In a significant incident for blockchain security, an autonomous AI tool identified a critical vulnerability in the XRP Ledger. This flaw, if unnoticed, could have enabled an attacker to siphon funds from any account on the network without requiring access to the victim’s private keys.
The vulnerability, disclosed on Thursday by XRPL Labs, was located in the signature-validation logic of the Batch amendment, an upcoming upgrade that would permit multiple transactions to be bundled and executed simultaneously.
The amendment was still in its validator voting phase and had not been activated on mainnet, so no funds were at risk. Had it gone live with the flaw in place, however, the consequences for the network would have been severe.
To put it simply, Batch transactions let a user combine several operations into a single transaction. Because the individual inner transactions carry no signatures of their own, the system relies on a list of batch signers to confirm that every account participating in the bundle has authorized it.
The validation function that checks those signers contained a loop error. When it encountered a signer for an account that did not yet exist on the ledger, and whose signing key matched the account itself (the normal state of a newly created account), it returned success immediately and skipped the remaining checks.
That behaviour gave an attacker a direct path: assemble a batch of three transactions. The first creates a new account under the attacker's control. The second is a trivial transaction sent from that new account, which makes it a required batch signer. The third is a payment from the victim's account to the attacker.
Because the new account did not yet exist at validation time, the signer check hit the early exit on the first entry and never examined the second, the victim's. The victim's funds would have moved without the victim's private key ever being used.
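The premature loop exit and the three-transaction batch that abuses it, as an added example that is not rippled's code and not part of the original report. The ledger, the account IDs (rATTACKER, rVICTIM, rNEW), the `Batch`/`Signer` types and the boolean stand-in for signature verification are all assumptions made for illustration; the point is the control flow of the signer loop, shown in its vulnerable shape next to a corrected one.

```cpp
// Simplified model of batch-signer validation, written to illustrate the premature
// loop exit described above. NOT rippled's code: types, names and the toy ledger are
// assumptions for this example only.
#include <map>
#include <set>
#include <string>
#include <vector>

struct Signer {
    std::string account;     // account this entry claims to sign for
    std::string signingKey;  // key used for the signature (master key == account ID here)
    bool signatureValid;     // stand-in for a real cryptographic check of the batch signature
};

struct InnerTx {
    std::string account;     // account the inner transaction is sent from
    std::string description;
};

struct Batch {
    std::string outerAccount;     // account that signs the Batch envelope itself
    std::vector<InnerTx> inner;
    std::vector<Signer> signers;  // batch-signer list covering the other inner accounts
};

// Toy ledger: account ID -> key currently authorized to sign for it.
// Accounts that are not yet on the ledger are absent from the map.
using Ledger = std::map<std::string, std::string>;

enum class Result { Success, BadSigner, MissingSigner };

// Every inner account other than the outer (envelope) account needs a signer entry.
static std::set<std::string> requiredSigners(const Batch& b) {
    std::set<std::string> req;
    for (const auto& tx : b.inner)
        if (tx.account != b.outerAccount) req.insert(tx.account);
    return req;
}

static Result checkCoverage(const Batch& b, const std::set<std::string>& verified) {
    for (const auto& acct : requiredSigners(b))
        if (!verified.count(acct)) return Result::MissingSigner;
    return Result::Success;
}

// Vulnerable shape: a signer for an account that is not yet on the ledger, using its
// own master key, makes the loop return Success for the whole batch instead of
// continuing. Every later entry, and the coverage check, is skipped.
Result checkBatchSignersVulnerable(const Batch& b, const Ledger& ledger) {
    std::set<std::string> verified;
    for (const auto& s : b.signers) {
        auto it = ledger.find(s.account);
        if (it == ledger.end()) {
            if (s.signingKey == s.account && s.signatureValid)
                return Result::Success;  // BUG: premature exit from the loop
            return Result::BadSigner;
        }
        if (s.signingKey != it->second || !s.signatureValid) return Result::BadSigner;
        verified.insert(s.account);
    }
    return checkCoverage(b, verified);
}

// Corrected shape: the not-yet-existing account is checked like any other signer,
// recorded as verified, and the loop proceeds to the remaining entries.
Result checkBatchSignersFixed(const Batch& b, const Ledger& ledger) {
    std::set<std::string> verified;
    for (const auto& s : b.signers) {
        auto it = ledger.find(s.account);
        const std::string expectedKey = (it == ledger.end()) ? s.account : it->second;
        if (s.signingKey != expectedKey || !s.signatureValid) return Result::BadSigner;
        verified.insert(s.account);
    }
    return checkCoverage(b, verified);
}

// Constructed sample ledger: attacker and victim exist, rNEW does not yet.
Ledger sampleLedger() {
    return {{"rATTACKER", "rATTACKER"}, {"rVICTIM", "rVICTIM"}};
}

// The three-transaction batch from the write-up. The attacker holds rNEW's key (valid
// signature) but not rVICTIM's (that entry carries a forged, invalid signature).
Batch attackBatch() {
    Batch b;
    b.outerAccount = "rATTACKER";
    b.inner = {{"rATTACKER", "Payment funding rNEW (creates the account)"},
               {"rNEW", "Trivial transaction so rNEW becomes a required signer"},
               {"rVICTIM", "Payment rVICTIM -> rATTACKER"}};
    b.signers = {{"rNEW", "rNEW", true},         // first entry: new account, master key
                 {"rVICTIM", "rVICTIM", false}};  // second entry: never reached by the buggy loop
    return b;
}

// Same batch, but the victim genuinely signed it.
Batch honestBatch() {
    Batch b = attackBatch();
    b.signers[1].signatureValid = true;
    return b;
}

// Same batch with the victim's signer entry omitted entirely.
Batch uncoveredBatch() {
    Batch b = attackBatch();
    b.signers.pop_back();
    return b;
}
```

Run against `sampleLedger()`, the vulnerable routine accepts `attackBatch()` (it returns at the rNEW entry) while the fixed one rejects it as `BadSigner`, accepts `honestBatch()`, and reports `MissingSigner` for `uncoveredBatch()`, where no entry for rVICTIM exists at all. The structural lesson is that a per-element check inside a loop over signers must never return the aggregate verdict; it should `continue` or fail, and the aggregate verdict belongs after the loop.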
On February 19, Pranamya Keshkamat and Cantina AI’s autonomous security tool, Apex, detected this issue through static analysis of the codebase and issued a responsible disclosure. Ripple’s engineering team confirmed the findings the same evening with an independent proof-of-concept.
The response was swift. Validators on the network’s Unique Node List received immediate advice to vote “No” on the amendment.
On February 23, an emergency release, rippled 3.1.1, was deployed. It marks both the Batch amendment and the associated fixBatchInnerSigs amendment as unsupported, which prevents them from being activated. A corrected version, named BatchV1_1, has been developed and is under review; no release date has been announced.
The fact that an AI tool detected this vulnerability is noteworthy in itself.
In light of this incident, XRPL Labs announced plans to incorporate AI-assisted code audit pipelines into its standard review process, complemented by enhanced static analysis aimed specifically at premature loop exits of the kind that caused this vulnerability.