Two of the biggest D-Fi feats of the past two months have one thing in common. They used a tool that does not exist on the XRP ledger.
Thorchain lost about $10.8 million in a cross-chain attack on May 15 that wiped out funds in Bitcoin, Ethereum, BSC, and Base. Drift Protocol, a decentralized permanent exchange based on Solana, and KelpDAO, a liquidity recovery protocol on Ethereum, combined to lose more than $600 million through April alone.
Cross-chain bridges have lost more than $2.8 billion in attacks since 2021, per Chainalysis. And a significant portion of these feats use a slightly different version of the same mechanic: flash loans.
A flash loan is a smart contract feature that allows a merchant to borrow millions of dollars without collateral, provided the loan is repaid within the same transaction. Legitimate use cases include inter-exchange arbitrage, collateral swaps without leveraged positions, and liquidation bots that maintain solvency in lending markets.
The style of attack is the same mechanic that is pointed in the wrong direction.
The borrower takes the loan, uses the funds to manipulate an oracle or poorly designed pool, makes a profit from the manipulation, and repays the loan, all before the transaction settles. If any step fails, the entire chain is reversed, so the attacker incurs nothing but gas fees.
The XRP ledger does not allow this to work. A draft amendment filed earlier this week to the XRPL standards repository, which proposed centralized liquidity and StableSwap-style pools for China’s local automated market maker, added a line to its security considerations section: “Flash loan attacks are structurally impossible. XRPL transactions are infeasible without an atom.”
This means that XRPL transactions either succeed completely or fail completely, like Ethereum transactions. But unlike Ethereum, an XRPL transaction cannot call another transaction during its execution. The borrowing manipulation payment sequence that defines a flash loan attack requires at least three nested operations within a single transaction envelope.
It’s a meaningful architectural choice, and it has a price. Flash loans aren’t just an attack tool. They have become a structural component of Ethereum DeFi with Aave, dYdX, and other major protocols offering them as products. Arbitrage traders use flash loans to clear price differences between exchanges in a single transaction.
Liquidation bots use them to keep highly collateralized lending positions solvent. Sophisticated DeFi users use them for collateral swaps that would otherwise require capital tied up for hours. XRPL abandons all of this in exchange for closing the attack class entirely.
For most of XRPL’s history, the trade-off didn’t matter because China’s DeFi footprint was small. He is changing. The total value of real-world assets tokenized on the XRP ledger has exceeded $3 billion, including the Ripple-JPMorgan-Mastercard-Ondo Finance pilot that processed tokenized US Treasury redemptions in less than five seconds.
The draft AMM amendment, if it passes, will close the capital efficiency gap that has held XRPL DeFi behind Ethereum, opening up the chain to a wider set of trading and production strategies.
If the AMM amendment passes and XRPL’s DeFi liquidity moves to something that can deploy institutional capital at scale, the question becomes whether structural exploit resistance is a real competitive advantage or just a feature that institutions ignore in favor of where liquidity already exists.