The 2 largest DeFi exploits of the previous two months have one factor in widespread. They used a instrument that doesn’t exist on the XRP Ledger.
Thorchain misplaced roughly $10.8 million on Might 15 to a cross-chain assault that drained funds throughout Bitcoin, Ethereum, BSC, and Base. Drift Protocol, a Solana-based decentralized perpetual change, and KelpDAO, a liquid restaking protocol on Ethereum, collectively accounted for greater than $600 million in losses via April alone.
Cross-chain bridges have misplaced over $2.8 billion to assaults since 2021, per Chainalysis. And a big share of those exploits used some variant of the identical mechanic: flash loans.
A flash mortgage is a brilliant contract function that lets a dealer borrow hundreds of thousands of {dollars} with no collateral, on the situation that the mortgage is repaid inside the identical transaction. The legit use circumstances embrace arbitrage between exchanges, collateral swaps with out unwinding positions, and liquidation bots that preserve solvency in lending markets.
The assault sample is identical mechanic pointed within the incorrect course.
A borrower takes out the mortgage, makes use of the funds to control an oracle or drain a poorly designed pool, earnings from the manipulation, and repays the mortgage, all earlier than the transaction settles. If any step fails, the entire sequence rolls again, so the attacker dangers nothing however fuel charges.
The XRP Ledger doesn’t let this work. A draft modification filed on the XRPL requirements repository earlier this week, proposing concentrated liquidity and StableSwap-style swimming pools for the chain’s native automated market maker, included a single line in its Safety Concerns part: “Flash mortgage assaults are structurally not possible. XRPL transactions are atomic with out composable intra-transaction calls.”
What meaning is that XRPL transactions both totally succeed or totally fail, like an Ethereum transaction. However in contrast to Ethereum, an XRPL transaction can not name into one other contract throughout its execution. The borrow-manipulate-repay sequence that defines a flash mortgage assault wants at the very least three nested operations inside a single transaction envelope.
That may be a significant architectural selection, and it has a price. Flash loans should not solely an assault instrument. They’ve change into a structural part of Ethereum DeFi, with Aave, dYdX, and different main protocols providing them as a product. Arbitrage merchants use flash loans to clear value variations between exchanges in a single atomic motion.
Liquidation bots use them to maintain over-collateralized lending positions solvent. Refined DeFi customers use them for collateral swaps that may in any other case require capital that will get tied up for hours. XRPL offers up all of that in change for closing the assault class solely.
For many of XRPL’s historical past, the tradeoff didn’t matter as a result of the chain’s DeFi footprint was small. That’s altering. Tokenized real-world property on the XRP Ledger have crossed $3 billion in complete worth, together with the Ripple-JPMorgan-Mastercard-Ondo Finance pilot final month that processed a tokenized U.S. Treasury redemption in underneath 5 seconds.
The draft AMM modification, if it passes, would shut the capital-efficiency hole that has held XRPL DeFi behind Ethereum, opening the chain to a wider set of buying and selling and yield methods.
If the AMM modification passes and XRPL’s DeFi liquidity grows towards one thing institutional capital can deploy at scale, the query turns into whether or not structural exploit resistance is an actual aggressive benefit or only a function that establishments ignore in favor of the place the liquidity already is.