The 2 greatest DeFi exploits of the previous two months have one factor in widespread. They used a device that doesn’t exist on the XRP Ledger.
Thorchain misplaced roughly $10.8 million on Might 15 to a cross-chain assault that drained funds throughout Bitcoin, Ethereum, BSC, and Base. Drift Protocol, a Solana-based decentralized perpetual trade, and KelpDAO, a liquid restaking protocol on Ethereum, collectively accounted for greater than $600 million in losses by April alone.
Cross-chain bridges have misplaced over $2.8 billion to attacks since 2021, per Chainalysis. And a big share of these exploits used some variant of the identical mechanic: flash loans.
A flash loan is a great contract characteristic that lets a dealer borrow millions of {dollars} with no collateral, on the situation that the loan is repaid inside the identical transaction. The authentic use instances embrace arbitrage between exchanges, collateral swaps with out unwinding positions, and liquidation bots that keep solvency in lending markets.
The assault sample is the identical mechanic pointed in the incorrect route.
A borrower takes out the loan, makes use of the funds to control an oracle or drain a poorly designed pool, earnings from the manipulation, and repays the loan, all earlier than the transaction settles. If any step fails, the entire sequence rolls again, so the attacker dangers nothing however gasoline charges.
The XRP Ledger doesn’t let this work. A draft modification filed on the XRPL requirements repository earlier this week, proposing concentrated liquidity and StableSwap-style swimming pools for the chain’s native automated market maker, included a single line in its Safety Concerns part: “Flash loan attacks are structurally unattainable. XRPL transactions are atomic with out composable intra-transaction calls.”
What which means is that XRPL transactions both absolutely succeed or absolutely fail, like an Ethereum transaction. However in contrast to Ethereum, an XRPL transaction can’t name into one other contract throughout its execution. The borrow-manipulate-repay sequence that defines a flash loan assault wants at the very least three nested operations inside a single transaction envelope.
That may be a significant architectural selection, and it has a price. Flash loans are usually not solely an assault device. They’ve grow to be a structural part of Ethereum DeFi, with Aave, dYdX, and different main protocols providing them as a product. Arbitrage merchants use flash loans to clear value variations between exchanges in a single atomic motion.
Liquidation bots use them to maintain over-collateralized lending positions solvent. Subtle DeFi customers use them for collateral swaps that will in any other case require capital that will get tied up for hours. XRPL provides up all of that in trade for closing the assault class completely.
For many of XRPL’s historical past, the tradeoff didn’t matter as a result of the chain’s DeFi footprint was small. That’s altering. Tokenized real-world belongings on the XRP Ledger have crossed $3 billion in whole worth, together with the Ripple-JPMorgan-Mastercard-Ondo Finance pilot final month that processed a tokenized U.S. Treasury redemption in beneath 5 seconds.
The draft AMM modification, if it passes, would shut the capital-efficiency hole that has held XRPL DeFi behind Ethereum, opening the chain to a wider set of buying and selling and yield methods.
If the AMM modification passes and XRPL’s DeFi liquidity grows towards one thing institutional capital can deploy at scale, the query turns into whether or not structural exploit resistance is an actual aggressive benefit or only a characteristic that establishments ignore in favor of the place the liquidity already is.
