
The two biggest DeFi exploits of the past two months have one thing in common. They used a tool that does not exist on the XRP Ledger.
Thorchain lost roughly $10.8 million on May 15 to a cross-chain attack that drained funds across Bitcoin, Ethereum, BSC, and Base. Drift Protocol, a Solana-based decentralized perpetual exchange, and KelpDAO, a liquid restaking protocol on Ethereum, together accounted for more than $600 million in losses through April alone.
Cross-chain bridges have lost over $2.8 billion to attacks since 2021, per Chainalysis. And a significant share of these exploits used some variant of the same mechanic: flash loans.
A flash loan is a smart contract feature that lets a trader borrow millions of dollars with no collateral, on the condition that the loan is repaid inside the same transaction. The legitimate use cases include arbitrage between exchanges, collateral swaps without unwinding positions, and liquidation bots that maintain solvency in lending markets.
The attack pattern is the same mechanic pointed in the wrong direction.
A borrower takes out the loan, uses the funds to manipulate an oracle or drain a poorly designed pool, profits from the manipulation, and repays the loan, all before the transaction settles. If any step fails, the whole sequence rolls back, so the attacker risks nothing but gas fees.
The XRP Ledger does not allow this sequence. A draft amendment filed on the XRPL standards repository earlier this week, proposing concentrated liquidity and StableSwap-style pools for the chain’s native automated market maker, included a single line in its Security Considerations section: “Flash loan attacks are structurally impossible. XRPL transactions are atomic without composable intra-transaction calls.”
In other words, an XRPL transaction either fully succeeds or fully fails, just as an Ethereum transaction does. But unlike an Ethereum transaction, it cannot call into another contract during its execution. The borrow-manipulate-repay sequence that defines a flash loan attack needs at least three nested operations inside a single transaction envelope, and XRPL provides no way to nest them.
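The all-or-nothing rollback and the "no composable intra-transaction calls" property described above can be seen side by side in a toy model. This is an added example, not code from the draft amendment, Ethereum or XRPL; every class and function name is hypothetical, and `FlatLedger` assumes one fixed operation per transaction.

```python
# Toy model, added for illustration. Not Ethereum or XRPL code; all names are hypothetical.
class Revert(Exception):
    """Abort the transaction; the ledger discards all of its state changes."""

class Ledger:
    def __init__(self, pool):
        self.state = {"pool": pool, "borrower": 0}

    def move(self, src, dst, amount):
        if amount > self.state[src]:
            raise Revert("insufficient balance")
        self.state[src] -= amount
        self.state[dst] += amount

    def atomic(self, fn):
        """Run fn as one transaction: it fully succeeds or fully fails."""
        snapshot = dict(self.state)
        try:
            fn(self)
            return True
        except Revert:
            self.state = snapshot  # every step rolls back together
            return False

class ComposableLedger(Ledger):
    """A transaction may call other code mid-execution (Ethereum-style)."""
    def flash_loan(self, amount, callback):
        before = self.state["pool"]
        self.move("pool", "borrower", amount)
        callback(self)  # borrower-supplied code runs inside the same transaction
        if self.state["pool"] < before:
            raise Revert("loan not repaid")

class FlatLedger(Ledger):
    """One fixed operation per transaction, no callback slot (XRPL as the article describes it)."""
    def submit(self, op, amount):
        before = self.state["pool"]
        def single_op(ledger):
            src, dst = ("pool", "borrower") if op == "borrow" else ("borrower", "pool")
            ledger.move(src, dst, amount)
            if ledger.state["pool"] < before:  # same invariant, checked at transaction end
                raise Revert("pool short at end of transaction")
        return self.atomic(single_op)

def repay_all(ledger):
    ledger.move("borrower", "pool", ledger.state["borrower"])

def keep_funds(ledger):
    pass  # never repays, so the repayment check reverts the transaction
```

On `ComposableLedger`, the callback holds the full borrowed balance before the repayment check runs; on `FlatLedger`, an uncollateralized `submit("borrow", n)` can never pass the end-of-transaction check because repayment would have to be a separate transaction.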
That is a meaningful architectural choice, and it has a cost. Flash loans are not only an attack tool. They have become a structural component of Ethereum DeFi, with Aave, dYdX, and other major protocols offering them as a product. Arbitrage traders use flash loans to clear price differences between exchanges in a single atomic action.
Liquidation bots use them to keep over-collateralized lending positions solvent. Sophisticated DeFi users use them for collateral swaps that would otherwise require capital that gets tied up for hours. XRPL gives up all of that in exchange for closing the attack class entirely.
For most of XRPL’s history, the tradeoff did not matter because the chain’s DeFi footprint was small. That is changing. Tokenized real-world assets on the XRP Ledger have crossed $3 billion in total value, including the Ripple-JPMorgan-Mastercard-Ondo Finance pilot last month that processed a tokenized U.S. Treasury redemption in under five seconds.
The draft AMM amendment, if it passes, would close the capital-efficiency gap that has held XRPL DeFi behind Ethereum, opening the chain to a wider set of trading and yield strategies.
If the AMM amendment passes and XRPL’s DeFi liquidity grows toward something institutional capital can deploy at scale, the question becomes whether structural exploit resistance is a real competitive advantage or just a feature that institutions ignore in favor of where the liquidity already is.