoost, and Logistic Regression models on 57 features. The best detector, Random Forest, reaches “≈95% accuracy” with only “6 days” of history, versus “267–268” days for the heuristic, yielding a “4.77×” speedup (Tran et al., 6 Mar 2025). FRP detection shifts the focus from single owner exits to predicate combinations involving LP control, low-impact sells, and non-owner execution, with attack behavior parameterized by the number of seller wallets, per-wallet sell count, and per-order volume (Tran et al., 19 Nov 2025).
Governance-side defenses are also increasingly formalized. The time-weighted snapshot framework models each address 7 with a token balance vector 8 and assigns voting power by
9
Aggregate approval and disapproval weights are
0
and the decision function is
1
This framework makes short-lived balances contribute little or no voting power, thereby penalizing flash-loan-based liquidity concentration while exposing an explicit security–liquidity trade-off (Wang et al., 1 May 2025).
At a more foundational level, formal verification work treats liquidity exhaustion as a liveness property. In BitML, a contract is liquid if, for every reachable descendant contract, there exists a sequence of actions under the honest participant’s control that eliminates that contract and its descendants. The verification pipeline transforms the infinite-state semantics of recursive Bitcoin contracts into a finite-state abstraction, proves that “if the abstracted contract is liquid, then also the concrete one is such,” and then checks liquidity by model-checking the finite-state abstraction (Bartoletti et al., 2020). This formal notion differs from empirical DeFi heuristics, but it captures the same endpoint: funds can be present on-chain yet permanently frozen, which is a terminal form of liquidity exhaustion.
6. Mitigations and design principles
Mitigations converge on the need to make time, reserve depth, and privileged control first-class security parameters. In DAO governance, the time-weighted snapshot framework explicitly tunes the weight vector 2: a security-oriented setting places “more weight in the older blocks and less weight in the new blocks,” raising the cost of flash-loan and oracle manipulation because “attackers have to spend more to deliver the attacks, since they have to make the effect of oracle manipulation last longer” (Wang et al., 1 May 2025). In dynamic AMMs, the proposed guardrails are trade-size caps, minimum weights, and bounded per-block weight changes; the simulations show that many parameter regions become non-attackable when these limits are enforced (Willetts et al., 2024).
For pool-level scams, the strongest common recommendation is to remove unilateral liquidity control. In SLID, “unburned/unlocked LP tokens are red flags,” and the paper recommends DEX-level monitoring that combines LP token status, owner profit trajectories, and owner-activity patterns (Tran et al., 6 Mar 2025). In FRP, the invariant that remains economically necessary is LP control: if the deployer forfeits LP control, “maximal extraction is impossible,” so defenses should emphasize verifiable LP locking or burning and expose real-time “owner concentration & control” metrics to users (Tran et al., 19 Nov 2025). These defenses do not eliminate economic manipulation, but they remove the most important structural precondition for sustained liquidity drains.
In liquidation systems, the central lesson is that forced-liquidation logic must remain stabilizing under stress. Toxic liquidation spirals emerge when
3
so that any liquidation at 4 worsens solvency. The proposed remedies are to halt liquidations once the position crosses that frontier and to replace static parameters with a dynamic liquidation incentive
5
together with a dynamic closing factor 6, thereby preventing liquidations from becoming mechanically toxic (Warmuz et al., 2022). In Lightning and bridge systems, the analogous principle is to treat challenge periods, refund times, and mempool responsiveness as security parameters rather than operational details. The Lightning studies therefore emphasize anti-eclipse measures, watchtowers, aggressive fee bumping, and topology-aware design (Riard et al., 2020), while the bridge study recommends liquidity-aware throttling, faster or conditional refunds, automated solver rebalancing, and liquidity-sensitive fee adjustment (Augusto et al., 19 Feb 2026).
A general synthesis across the literature is that liquidity exhaustion attacks become feasible whenever systems assume gradual adjustment but permit instantaneous borrowing, deterministic parameter changes, delayed settlement, or concentrated admin control. This suggests that robust design requires not only more liquidity, but also mechanisms that prevent short-lived or privileged access from being treated as equivalent to durable ownership or durable market depth.