An autonomous AI security tool detected a bug in the XRP Ledger that, if left undetected, could have allowed an attacker to steal funds from any account on the network without even touching the victim’s private keys.
The vulnerability, disclosed Thursday by XRPL Labs, was in the signature validation logic of the Batch amendment, a pending update that would allow multiple transactions to be grouped and executed together.
The amendment was still in its voting phase among validators and had not been activated on the mainnet, meaning no funds were at risk. But the path of exploitation was as bad as that of a blockchain.
This is what the error did in layman’s terms. Batch transactions allow users to group multiple operations into one. Because individual transactions within the batch do not carry their own signatures, the system relies on a list of signers in the batch to confirm that all accounts involved have authorized the package.
The validation function that verified those signers had a critical loop error. If it found a signer whose account did not yet exist in the ledger and whose signing key matched its own account (the normal case for a new account), it immediately declared the entire verification successful and stopped looking at the rest of the list.
An attacker could take advantage of this by constructing a batch with three transactions. The first creates a new account that the attacker controls. The second is a simple transaction from that new account, making it a required signatory. The third is a payment from the victim’s account to the attacker.
Because the new account does not yet exist when validation is run, signer verification exits early after the first entry and never verifies the second. The victim’s funds are moved without their keys being involved.
Pranamya Keshkamat and Cantina AI’s autonomous security tool Apex identified the flaw through a static analysis of the codebase on February 19 and submitted a responsible disclosure. Ripple’s engineering team validated the report that same night with an independent proof of concept.
The response was quick. Validators of the network’s Single Node List were immediately recommended to vote “No” on the amendment.
An emergency release, rippled 3.1.1, was released on February 23, marking both the bundle and related fixBatchInnerSigs amendments as unsupported to prevent them from being activated. A fixed replacement called BatchV1_1 has been created and is under review, with no release date set.
The fact that an AI tool discovered this is notable in itself.
XRPL Labs said it would add AI-assisted code audit pipelines as a standard step in its review process in the future, along with expanded static analysis specifically designed to detect the type of premature loop exits that caused this error.
