Prepared by:
HALBORN
Last Updated 09/30/2025
Date of Engagement: July 21st, 2025 - August 5th, 2025
100% of all REPORTED Findings have been addressed
All findings
5
Critical
0
High
2
Medium
1
Low
0
Informational
2
XRPL Foundation engaged Halborn to perform a focused security assessment with particular attention on the new XLS-82d feature set. The review ran from 21 July 2025 to 5 August 2025. The scope, of engagement can be obtained from the scope section.
The XRPL (XRP Ledger) is a decentralised network supporting payments, tokenisation and now, via XLS-82d, native AMM pools. XLS-33 introduces MPTokens fungible assets that can be transferred without establishing trust-lines. These upgrades aim to broaden DeFi capabilities while maintaining XRPL’s guarantees of safety, determinism and low-latency settlement.
Halborn assigned one full-time senior security engineer with deep expertise in C++ ledger code, consensus protocols and DeFi primitives. The objective was to:
• Verify that AMM and MPT logic enforce the intended business rules
• Uncover vulnerabilities that could lead to fund loss, state corruption or denial of service
During the engagement Halborn identified three previously unknown denial-of-service vectors, all enabled by the “trust-line-free” nature of MPTokens:
1. Unsolicited MPToken can permanently freeze an AMM pool (blocks last-LP withdrawal, claw-back and deletion).
2. A single MPToken prevents an account from ever being deleted.
3. A single MPToken blocks an issuer from enabling RequireAuth or AllowTrustLineClawback in AccountSet.
Each issue is low cost to exploit (one standard transaction fee) and requires no permissions. Full details and remediation guidance are provided in the Findings section.
Halborn followed its standard hybrid methodology:
• Architectural review of AMM/MPT amendments and transaction flow
• Manual source-code inspection of C++ ledger logic (owner-directory handling, flag gating, AMM helpers)
• Differential analysis against pre-amendment behaviour
• Custom fuzz utilities for unsolicited MPToken injection
• Reproduction in a private XRPL test-net built from the audited commit
Static tools (clang-tidy, cppcheck) and the project’s own unit-test suite complemented the manual work, but the vulnerabilities discovered were logic-level and surfaced only through directed testing.
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
2
Medium
1
Low
0
Informational
2
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| std::sort Without Strict Weak Ordering in compareAccountCandidate | High | Solved - 07/31/2025 |
| AccountSet Flag-Change DoS via MPToken | High | Not Applicable - 08/05/2025 |
| Unsolicited MPToken Makes Any Account Permanently Undeletable | Medium | Not Applicable - 08/05/2025 |
| MPT Flags With canClawback & canTrade in DEX | Informational | Solved - 07/31/2025 |
| MPTAmount stability check may trigger division by zero | Informational | Solved - 08/05/2025 |
//High
//High
//Medium
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
MPT DEX
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
