The 2 largest DeFi exploits of the previous two months have one factor in widespread. They used a software that doesn’t exist on the XRP Ledger.
Thorchain misplaced roughly $10.8 million on Could 15 to a cross-chain assault that drained funds throughout Bitcoin, Ethereum, BSC, and Base. Drift Protocol, a Solana-based decentralized perpetual change, and KelpDAO, a liquid restaking protocol on Ethereum, collectively accounted for greater than $600 million in losses by means of April alone.
Cross-chain bridges have misplaced over $2.8 billion to assaults since 2021, per Chainalysis. And a big share of those exploits used some variant of the identical mechanic: flash loans.
A flash mortgage is a great contract characteristic that lets a dealer borrow hundreds of thousands of {dollars} with no collateral, on the situation that the mortgage is repaid inside the identical transaction. The official use circumstances embrace arbitrage between exchanges, collateral swaps with out unwinding positions, and liquidation bots that keep solvency in lending markets.
The assault sample is similar mechanic pointed within the flawed route.
A borrower takes out the mortgage, makes use of the funds to govern an oracle or drain a poorly designed pool, earnings from the manipulation, and repays the mortgage, all earlier than the transaction settles. If any step fails, the entire sequence rolls again, so the attacker dangers nothing however gasoline charges.
The XRP Ledger doesn’t let this work. A draft modification filed on the XRPL requirements repository earlier this week, proposing concentrated liquidity and StableSwap-style swimming pools for the chain’s native automated market maker, included a single line in its Safety Concerns part: “Flash mortgage assaults are structurally not possible. XRPL transactions are atomic with out composable intra-transaction calls.”
What which means is that XRPL transactions both absolutely succeed or absolutely fail, like an Ethereum transaction. However not like Ethereum, an XRPL transaction can’t name into one other contract throughout its execution. The borrow-manipulate-repay sequence that defines a flash mortgage assault wants not less than three nested operations inside a single transaction envelope.
That could be a significant architectural alternative, and it has a value. Flash loans should not solely an assault software. They’ve turn into a structural part of Ethereum DeFi, with Aave, dYdX, and different main protocols providing them as a product. Arbitrage merchants use flash loans to clear value variations between exchanges in a single atomic motion.
Liquidation bots use them to maintain over-collateralized lending positions solvent. Subtle DeFi customers use them for collateral swaps that may in any other case require capital that will get tied up for hours. XRPL offers up all of that in change for closing the assault class fully.
For many of XRPL’s historical past, the tradeoff didn’t matter as a result of the chain’s DeFi footprint was small. That’s altering. Tokenized real-world property on the XRP Ledger have crossed $3 billion in whole worth, together with the Ripple-JPMorgan-Mastercard-Ondo Finance pilot final month that processed a tokenized U.S. Treasury redemption in underneath 5 seconds.
The draft AMM modification, if it passes, would shut the capital-efficiency hole that has held XRPL DeFi behind Ethereum, opening the chain to a wider set of buying and selling and yield methods.
If the AMM modification passes and XRPL’s DeFi liquidity grows towards one thing institutional capital can deploy at scale, the query turns into whether or not structural exploit resistance is an actual aggressive benefit or only a characteristic that establishments ignore in favor of the place the liquidity already is.
