AI tool catches bugs that could have drained Ripple-linked token from wallets

An autonomous AI security tool caught a flaw in the XRP Ledger that, if undetected, could have allowed an attacker to steal funds from any account on the network without ever touching the victim’s private keys.

The vulnerability, disclosed Thursday by XRPL Labs, was in the signature validation logic of the Batch extension, a pending upgrade that would allow multiple transactions to be bundled and executed together.

The change was still in its voting phase among validators and had not been activated on the mainnet, meaning no funds were ever at risk. But the exploitation path was about as bad as it gets for a blockchain.

Here’s what the bug did in layman’s terms. Batch transactions allow users to combine multiple operations into one. Because the individual transactions inside the batch do not carry their own signatures, the system relies on a list of batch signers to verify that each account involved has approved the batch.

The validation function that checked these signers had a critical loop error. If it encountered a signer whose account did not yet exist on the ledger and whose signing key matched their own account—the normal case for a brand new account—it immediately declared the entire check successful and stopped looking at the rest of the list.

An attacker could exploit this by constructing a batch of three transactions. The first creates a new account that the attacker controls. The second is a simple transaction from the new account, making it a required signer. The third is a payment from the victim’s account to the attacker.

Because the new account does not yet exist when the validation runs, the signer check exits early after the first entry and never verifies the second. The victim’s money moves without their keys ever being involved.
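The premature loop exit described above, modelled as an added example in C++ (this is not rippled's code; the signer check, the ledger, the account names and the `signatureVerifies` flag standing in for real signature verification are all constructed here). The vulnerable function returns success the moment it meets a not-yet-existing account signing with its own key; the corrected function keeps walking the list and only succeeds once every account the batch spends from has a verified signer.

```cpp
// Added example, not rippled's code: a simplified model of the batch-signer check.
#include <algorithm>
#include <set>
#include <string>
#include <vector>

// One entry of the batch signer list. Assumption: a brand new account can only
// sign with its master key, modelled here as a signing key equal to the account id.
struct BatchSigner {
    std::string account;
    std::string signingKey;
    bool signatureVerifies;  // stand-in for real signature verification (constructed)
};

struct InnerTx {
    std::string account;  // account the inner transaction spends from
};

// Accounts (other than the batch submitter) whose approval the batch needs.
static std::set<std::string> requiredSigners(const std::vector<InnerTx>& inner,
                                             const std::string& submitter) {
    std::set<std::string> required;
    for (const auto& tx : inner)
        if (tx.account != submitter) required.insert(tx.account);
    return required;
}

// Vulnerable check: a not-yet-existing account signing with its own key makes
// the whole check succeed immediately, before the remaining signers and the
// required-signer coverage are ever examined.
bool checkBatchSignersVulnerable(const std::set<std::string>& ledger,
                                 const std::vector<BatchSigner>& signers,
                                 const std::vector<InnerTx>& inner,
                                 const std::string& submitter) {
    const auto required = requiredSigners(inner, submitter);
    std::set<std::string> verified;
    for (const auto& s : signers) {
        if (!ledger.count(s.account) && s.signingKey == s.account)
            return true;  // BUG: early success; rest of the list is never checked
        if (!s.signatureVerifies) return false;
        verified.insert(s.account);
    }
    return std::includes(verified.begin(), verified.end(),
                         required.begin(), required.end());
}

// Fixed check: the new-account case is validated like any other and the loop
// continues; success is declared only when every required account is covered.
bool checkBatchSignersFixed(const std::set<std::string>& ledger,
                            const std::vector<BatchSigner>& signers,
                            const std::vector<InnerTx>& inner,
                            const std::string& submitter) {
    const auto required = requiredSigners(inner, submitter);
    std::set<std::string> verified;
    for (const auto& s : signers) {
        if (!ledger.count(s.account) && s.signingKey != s.account)
            return false;  // a fresh account may only sign with its master key
        if (!s.signatureVerifies) return false;
        verified.insert(s.account);  // keep going with the next signer
    }
    return std::includes(verified.begin(), verified.end(),
                         required.begin(), required.end());
}

// Constructed ledger state and the three-transaction batch from the article.
static const std::set<std::string> kLedger = {"rVictim", "rAttacker", "rAlice"};
static const std::vector<InnerTx> kAttackBatch = {
    {"rAttacker"},    // 1: account creation funded by the attacker
    {"rNewAccount"},  // 2: trivial tx from the new account, making it a signer
    {"rVictim"},      // 3: payment from the victim to the attacker
};
static const std::vector<BatchSigner> kAttackSigners = {
    {"rNewAccount", "rNewAccount", true},  // the only signature the attacker holds
};

bool attackPassesVulnerableCheck() {
    return checkBatchSignersVulnerable(kLedger, kAttackSigners, kAttackBatch, "rAttacker");
}

bool attackPassesFixedCheck() {
    return checkBatchSignersFixed(kLedger, kAttackSigners, kAttackBatch, "rAttacker");
}

// An honest batch that creates a fresh account and spends from it must still pass.
bool honestFreshAccountPassesFixedCheck() {
    const std::vector<InnerTx> batch = {{"rAlice"}, {"rNewAccount"}};
    const std::vector<BatchSigner> signers = {{"rNewAccount", "rNewAccount", true}};
    return checkBatchSignersFixed(kLedger, signers, batch, "rAlice");
}
```

The detection-oriented lesson is in the shape of the loop: a `return` of the success value from inside a loop over a list that must be checked in full is the pattern the article says XRPL Labs will now target with static analysis, and the fix is to accumulate what has been verified and compare it against what is required only after the loop ends.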

Pranamya Keshkamat and Cantina AI’s autonomous security tool Apex identified the flaw through static analysis of the codebase on February 19 and submitted a responsible disclosure. Ripple’s engineering team validated the report that evening with an independent proof-of-concept.

The response was quick. Validators on the network’s Unique Node List were immediately advised to vote “No” to the change.

An emergency release, version 3.1.1, was published on February 23, marking both the Batch and the related fixBatchInnerSigs amendments as unsupported so that they can never be activated. A fixed replacement called BatchV1_1 has been built and is under review, with no release date given.

The fact that an AI tool found this is remarkable in itself.

XRPL Labs said it would add AI-assisted code review pipelines as a standard step in its review process going forward, along with extended static analysis specifically designed to catch the kind of premature loop exits that caused this bug.
