NFTs On XRP Ledger (XRPL) Delayed As New Bug Comes To Light

Key stakeholders suspend votes on the XLS-20 proposal as a new bug is revealed.

The launch of NFTs on the XRPL has hit a snag, as xTokenize announced in a tweet earlier today that they found a bug that could max out a minters XRP reserve.

Over the past few days, we have conceptualized and tested an exploit on #XLS20d #NFTs that were minted using the Trustline flag with a TransferFee > 0.

?https://t.co/w2POv8unPX

— xTokenize (@xTokenize) September 12, 2022

“NFTs Utilizing Flag 12/13 on NFTokenMint Tx’s with a Transfer Fee >0 are susceptible to spam trust lines and an increase in their reserve requirement while also allowing a currency issuer to create infinite currencies for no cost or reserve requirement,” xTokenize wrote in the Github documentation.

At first, developers believed that such an attack would be too expensive to pull off. However, after rigorous testing, evidence shows that the attack will cost nothing but transaction fees.

In response, Alloy Networks, an XRPL validator, has said it will veto the XLS-20 amendment proposal until the bug is fixed. Additionally, XRPL lead developer WietseWind said he would remove the XRPL Labs support until the issue is addressed.

After reviewing the report by (@xTokenize – THANK YOU!) I feel the NFT amendment needs a (small) change.

I will remove support for the XLS20 amendment on our @XRPLLabs validator, and add support again if this issue has been addressed.

Slow and steady wins the race.

— WietseWind – ? XUMM @ XRPL Labs (@WietseWind) September 11, 2022

The development is a blow to XRP users, who expected the XLS-20 proposal to be implemented soon as validator voting had kicked off. However, analysis from Combat Kanga shows that the delay will take a month in the best case and two and half months in the worst case. According to Combat Kanga, while the bug fix is simple, it will take a lot of time for validators to complete tests before resuming voting.

Code update. Best 1 day, worst 7

Release updated code. Best 1 day, worst 7

Update validators. Best 1-2 weeks, worst 1-2 months

Best and worst estimate for xls 20 going live..

Best: 1 month
Worst: 2.5 months..

— Combat Kanga (@CombatKanga) September 12, 2022

It bears mentioning that Ripple engineer Nik Bougalis first published XLS-20 in 2021 to activate native NFT functionality. In January this year, the network launched a development network for NFT research. Notably, in July, as reported by The Crypto Basic, Ripple developers expressed confidence in supporting the proposal after test completion. Then in August, XRPL Labs voted in favor of the proposal.

Despite the news of the latest delay, XRP faithful will be pleased to know that NFT projects remain committed to launching on the network. XWhales, a project which plans to launch 11,110 unique whale NFTs on the blockchain, in response to the news, said it remains ready to launch once the proposal is implemented.

It is very saddening news that XLS-20D got pushed back more due to finding an exploit…but the network needs to be critically secure before XLS-20D gets amended in, but we just want everyone to know Xwhales is ready whenever XLS-20D is live!! #XRPCommunity @XRP_community #XRPL pic.twitter.com/PTl0NU8lUY

— XWhales Official (@Xwhales21) September 12, 2022