Only two actions in a transaction involve user's assets:

1. Deposit margin

2. Withdraw equity

Only deposit action is possible for external funds to enter the system and increase the leverage.

Since one transaction only involves one price index, attackers cannot make profits through one function regardless of the margins they deposit, and their loss in trading fees and (potentially) PCF are certain.

Furthermore, flash-loan attackers cannot earn excessive PCF rewards via extra leverage.

Because if the attackers close a position immediately after receiving PCF rewards, the PCF payment is always higher than the PCF rewards they receive from last transaction (According to the formula of PCF rates $R$, the LDF when opening position is always higher than closing position). This was even before we price in the coast of trading fees.

In short, there's no room for flash-loan attack against Derify protocol.