TLDR
- A new draft amendment on the XRP Ledger confirms flash loan attacks are “structurally impossible” due to its atomic transaction design
- Flash loans were used in attacks on Thorchain, Drift Protocol, and KelpDAO, costing hundreds of millions in losses
- XRPL transactions cannot chain multiple operations in one block, unlike Ethereum’s composable smart contracts
- Tokenized real-world assets on XRPL have crossed $3 billion, including a Ripple-JPMorgan-Mastercard-Ondo Finance pilot
- A $200,000 bug bounty program run in late 2025 found no exploits related to flash loans or oracle manipulation
Flash loan attacks have drained hundreds of millions from DeFi protocols in recent months. The XRP Ledger says its design makes those attacks impossible from the start.
📈 NEW: XRP Ledger Eliminates Flash Loan Vulnerabilities
A newly proposed draft amendment to the XRP Ledger automated market maker standards highlights a major architectural defense against decentralized finance exploits.
The design entirely prevents flash loan attacks by… pic.twitter.com/rQ1tdNgqtK
— Zubiqo (@zubiqo) May 31, 2026
A draft amendment called AMM Swappable Curves, filed on May 26, 2026, by developers Denis Angell and Roman Thpt, includes a line in its Security Considerations section: “Flash loan attacks are structurally impossible. XRPL transactions are atomic without composable intra-transaction calls.”
What Is a Flash Loan Attack?
A flash loan lets a trader borrow large sums with no collateral, as long as the loan is repaid within the same transaction. When used as an attack, the borrower manipulates a price oracle or drains a liquidity pool and repays the loan before the transaction closes. If any step fails, the whole thing rolls back. The attacker risks nothing but gas fees.
This attack pattern requires chaining multiple operations inside one transaction. That is not possible on the XRP Ledger.
On Ethereum, the Virtual Machine allows composable smart contracts to link together several actions in one block. XRPL does not. Each transaction on XRPL is a single, self-contained operation. There are no intra-transaction calls.
Recent DeFi Losses Highlight the Risk
The cost of flash loan attacks has been steep. Thorchain lost roughly $10.8 million on May 15 to a cross-chain attack. Drift Protocol and KelpDAO together accounted for more than $600 million in losses through April. Cross-chain bridges have lost over $2.8 billion to attacks since 2021, according to Chainalysis.
These exploits have renewed attention on how different blockchains are built and what protections they offer by default.
XRPL’s Broader DeFi Build-Out
The AMM Swappable Curves amendment is part of a wider DeFi expansion on XRPL. The network is also developing the XLS-66 Lending Protocol and Single Asset Vaults under XLS-65.
XLS-66 will enable fixed-term and uncollateralized loans, with credit assessments handled off-chain and liquidity pools operating on-chain. Single Asset Vaults let users provide pooled liquidity without dual-token deposits.
A bug bounty program worth $200,000 ran from October to November 2025, targeting oracle manipulation and flash loan vulnerabilities. No exploits were found.
On May 27, 2026, the fixCleanup3_1_3 amendment was activated, fixing accounting bugs in the lending protocol and other DeFi functions, including issues tied to NFT offers.
Institutional Interest Is Growing
Tokenized real-world assets on XRPL have crossed $3 billion. A pilot involving Ripple, JPMorgan, Mastercard, and Ondo Finance processed a tokenized U.S. Treasury redemption in under five seconds last month.
XRPL’s design trades composability for security. Flash loans are not just attack tools — they are used by arbitrage traders and liquidation bots on Ethereum. XRPL gives those up entirely to close the exploit class.
Whether that tradeoff attracts institutional capital at scale will depend on how much liquidity moves to the ledger as its DeFi infrastructure matures.
