The two biggest DeFi exploits of the past two months have one thing in common. They used a tool that doesn’t exist on the $XRP Ledger.
Thorchain lost approximately $10.8 million on May 15 due to a cross-chain attack that drained funds from Bitcoin, Ethereum, BSC and Base. Drift Protocol, a Solana-based decentralized perpetual exchange, and KelpDAO, a cash withdrawal protocol on Ethereum, together accounted for more than $600 million in losses in April alone.
According to Chainalysis, cross-chain bridges have lost more than $2.8 billion to attacks since 2021. And a significant portion of these exploits used a variation of the same mechanism: flash loans.
A flash loan is a smart contract feature that allows a trader to borrow millions of dollars without collateral, provided the loan is repaid within the same transaction. The legitimate use cases include arbitrage between exchanges, collateral swaps without unwinding positions, and liquidation bots that maintain solvency in the credit markets.
The attack pattern is the same mechanic pointing in the wrong direction.
A borrower takes out the loan, uses the money to manipulate an oracle or drain a poorly designed liquidity pool, profits from the manipulation and pays back the loan, all before the transaction is completed. If a step fails, the entire sequence is rolled back, so the attacker risks nothing but gas costs.
The $XRP Ledger does not allow this to work. A draft change submitted earlier this week to the
What that means is that XRPL transactions either completely succeed or completely fail, like an Ethereum transaction. But unlike Ethereum, an XRPL transaction cannot invoke another contract during its execution. The borrow-manipulate-repay sequence that defines a flash loan attack requires at least three nested operations within a single transaction envelope.
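The all-or-nothing behaviour described above can be seen in a toy model. This is an added example, not code from the article or from any ledger or protocol: `Ledger`, `flash_loan`, `run` and the balances are hypothetical, and the `nested_calls=False` branch is an assumption that models the article's claim that an XRPL transaction cannot call out during execution.

```python
class Revert(Exception):
    """Abort the transaction; every state change made so far is discarded."""

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """All-or-nothing: commit if tx returns, restore the snapshot on Revert."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

def flash_loan(ledger, borrower, amount, callback, nested_calls=True):
    """Uncollateralized loan whose repayment check runs inside the same transaction."""
    if not nested_calls:
        # Assumption modelling the article's XRPL claim: no mid-transaction call-outs,
        # so the lender cannot hand over funds and verify repayment in one envelope.
        raise Revert("cannot invoke borrower code mid-transaction")
    owed = ledger.balances["pool"]
    ledger.transfer("pool", borrower, amount)
    callback(ledger)                       # borrower's steps run before the check
    if ledger.balances["pool"] < owed:
        raise Revert("loan not repaid")    # unwinds the transfer above as well

def run(callback, nested_calls=True):
    """Execute one flash-loan transaction on constructed balances; return (ok, state)."""
    ledger = Ledger({"pool": 1_000_000, "borrower": 0, "elsewhere": 0})
    ok = ledger.execute(lambda l: flash_loan(l, "borrower", 900_000, callback, nested_calls))
    return ok, ledger.balances

repay = lambda l: l.transfer("borrower", "pool", 900_000)       # loan returned in full
keep = lambda l: l.transfer("borrower", "elsewhere", 900_000)   # loan not returned

if __name__ == "__main__":
    print(run(repay))          # committed, pool made whole
    print(run(keep))           # reverted, no funds moved
    print(run(repay, False))   # rejected: ledger without nested calls
```

The lender is safe in every case because the repayment check and the rollback share one transaction; the risk to other protocols comes from what the borrower's steps can do to them between the transfer and the check.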
That’s a sensible architectural choice, and it comes at a cost. Flash loans are not just a tool of attack. They have become a structural part of Ethereum DeFi, with Aave, dYdX and other major protocols offering them as products. Arbitrage traders use flash loans to close price gaps between exchanges in a single atomic action.
Liquidation bots use them to keep over-collateralized credit positions solvent. Advanced DeFi users use them for collateral swaps that would otherwise require capital tied up for hours. XRPL gives up all that in exchange for closing the attack class completely.
For most of XRPL’s history, the tradeoff didn’t matter because the chain’s DeFi footprint was small. That is changing. Tokenized real-world assets on the $XRP Ledger have surpassed a total valuation of $3 billion, including last month’s Ripple-JPMorgan-Mastercard-Ondo Finance pilot, which processed a tokenized redemption of US Treasuries in less than five seconds.
If passed, the AMM draft amendment would close the capital efficiency gap that has held XRPL DeFi behind Ethereum, opening up the chain to a broader range of trading and returns strategies.
If the AMM Amendment is passed and XRPL’s DeFi liquidity grows toward something that institutional capital can deploy at scale, the question becomes whether structural exploitation resistance is a true competitive advantage or just a feature that institutions ignore in favor of where liquidity already is.

