XRP Ledger (XRPL) averts critical security flaw with AI
The post XRP Ledger (XRPL) averts critical security flaw with AI appeared on BitcoinEthereumNews.com.
A security flaw in a proposed XRP Ledger (XRPL) upgrade could have enabled unauthorized transactions, but researchers flagged the issue before it could reach the blockchain’s main network.

The XRPL Foundation said Feb. 26 that the vulnerability was found in the proposed “Batch” amendment, a feature intended to let users bundle multiple actions into a single atomic transaction. Security researcher Pranamya Keshkamat and Cantina AI’s autonomous static-analysis tool, Apex, reported the issue Feb. 19, according to the foundation.

If the amendment had been activated with the bug in place, an attacker could have executed inner transactions as if they were authorized by another account, without access to that user’s private keys. That could have enabled unauthorized fund transfers and changes to ledger settings under a victim’s account, even though the victim did not sign the transaction.

The disclosure comes as XRPL has been positioning itself for use cases such as tokenization and other compliance-sensitive activities, where perceived security and reliability are central to institutional adoption.

Understanding XRPL’s critical Batch amendment security flaw

The proposed Batch amendment changed how authorization would work on the XRP Ledger by allowing multiple “inner” transactions to be bundled into a single “outer” Batch transaction, so that all steps either succeed or fail together. That atomic structure can reduce execution risk for developers running multi-step operations.

It also creates a new authorization boundary. In the Batch design, inner transactions are intentionally unsigned. Instead, authority is delegated to a list of batch signers attached to the outer transaction, making the signer-validation code a critical control point. If those checks fail, the ledger can treat unauthorized actions as valid.

The disclosure said the bug stemmed from a loop error in the function that validates batch signers.
When the code encountered a signer whose account did not yet exist…
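A simplified model of the authorization boundary described above, added here as an illustration: it is not XRPL or rippled code and does not reproduce the reported bug. The account names, keys, field names and the use of HMAC in place of real public-key signatures are assumptions.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC stands in for public-key signatures (assumption).
KEYS = {"alice": b"demo-key-alice", "bob": b"demo-key-bob"}


def batch_payload(inner_txs):
    # Canonical bytes over every inner transaction, so a signature binds the whole batch.
    return "|".join(f"{t['account']}:{t['action']}" for t in inner_txs).encode()


def sign(account, inner_txs):
    return hmac.new(KEYS[account], batch_payload(inner_txs), hashlib.sha256).digest()


def validate_batch(outer_account, inner_txs, batch_signers):
    """Return (ok, reason). Any signer that cannot be verified rejects the batch."""
    payload = batch_payload(inner_txs)
    verified = set()
    for signer in batch_signers:
        key = KEYS.get(signer["account"])
        if key is None:
            # No key on record: the signature cannot be checked, so fail closed.
            return False, f"unverifiable signer {signer['account']}"
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signer["signature"]):
            return False, f"bad signature for {signer['account']}"
        verified.add(signer["account"])
    # The outer account signed the outer transaction; every other inner account
    # must appear among the verified batch signers.
    missing = {t["account"] for t in inner_txs} - {outer_account} - verified
    if missing:
        return False, f"no verified signer for {sorted(missing)}"
    return True, "authorized"


# Constructed sample: alice submits the outer Batch; one inner transaction acts as bob.
INNER = [
    {"account": "alice", "action": "pay bob 10"},
    {"account": "bob", "action": "pay alice 5"},
]

if __name__ == "__main__":
    good = [{"account": "bob", "signature": sign("bob", INNER)}]
    forged = [{"account": "bob", "signature": sign("alice", INNER)}]
    for label, signers in (("signed by bob", good), ("no signers", []), ("forged", forged)):
        print(label, "->", validate_batch("alice", INNER, signers))
```

The check is deliberately fail-closed: the batch is authorized only after the loop has verified every listed signer and every non-outer inner account is covered.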
Filed under: News - @ February 28, 2026 9:25 am