XRP Ledger nearly shipped a feature that could drain accounts without owners signing
Summary
A significant security vulnerability was discovered in the proposed "Batch" amendment for the XRP Ledger (XRPL), which aimed to allow users to bundle multiple actions into a single atomic transaction. Security researchers flagged the issue on February 19th, preventing it from reaching the main network.

If activated, the bug, stemming from a loop error in batch signer validation, would have allowed an attacker to execute inner transactions as if authorized by another account without needing the victim's private keys, potentially draining accounts or changing ledger settings. The flaw exploited a condition where the validation loop prematurely succeeded if it encountered a signer for an account that had not yet been created on the ledger. This allowed an attacker to bypass validation checks for a forged signer entry.

The XRPL Foundation responded swiftly by advising trusted validators (UNL) to vote "No" on the amendment and issuing an emergency release (rippled 3.1.1) to block the amendment path. This incident occurred while XRPL is aggressively pursuing institutional adoption for tokenization and compliance-sensitive activities, making the security failure particularly damaging to its reputation. A corrected replacement, BatchV1_1, is now under review, and the incident highlights the increased importance of rigorous validation checks as XRPL expands its feature set for regulated finance.
(Source: CryptoSlate)
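
The loop flaw described in the summary, reduced to a constructed C++ model with the flawed and corrected shapes side by side and a regression input that separates them. This is an added example, not rippled's code: the types, function names, account labels and the rule applied to uncreated accounts are all assumptions.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Constructed model, not rippled code: every name below is hypothetical.
struct SignerEntry {
    std::string account;  // account this entry claims to authorize
    std::string key;      // key that actually produced the signature
};
using Ledger = std::map<std::string, std::string>;  // existing account -> its signing key

// Assumed rule for an account not yet on the ledger: only its own key counts.
static bool uncreatedEntryOk(const SignerEntry& e) { return e.key == e.account; }

// Flawed shape: the first entry for an uncreated account ends the loop with
// success, so entries after it are never checked.
bool validateFlawed(const Ledger& l, const std::vector<SignerEntry>& signers) {
    for (const auto& e : signers) {
        auto it = l.find(e.account);
        if (it == l.end()) return true;  // premature success
        if (it->second != e.key) return false;
    }
    return true;
}

// Corrected shape: each entry must pass its own check; success only after the last.
bool validateFixed(const Ledger& l, const std::vector<SignerEntry>& signers) {
    for (const auto& e : signers) {
        auto it = l.find(e.account);
        bool ok = (it == l.end()) ? uncreatedEntryOk(e) : it->second == e.key;
        if (!ok) return false;
    }
    return true;
}

// Constructed regression input: a valid entry for an uncreated account,
// followed by an entry for an existing account signed with the wrong key.
std::vector<SignerEntry> regressionSigners() {
    return {{"acctNew", "acctNew"}, {"acctExisting", "wrongKey"}};
}
Ledger sampleLedger() { return {{"acctExisting", "existingKey"}}; }

int main() {
    std::cout << "flawed accepts: " << validateFlawed(sampleLedger(), regressionSigners())
              << ", fixed accepts: " << validateFixed(sampleLedger(), regressionSigners()) << "\n";
}
```

A validator test suite should keep an input of this shape as a permanent regression case: any signer loop that can return success before its last entry accepts it.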