The two biggest DeFi companies of the past two months have one thing in common. They used a tool that does not exist on the XRP Ledger.
Thorchain lost about $10.8 million on May 15 to a cross-chain attack that drained funds across Bitcoin, Ethereum, BSC, and Base. Drift Protocol, a Solana-based decentralized perpetual exchange, and KelpDAO, a floating restaking protocol on Ethereum, combined to account for more than $600 million in losses through April alone.
Cross-chain bridges have lost over $2.8 billion to attacks since 2021, per Chainalysis. And a significant number of these exploits used some variation of the same mechanic: flash loans.
A flash loan is a smart contract feature that lets a trader borrow millions of dollars without collateral on the condition that the loan is repaid within the same transaction. The legitimate use cases include arbitrage between exchanges, collateral swaps without settling positions, and liquidation bots that maintain solvency in the loan markets.
The attack pattern is the same mechanic pointing in the wrong direction.
A borrower takes out the loan, uses the funds to manipulate an oracle or drain a poorly designed pool, profits from the manipulation, and repays the loan, all before the transaction settles. If a step fails, the entire sequence rolls back, leaving the attacker at risk of nothing but gas charges.
XRP Ledger does not allow this to work. A draft amendment submitted to the XRPL standard repository earlier this week, proposing concentrated liquidity and StableSwap-like pools for the chain’s native automated market maker, included a single line in its Security Considerations section: “Flash loan attacks are structurally impossible. XRPL transactions are atomic with no composable intra-transaction calls.”
What this means is that XRPL transactions either fully succeed or completely fail, like an Ethereum transaction. However, unlike Ethereum, an XRPL transaction cannot call another contract during its execution. The loan-manipulate-repay sequence that defines a flash loan attack requires at least three nested operations within a single transaction envelope.
It’s a meaningful architectural choice, and it comes at a cost. Flash loans are not just an attack tool. They have become a structural component of Ethereum DeFi, with Aave, dYdX and other major protocols offering them as a product. Arbitrage traders use flash loans to eliminate price differences between exchanges in a single atomic action.
Liquidation bots use them to keep oversecured loan positions solvent. Sophisticated DeFi users use them for security swaps that would otherwise require capital tied up for hours. XRPL gives all that up in exchange for shutting down the attack class entirely.
For most of XRPL’s history, the trade-off didn’t matter because the chain’s DeFi footprint was small. That is about to change. Real-world tokenized assets on the XRP Ledger have crossed $3 billion in total value, including the Ripple-JPMorgan-Mastercard-Ondo Finance pilot last month that processed a tokenized US Treasury redemption in under five seconds.
The draft AMM amendment, if passed, will close the capital efficiency gap that has kept XRPL DeFi behind Ethereum, opening the chain to a wider set of trading and return strategies.
If the AMM change is passed and XRPL’s DeFi liquidity grows toward something institutional capital can implement at scale, the question becomes whether structural leverage resistance is a real competitive advantage or just a feature that institutions are ignoring in favor of where the liquidity already is.
