An autonomous AI security tool detected a bug in the XRP Ledger that, had it gone undetected, could have allowed an attacker to steal funds from any account on the network without ever touching the victim's private keys.
The vulnerability, revealed Thursday by XRPL Labs, resided in the signature validation logic of the Batch Amendment, a pending upgrade that would allow multiple transactions to be batched and executed together.
The amendment was still in the voting phase among validators and had not been activated on mainnet, so no funds were ever at risk. But the attack path was about as bad as it gets for a blockchain: an unauthorized transfer out of any account, with no key compromise required.
Here’s what the bug did in simple terms. Batch transactions allow users to group multiple operations into one. Because individual transactions within the batch do not carry their own signature, the system relies on a list of batch signers to confirm that each account involved authorized the batch.
The validation function that checked these signers had a critical loop error. If it encountered a signer whose account did not yet exist in the ledger and whose signing key matched the account itself (the normal case for a brand-new account, whose ID is derived from its master key), it immediately declared the entire check successful and stopped looking at the rest of the list.
An attacker could exploit this by creating a batch of three transactions. The first creates a new account controlled by the attacker. The second is a trivial transaction from that new account, which makes the new account a required batch signer. The third is a payment from the victim's account to the attacker.
Because the new account does not yet exist at the time of validation, signer verification ends early after the first entry and never checks the second, the victim's. The victim's funds move without the victim's keys ever being involved.
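To make the loop error concrete, here is an added toy model in C++ (the language rippled is written in) of the signer check as the article describes it, with the vulnerable loop beside a corrected one. It is not XRPL's code: the type names, the string-equality stand-in for "signing key matches the account", the `signatureValid` flag standing in for real signature verification, and the sample accounts are all assumptions of the model.

```cpp
#include <set>
#include <string>
#include <vector>

// Toy model of the batch-signer check described above; NOT rippled's code.
// Accounts and keys are plain strings, and signature verification is a flag.
using AccountID = std::string;
using PublicKey = std::string;

struct BatchSigner {
    AccountID account;
    PublicKey signingPubKey;
    bool      signatureValid;   // outcome of verifying this signer's signature
};

struct Ledger {
    std::set<AccountID> accounts;
    bool exists(const AccountID& a) const { return accounts.count(a) != 0; }
};

// Assumption: a brand-new account's ID is derived from its master key, so the
// "signing key matches the account" case is modelled as string equality.
static bool keyMatchesAccount(const BatchSigner& s) {
    return s.signingPubKey == s.account;
}

// Every account that appears inside the batch must be represented by a signer
// that passed verification. Both versions are meant to end with this check.
static bool allRequiredCovered(const std::set<AccountID>& required,
                               const std::set<AccountID>& verified) {
    for (const auto& a : required)
        if (verified.count(a) == 0) return false;
    return true;
}

// VULNERABLE: the brand-new-account branch returns success for the whole list.
bool checkBatchSignersVulnerable(const Ledger& ledger,
                                 const std::set<AccountID>& required,
                                 const std::vector<BatchSigner>& signers) {
    std::set<AccountID> verified;
    for (const auto& s : signers) {
        if (!ledger.exists(s.account)) {
            if (keyMatchesAccount(s))
                return true;            // BUG: stops looking at the rest of the list
            return false;
        }
        if (!s.signatureValid) return false;
        verified.insert(s.account);
    }
    return allRequiredCovered(required, verified);
}

// FIXED: the brand-new-account case only decides how to treat THIS signer;
// its signature is still verified and the loop continues to the next entry.
bool checkBatchSignersFixed(const Ledger& ledger,
                            const std::set<AccountID>& required,
                            const std::vector<BatchSigner>& signers) {
    std::set<AccountID> verified;
    for (const auto& s : signers) {
        if (!ledger.exists(s.account) && !keyMatchesAccount(s))
            return false;   // no ledger entry and not the master key: cannot authorise
        if (!s.signatureValid) return false;
        verified.insert(s.account);
    }
    return allRequiredCovered(required, verified);
}

// Constructed sample data for the three-transaction batch from the article:
// the attacker's not-yet-existing account is listed first, the victim second.
struct Scenario {
    Ledger ledger;
    std::set<AccountID> required;
    std::vector<BatchSigner> signers;
};

Scenario forgedBatch() {
    Scenario sc;
    sc.ledger.accounts = {"rVictim", "rAttacker"};        // rNew does not exist yet
    sc.required = {"rNew", "rVictim"};
    sc.signers = {
        {"rNew",    "rNew",       true},    // new account, key matches, attacker signs
        {"rVictim", "rVictimKey", false},   // attacker lacks the victim's key
    };
    return sc;
}

Scenario honestBatch() {
    Scenario sc = forgedBatch();
    sc.signers[1].signatureValid = true;   // the victim really did sign this batch
    return sc;
}
```

Feeding `forgedBatch()` to both functions shows the difference: the vulnerable check returns true as soon as it sees the non-existent `rNew` entry, while the fixed check reaches the victim's entry and rejects the missing signature. `honestBatch()` passes both, so the fix does not break legitimate batches. Note the order dependence of the bug: listing the victim first would make the vulnerable check fail on the bad signature, which is why the attacker's new account goes first.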
Pranamya Keshkamat and Apex, Cantina AI’s standalone security tool, identified the flaw through static analysis of the code base on February 19 and submitted a responsible disclosure. Ripple’s engineering team validated the report that same evening with an independent proof of concept.
The response was quick. Validators on the network's Unique Node List were immediately advised to vote "no" on the amendment.
An emergency release, version 3.1.1, was issued on February 23, marking both the Batch amendment and the related fixBatchInnerSigs amendment as unsupported so that neither can activate. A patched replacement called BatchV1_1 has been created and is under review, with no release date set.
The fact that an AI tool discovered this is remarkable in itself.
XRPL Labs said it will make AI-assisted code audit pipelines a standard step in its review process, alongside static analysis checks designed specifically to detect the kind of premature loop exit that caused this bug.