How can the XRP Ledger fundamentally eliminate flash loans?

54 minutes ago

In the past two months, several protocols, including Thorchain, Drift, and KelpDAO, have been hit by attacks that relied on flash loan mechanisms. According to a single source, these incidents are believed to have caused cumulative losses amounting to hundreds of millions of dollars. The core of a flash loan is that an attacker can borrow a large amount of assets without collateral within a single transaction and chain calls across multiple protocols to complete complex operations, as long as the principal is returned before the transaction ends. This compresses what once required lengthy preparation into just a few blocks on the chain.

On April 18, 2026, the Kelp rsETH cross-chain bridge, built on LayerZero V2, was attacked on the Unichain-to-Ethereum link. The attacker carried out RPC poisoning against a single validator and forged cross-chain messages, which led to an abnormal release of 116,500 rsETH on the Ethereum side without the corresponding rsETH being destroyed on the Unichain side. By May 31, Aave's post-incident investigation explicitly attributed the risk to third-party cross-chain bridge infrastructure rather than to the protocol itself. A single source claimed that the relevant rsETH has been fully recovered, but the systemic risk of "flash loans + cross-chain bridges" has not dissipated.

On highly composable public chains like Ethereum, everything from smart contracts to cross-chain bridges can be stitched together into an attack script within a single transaction, whereas the XRP Ledger is considered inherently unable to support traditional flash loans because of its strong transaction atomicity and the lack of composable calls within a transaction. Recently, the community proposed a new technical solution that attempts to close off such attack paths entirely at the protocol level, bringing to the forefront the question of whether flash loans should be accommodated at the foundational level.

Flash Loans Become Standard in DeFi Attacks

On public chains that support complex smart contracts, flash loans have become "infrastructure" in the hands of attackers. The rules are simple: borrow a large amount of assets without collateral in a single transaction, and as long as the full amount is returned before the transaction ends, the contract counts as fulfilled. From the underlying chain's perspective, the dozens or even hundreds of internal calls in between are merely internal details of the same atomic transaction. Because a flash loan does not tie up capital for long and does not expose a position, attackers can string together borrowing, market making, oracle price feeding, liquidation, cross-chain transfers, and other complex operations in a single transaction, using temporarily enlarged leverage to amplify every small design flaw in each link.

From April to May 2026, the reported security incidents affecting Thorchain, Drift, and KelpDAO almost universally featured flash loans along the attack paths. According to a single source, these incidents are considered to have caused cumulative losses amounting to hundreds of millions of dollars, but public information has not provided detailed transaction breakdowns. What they have in common is that the attack transactions were often completed in highly composable environments like Ethereum, with call paths spanning multiple protocols. The flash loan is only the first domino; the truly lethal element is the structure of "multi-protocol composability + atomic settlement," which lets an attack script run entirely on-chain in one go (either everything succeeds or everything rolls back), significantly reducing the cost of failure and amplifying the systemic impact of every potential vulnerability.
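The borrow, compose, repay-or-revert rule described above can be modelled in a few lines. This is an added illustration, not code from any protocol named in the article; the ledger layout, the 0.09% fee and all balances are constructed assumptions.

```python
import copy

class Revert(Exception):
    """Aborts the transaction; the executor discards every state change."""

FEE_BPS = 9  # constructed fee: 0.09% of principal (assumption)

def flash_loan(ledger, borrower, amount, callback):
    """Lend with no collateral, run the borrower's calls, then enforce repayment."""
    if amount > ledger["pool"]:
        raise Revert("insufficient reserves")
    ledger["pool"] -= amount
    ledger[borrower] = ledger.get(borrower, 0) + amount
    callback(ledger)  # composed calls to other protocols would run here
    owed = amount + amount * FEE_BPS // 10_000
    if ledger.get(borrower, 0) < owed:
        raise Revert("principal plus fee not returned")
    ledger[borrower] -= owed
    ledger["pool"] += owed

def execute_atomically(ledger, tx):
    """Run tx on a copy of the state; commit only if it finishes without Revert."""
    scratch = copy.deepcopy(ledger)
    try:
        tx(scratch)
    except Revert as exc:
        return ledger, f"reverted: {exc}"
    return scratch, "committed"

def run_examples():
    ledger = {"pool": 1_000_000, "borrower": 1_000}  # constructed balances

    def repaid(state):  # borrower's calls leave the principal intact
        flash_loan(state, "borrower", 500_000, lambda s: None)

    def lossy_calls(s):  # borrower's calls lose part of the principal
        s["borrower"] -= 200_000
        s["sink"] = s.get("sink", 0) + 200_000

    def unrepaid(state):
        flash_loan(state, "borrower", 500_000, lossy_calls)

    after_ok, status_ok = execute_atomically(ledger, repaid)
    after_bad, status_bad = execute_atomically(ledger, unrepaid)
    return after_ok, status_ok, after_bad, status_bad
```

In the reverted case the state is exactly what it was before the transaction, which is the "compressed failure cost" the article refers to: only the fee and gas are ever at risk for the borrower.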

Kelp rsETH Bridge Attacked: Validator Becomes Weak Point

The April 18 Kelp rsETH LayerZero V2 cross-chain bridge incident was quickly determined not to be a "traditional contract vulnerability" but a chain reaction triggered by subverting the verification layer. The attacker focused on the single validator behind the Unichain-to-Ethereum link: by carrying out RPC poisoning against that validator, they were able to feed it tampered block and state views, so that the validator operated under a "faulty worldview." When this contaminated validating node stamped a cross-chain message, the Ethereum-side contract was convinced that the Unichain side had processed the rsETH according to the rules, and therefore directly released 116,500 rsETH on the Ethereum side, while the source chain had not actually destroyed the corresponding assets. The cross-chain message itself appeared structurally complete and carried valid signatures, but the trusted party behind the signatures had quietly been replaced by a machine controlled by the attacker.

On May 31, Aave emphasized in its post-incident investigation that the 116,500 rsETH had been fully recovered and pointed the risk towards "third-party bridge infrastructure," rather than Aave itself or the LayerZero core protocol. On one hand, this statement draws technical boundaries: the core logic of the lending protocol operated as expected, and the general security model of the underlying message channel was not directly breached; the real single point of failure is the integration layer that selects a single validator for its bridge implementation and relies on that validator's RPC view. On the other hand, it places the incident within a broader narrative of DeFi security: although on the surface it was an incident of "cross-chain messages being forged," in essence it was the consequence of an infrastructure design that concentrated too much trust in a single node.
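The trust concentration described above can be shown as a destination-side check that counts attestations from distinct verifiers, with a 1-of-1 configuration beside a 2-of-3 one. This is an added sketch, not LayerZero or Kelp code; HMAC stands in for verifier signatures, the message format, keys and verifier names are constructed, and the verifiers' RPC views are assumed to be independent.

```python
import hashlib
import hmac

def attest(key: bytes, message: bytes) -> bytes:
    # HMAC stands in for a verifier signature (assumption for this sketch).
    return hmac.new(key, message, hashlib.sha256).digest()

class Verifier:
    def __init__(self, name, key, rpc_view):
        self.name, self.key, self.rpc_view = name, key, rpc_view

    def maybe_attest(self, message):
        # A verifier signs only what its own RPC view of the source chain shows.
        return attest(self.key, message) if message in self.rpc_view else None

def release_allowed(message, attestations, trusted_keys, threshold):
    """Release only if enough distinct trusted verifiers gave a valid attestation."""
    valid = {
        name for name, tag in attestations.items()
        if name in trusted_keys and tag is not None
        and hmac.compare_digest(tag, attest(trusted_keys[name], message))
    }
    return len(valid) >= threshold

def demo():
    # Constructed messages: the first describes a burn that never happened.
    forged = b"burn:rsETH:116500:unichain->ethereum"
    real = b"burn:rsETH:10:unichain->ethereum"
    keys = {"v1": b"k1-constructed", "v2": b"k2-constructed", "v3": b"k3-constructed"}
    verifiers = [
        Verifier("v1", keys["v1"], {real, forged}),  # poisoned RPC view
        Verifier("v2", keys["v2"], {real}),
        Verifier("v3", keys["v3"], {real}),
    ]

    def collect(msg):
        return {v.name: v.maybe_attest(msg) for v in verifiers}

    # Weak setting: the destination trusts v1 alone, so its valid signature suffices.
    single = release_allowed(forged, collect(forged), {"v1": keys["v1"]}, threshold=1)
    # Corrected setting: 2-of-3 verifiers with independent views must agree.
    quorum_forged = release_allowed(forged, collect(forged), keys, threshold=2)
    quorum_real = release_allowed(real, collect(real), keys, threshold=2)
    return single, quorum_forged, quorum_real
```

The forged message carries a cryptographically valid attestation in both settings; what changes the outcome is how many independent views the destination requires before releasing funds.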

XRP Ledger Naturally Avoids Flash Loans

If cross-chain bridges concentrate risk in a single validator's view, the XRP Ledger (XRPL) blocks certain types of risk outright at the protocol level, along a different dimension. According to reports from Golden Finance and others, XRPL's foundational design emphasizes transaction atomicity: one transaction is one thing, and either it all succeeds or it all rolls back. A single transaction cannot nest a multi-step process such as "first call this contract, then call that protocol," nor is there an execution environment like Ethereum's that allows arbitrary combinations of multiple calls within a transaction. As a result, developers find it difficult to construct a complex on-chain "borrow money, do the thing, repay" scenario on XRPL.

This cuts off the critical premise of traditional flash loans. Public chains like Ethereum have become hotbeds for flash loan attacks precisely because an attacker can borrow a large amount of assets without collateral in a single transaction and link multiple protocols in sequence to carry out trades, liquidations, price manipulation, and other multi-step operations, as long as the assets are returned before the transaction ends. XRPL lacks this ability to link multiple protocols within a single transaction, so it currently does not support a flash loan mechanism, and almost no large-scale attacks relying on flash loans appear in publicly available reports. Seen in terms of "whether many things can be done in one transaction," XRPL has drawn its risk boundary directly through its architecture, which explains why it faces a different attack surface from highly composable chains in the same wave of DeFi security storms.

New Proposal Emerges: XRP Ledger Tightens Attack Surface

Understanding that it has avoided this round of flash loan storms by knowing "what cannot be done," the XRP Ledger community proposed a new techn
