XRPL transactions are also atomic — they fully succeed or fully fail. However, the ledger does not allow one transaction to call multiple contracts during its execution. A transaction is a standalone, self-contained operation. This prevents the chaining of actions required for the classic "borrow-manipulate-drain-repay" flash loan attack.
The draft amendment’s authors frame this not as a limitation but as a foundational security feature. The architecture simply doesn't offer the composable building blocks that flash loan exploits rely on.
A $200,000 bug bounty program conducted in late 2025 reinforced this view, finding no vulnerabilities related to flash loans or oracle manipulation on the network.
The design choice that kills these attacks also kills genuine utility.
Ethereum's composability is often described as "money legos," where protocols like Uniswap, Aave, and Curve interact freely within a single transaction. This enables sophisticated strategies including legitimate flash loan arbitrage, collateral swaps, and self-liquidations, which improve capital efficiency across the ecosystem.
XRPL sacrifices these use cases. The network relies on a smaller set of native primitives — payment paths, escrow, checks, and trust lines — rather than a Turing-complete virtual machine. This results in a simpler, less expressive smart contract model that constrains the complexity of DeFi applications that can be built directly on the chain.
For some developers and users, this is an unacceptable limitation. For others, especially in a period of record-breaking DeFi losses, the trade-off feels increasingly justified.
April 2026 was the worst month for DeFi losses since the $1.4 billion Bybit breach of February 2025. Two attacks accounted for over $577 million:
Drift Protocol — $285 million (April 1, 2026): The largest Solana-based DeFi exploit to date. Attackers, linked to North Korea's Lazarus Group, spent months posing as a quantitative trading firm to socially engineer access to protocol signers before draining funds in roughly 12 minutes.
KelpDAO — $292 million (April 18-19, 2026): An attacker exploited a single-verifier flaw in KelpDAO's LayerZero cross-chain bridge to steal rsETH tokens. The incident triggered $9 billion in outflows from Aave within two days and pushed total value locked across all DeFi down to $82.4 billion, a 25% decline from the start of 2026.
Together these two incidents represented 95% of April's $606 million in total losses and 75% of all 2026 crypto losses through that date.
The cascade continued into May. On May 15, the cross-chain protocol Thorchain was hit for $10.8 million across Bitcoin, Ethereum, BNB Chain, and Base. The protocol was forced to pause all trading and signing for over 12 hours, and its native RUNE token dropped 12%.
The accumulating damage has sharpened the debate around architectural security. The XRPL amendment argues that in an environment where well-audited protocols routinely lose hundreds of millions, a network that eliminates an entire exploit class by design offers a different — and arguably safer — foundation for decentralized finance.
The proposal is currently a draft on the XRPL standards repository, awaiting community consensus and the technical approval required to become an active amendment. There is no guarantee it will be adopted, but the conversation it has sparked is about more than one network's AMM design.
It reframes a question that the recent string of exploits has made urgent: Is DeFi composability indispensable, or has it become an unacceptable systemic risk? The XRPL's answer is clear in its code.