A security vulnerability that could have allowed unauthorized transactions was identified in a proposed XRP Ledger (XRPL) update. Researchers detected the flaw before it could impact the main blockchain network.
The XRPL Foundation disclosed on Feb. 26 that the vulnerability was present in the proposed “Batch” amendment, designed to enable users to combine multiple actions into a single atomic transaction. Security researcher Pranamya Keshkamat and Cantina AI’s autonomous static-analysis tool, Apex, reported the issue on Feb. 19.
If the bug had been activated, attackers could have executed inner transactions as if they were authorized by another account, without needing access to the user’s private keys. This could have resulted in unauthorized fund transfers and changes to ledger settings under a victim’s account without their consent.
The disclosure highlighted the potential risks associated with the flaw, especially as XRPL is expanding into areas like tokenization and compliance-sensitive activities where security and reliability are crucial for institutional adoption.
The flaw in the Batch amendment was traced back to a loop error in the validation of batch signers. When encountering a signer whose account did not exist on the ledger yet, the code would prematurely validate the transaction, potentially allowing for unauthorized actions.
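The early-exit pattern described above, shown as a simplified model beside its corrected form. This is an added example, not the XRPL project's code; the types, function names and the `master:` key convention are assumptions made for illustration.

```cpp
#include <map>
#include <string>
#include <vector>

// Constructed model: account ID -> key authorized to sign for that account.
using Ledger = std::map<std::string, std::string>;
struct Signer { std::string account; std::string key; };

// Assumption: an account not yet on the ledger may only be signed for with
// its own master key, modelled here as the string "master:" + account.
static bool keyMatches(const Ledger& ledger, const Signer& s) {
    auto it = ledger.find(s.account);
    if (it == ledger.end())
        return s.key == "master:" + s.account;
    return s.key == it->second;
}

// Flawed shape: the missing-account branch returns a verdict for the whole
// batch, so signers later in the list are never checked.
bool checkSignersFlawed(const Ledger& ledger, const std::vector<Signer>& signers) {
    for (const auto& s : signers) {
        if (ledger.find(s.account) == ledger.end())
            return keyMatches(ledger, s);   // early exit from the loop
        if (!keyMatches(ledger, s))
            return false;
    }
    return true;
}

// Corrected shape: only a failure may exit early; success is reported
// after every signer in the list has been verified.
bool checkSignersFixed(const Ledger& ledger, const std::vector<Signer>& signers) {
    for (const auto& s : signers)
        if (!keyMatches(ledger, s))
            return false;
    return true;
}

// Constructed regression input: a valid signer for a not-yet-created
// account, followed by an entry whose key does not match the ledger.
bool regressionCaseAccepted(bool useFixed) {
    Ledger ledger{{"alice", "key-alice"}};
    std::vector<Signer> signers{{"newacct", "master:newacct"},
                                {"alice", "wrong-key"}};
    return useFixed ? checkSignersFixed(ledger, signers)
                    : checkSignersFlawed(ledger, signers);
}
```

A regression test for this class of bug places the mismatched signer after the branch that used to return, since a test list containing only existing accounts passes through both versions identically.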
To address the issue, XRPL quickly took action by advising trusted validators to vote against the Batch amendment and releasing an emergency update to prevent its activation. A corrected replacement, BatchV1_1, is currently under review to ensure that the authorization risk is eliminated.
The incident serves as a reminder of the importance of robust security measures in blockchain networks, especially as they evolve to support more complex functionalities and attract institutional users. XRPL’s response to the vulnerability demonstrates its commitment to maintaining a secure and reliable platform for its users.



