A draft XRPL amendment proposes changes that make flash loan attacks structurally impossible on the XRP Ledger. The change is highlighted amid high-profile DeFi losses: Thorchain lost roughly $10.8 million on May 15 to a cross-chain attack that drained funds across Bitcoin, Ethereum, BSC, and Base. Drift Protocol and KelpDAO together accounted for more than $600 million in losses through April, and cross-chain bridges have lost over $2.8 billion to attacks since 2021.
A flash loan is a smart contract feature that lets a trader borrow funds with no collateral on the condition that the loan is repaid inside the same transaction. The typical attack pattern uses a single-transaction sequence: borrow funds, manipulate an oracle or drain a liquidity pool, extract profit, and then repay the borrowed funds within that same transaction. If any step in that sequence fails, the entire transaction rolls back and the loan is not issued. Flash loans therefore rely on composable, intra-transaction calls between smart contracts to execute all steps atomically.
On the XRP Ledger, transactions are atomic and cannot call into another contract during execution, which removes the composable intra-transaction interactions that flash loans depend on. A draft XRPL amendment proposes concentrated liquidity and StableSwap-style pools for the native automated market maker while preserving transaction atomicity. According to that amendment, flash loan attacks are structurally impossible on the XRPL because the execution model prevents the multi-step, intra-transaction sequences used in flash loan exploits. The XRPL approach therefore forgoes flash loan functionality as a trade-off to close this class of attack.
This design choice prioritizes closing the flash-loan attack vector over supporting flash-loan-enabled use cases. The amendment frames the trade-off between enabling certain DeFi primitives and eliminating a structural exploitation path.
Flash loans have become a structural component of Ethereum DeFi, and major lending platforms such as Aave and dYdX offer them as products. These unsecured, intra-transaction loans let users access large capital for complex, single-transaction strategies. In practice, protocols and traders use flash loans for arbitrage, rapid collateral swaps, and other opportunistic DeFi actions. The availability of flash loans across Ethereum ecosystems underpins many composable financial flows.
By contrast, the XRP Ledger’s security model disallows the composable intra-transaction interactions that enable flash loans. Flash loan attacks are structurally impossible. XRPL transactions are atomic without composable intra-transaction calls. A draft XRPL amendment proposes concentrated liquidity and StableSwap-style pools for the native automated market maker while preserving atomic transaction execution. That execution model prevents the multi-step borrow-manipulate-profit-repay sequences that characterize flash loan exploits.
This approach eliminates the flash-loan attack class on XRPL but also means the ledger forgoes flash-loan-enabled functions. That trade-off prioritizes structural safety over certain DeFi primitives dependent on flash loans.
The XRP Ledger uses an atomic transaction model that prevents transactions from calling into other contracts during execution, which blocks the composable intra-transaction sequences required for flash loan exploits. A draft XRPL amendment says flash loan attacks are structurally impossible on the ledger and notes that the design sacrifices flash-loan functionality to close this class of attack. This design choice focuses on the technical security benefit of preventing a multi-step, intra-transaction attack pattern common in other DeFi ecosystems.
