On May 26, 2026, developers Denis Angell and Roman Thpt filed an amendment called AMM Swappable Curves to the XRPL standards repository. The primary goal of the document is to expand the network's native AMM capabilities: adding concentrated liquidity and StableSwap-style pools. But what caught the community's attention was a single line in the Security Considerations section: "Flash loan attacks are structurally impossible. XRPL transactions are atomic without composable intra-transaction calls."

To understand why this matters, you need to understand how flash loan attacks actually work. A flash loan is a smart contract feature that lets a trader borrow millions of dollars with no collateral, provided the loan is repaid within the same transaction. Legitimate uses include arbitrage between exchanges and liquidation bots that maintain solvency in lending markets. But the same mechanic lets an attacker borrow a massive sum, manipulate a price oracle, drain a liquidity pool, and repay the loan - all within one block, with essentially zero risk, because if anything fails, the entire transaction reverts.

On Ethereum, this works because the EVM allows smart contracts to call other contracts during execution. This is called composability - and it is simultaneously Ethereum's greatest strength and its most exploited vulnerability. A flash loan attack requires at least three nested operations inside a single transaction: borrow, manipulate, repay. On XRPL, one transaction cannot call another during execution. This is an architectural constraint, not a security setting. It cannot be configured away, because it is built into the fundamental structure of the network.

The context of this news makes it particularly significant. The two largest DeFi exploits of the past two months both used flash loans as a core attack component. THORChain lost $10.8 million on May 15. Drift Protocol and KelpDAO together lost more than $600 million in April. According to Chainalysis, cross-chain bridges have lost over $2.8 billion to attacks since 2021, with a significant share of those exploits relying on flash loans in some form. XRPL has not lost a single dollar to this class of attack in the same period - simply because the tool does not exist there.

The AMM Swappable Curves amendment is not only about security. It is part of a broader DeFi expansion on XRPL. The network is simultaneously developing the XLS-66 Lending Protocol - enabling fixed-term and uncollateralized loans with off-chain credit assessment and on-chain liquidity pools - and Single Asset Vaults under XLS-65, which allow liquidity provision in a single token without the complexity of dual-token deposits. Tokenized real-world assets on XRPL have already crossed $3 billion, and a pilot involving Ripple, JPMorgan, Mastercard, and Ondo Finance has already processed tokenized U.S. assets. On May 27, a separate fixCleanup3\_1\_3 amendment was activated, addressing accounting bugs in the lending protocol.

One honest caveat that should not be skipped: the architectural defense against flash loans is also a limitation. The composability that XRPL does not support is the foundation of most innovative DeFi protocols on Ethereum. By restricting nested calls, XRPL closed an entire attack class - but also narrowed the design space for developers accustomed to building complex composable systems. Critics say it plainly: if XRPL diverges too far from standard DeFi primitives, the network risks failing to attract the developers and liquidity currently concentrated on Ethereum and Solana.

But in May 2026, as DeFi closes the month with 14 confirmed incidents and $27 million in losses, an architecture that makes an entire class of attacks physically impossible is an argument that is difficult to ignore.