The 2 greatest DeFi exploits of the previous two months have one factor in widespread. They used a software that doesn’t exist on the XRP Ledger.
Thorchain misplaced roughly $10.8 million on Might 15 to a cross-chain assault that drained funds throughout Bitcoin, Ethereum, BSC, and Base. Drift Protocol, a Solana-based decentralized perpetual trade, and KelpDAO, a liquid restaking protocol on Ethereum, collectively accounted for greater than $600 million in losses by way of April alone.
Cross-chain bridges have misplaced over $2.8 billion to assaults since 2021, per Chainalysis. And a big share of those exploits used some variant of the identical mechanic: flash loans.
A flash mortgage is a great contract characteristic that lets a dealer borrow hundreds of thousands of {dollars} with no collateral, on the situation that the mortgage is repaid inside the identical transaction. The legit use circumstances embrace arbitrage between exchanges, collateral swaps with out unwinding positions, and liquidation bots that keep solvency in lending markets.
The assault sample is identical mechanic pointed within the fallacious path.
A borrower takes out the mortgage, makes use of the funds to control an oracle or drain a poorly designed pool, income from the manipulation, and repays the mortgage, all earlier than the transaction settles. If any step fails, the entire sequence rolls again, so the attacker dangers nothing however gasoline charges.
The XRP Ledger doesn’t let this work. A draft modification filed on the XRPL requirements repository earlier this week, proposing concentrated liquidity and StableSwap-style swimming pools for the chain’s native automated market maker, included a single line in its Safety Concerns part: “Flash mortgage assaults are structurally unimaginable. XRPL transactions are atomic with out composable intra-transaction calls.”
What which means is that XRPL transactions both totally succeed or totally fail, like an Ethereum transaction. However not like Ethereum, an XRPL transaction can’t name into one other contract throughout its execution. The borrow-manipulate-repay sequence that defines a flash mortgage assault wants not less than three nested operations inside a single transaction envelope.
That may be a significant architectural selection, and it has a value. Flash loans are usually not solely an assault software. They’ve grow to be a structural element of Ethereum DeFi, with Aave, dYdX, and different main protocols providing them as a product. Arbitrage merchants use flash loans to clear worth variations between exchanges in a single atomic motion.
Liquidation bots use them to maintain over-collateralized lending positions solvent. Subtle DeFi customers use them for collateral swaps that may in any other case require capital that will get tied up for hours. XRPL provides up all of that in trade for closing the assault class solely.
For many of XRPL’s historical past, the tradeoff didn’t matter as a result of the chain’s DeFi footprint was small. That’s altering. Tokenized real-world belongings on the XRP Ledger have crossed $3 billion in whole worth, together with the Ripple-JPMorgan-Mastercard-Ondo Finance pilot final month that processed a tokenized U.S. Treasury redemption in underneath 5 seconds.
The draft AMM modification, if it passes, would shut the capital-efficiency hole that has held XRPL DeFi behind Ethereum, opening the chain to a wider set of buying and selling and yield methods.
If the AMM modification passes and XRPL’s DeFi liquidity grows towards one thing institutional capital can deploy at scale, the query turns into whether or not structural exploit resistance is an actual aggressive benefit or only a characteristic that establishments ignore in favor of the place the liquidity already is.
