An autonomous AI security tool caught a bug in the XRP Ledger that, if left undetected, could have let an attacker steal funds from any account on the network without ever touching the victim’s private keys.
The vulnerability, disclosed Thursday by XRPL Labs, sat in the signature-validation logic of the Batch amendment, a pending upgrade that would allow multiple transactions to be bundled and executed together.
The amendment was still in its voting phase among validators and had not been activated on mainnet, meaning no funds were ever at risk. But the exploit path was about as bad as it gets for a blockchain.
Here’s what the bug did in plain terms. Batch transactions let users bundle several operations into one. Because the individual transactions inside the batch don’t carry their own signatures, the system relies on a list of batch signers to confirm that every account involved has authorized the bundle.
The validation function that checked those signers had a critical loop error. If it encountered a signer whose account didn’t yet exist on the ledger, and whose signing key matched their own account — the normal case for a brand-new account — it immediately declared the entire check successful and stopped looking at the rest of the list.
An attacker could exploit this by constructing a batch with three transactions. The first creates a new account the attacker controls. The second is a simple transaction from that new account, making it a required signer. The third is a payment from the victim’s account to the attacker.
Because the new account doesn’t exist yet when validation runs, the signer check exits early after the first entry and never verifies the second. The victim’s funds move without their keys ever being involved.
Pranamya Keshkamat and Cantina AI’s autonomous security tool Apex identified the flaw through static analysis of the codebase on Feb. 19 and submitted a responsible disclosure. Ripple’s engineering team validated the report the same evening with an independent proof-of-concept.
The response was fast. Validators on the network’s Unique Node List were immediately advised to vote “No” on the amendment.
An emergency release, rippled 3.1.1, was published on Feb. 23, marking both the Batch and the related fixBatchInnerSigs amendments as unsupported to prevent them from ever activating. A corrected replacement called BatchV1_1 has been built and is under review, with no release date set.
The fact that an AI tool found this is notable on its own.
XRPL Labs said it would add AI-assisted code audit pipelines as a standard step in its review process going forward, alongside expanded static analysis specifically designed to catch the kind of premature loop exits that caused this bug.
