The headline event this week was the release of rippled 3.1.1, a hotfix that disables the Batch (XLS-56) and fixBatchInnerSigs amendments following the disclosure of a critical signature-validation bug. On the developer portal (xrpl-dev-portal), a high-volume documentation week saw the tutorials landing page overhauled, a component library refactored across 121 files, and Batch/fixBatchInnerSigs marked as obsolete on the Known Amendments page. In XRPL-Standards, the Lending Protocol spec (XLS-66) was merged to the repository, and the server_definitions enhancement spec was formally assigned XLS-97.
The biggest news this week is the release of rippled version 3.1.1 (rippled is the main software that runs XRP Ledger nodes). This was an emergency hotfix in response to a security bug discovered on February 19 in a feature called "Batch" — a planned upgrade that would have let users bundle multiple transactions together into one. Researchers found that Batch's security checks had a flaw: an attacker could have tricked the network into executing transactions on behalf of other people's accounts without needing their private keys. Because Batch had not yet been activated on the main network, no actual funds were at risk. Rippled 3.1.1 switches both Batch and its related fix off entirely, preventing them from ever activating until the problem is properly fixed. A corrected version is being developed but has no release date yet. If you run an XRP Ledger node or validator, you should upgrade to 3.1.1 now. The test environment called Devnet was also reset on March 3 to avoid it getting stuck — developers with test accounts there will need to re-create them.
It was also a busy week for the XRP Ledger developer website (xrpl-dev-portal). The tutorials section got a major redesign: the landing page now automatically organizes tutorials by category and shows which programming languages each tutorial supports. A new tab-syncing feature means that if you choose "Python" in one code sample, all other code samples on the page — and on future pages you visit — will automatically switch to Python too. On the standards side, the formal specification document for the Lending Protocol (XLS-66) was added to the XRPL Standards repository, and a new spec number (XLS-97) was assigned for improvements to how nodes report their supported features. The Python SDK (xrpl-py) also dropped support for Python 3.8, which reached end-of-life last year — developers using xrpl-py should be on Python 3.9 or newer.
For more details, check the release notes at xrpl.org/blog/2026/rippled-3.1.1 and the full vulnerability disclosure at xrpl.org/blog/2026/vulnerabilitydisclosurereport-bug-feb2026. Follow @XRPLF and @RippleXDev on X for ongoing updates.
rippled 3.1.1 released — The week's most significant event: version 3.1.1 of the reference server is now available. This hotfix marks both the Batch (XLS-56) and fixBatchInnerSigs amendments as Supported::no, preventing them from activating on any network. The release followed the February 26 public vulnerability disclosure report, which confirmed that a logic flaw in Batch's signature-validation code could have allowed an attacker to execute inner transactions on behalf of arbitrary victim accounts — including unauthorized fund transfers — without their private keys. The amendment was in its voting phase and had not activated on mainnet; no funds were at risk. A corrected replacement (BatchV1_1) is under development with no release date set. Validators and node operators should upgrade to 3.1.1. The Devnet reset scheduled for March 3 is required to prevent validators running 3.1.1 from becoming amendment-blocked. Release: rippled 3.1.1 | Blog: xrpl.org/blog/2026/rippled-3.1.1 | Disclosure: xrpl.org/blog/2026/vulnerabilitydisclosurereport-bug-feb2026
The hotfix changes were also cherry-picked back into develop via rippled#6417 so they are included in the next major release.
Explicit heap trimming after cache sweeps (rippled#6022, +442 lines) — Merges a MallocTrim helper into libxrpl that calls malloc_trim(0) on Linux/glibc immediately after cache sweeps, returning unused heap pages to the OS. Approved by 2 reviewers. This addresses memory growth observed in long-running nodes on Linux. The author notes internal testing on mainnet and a blog post with results is in preparation. Non-Linux builds are unaffected (the helper compiles to a no-op).
InvariantCheck modularization (rippled#6440, +4,423/−4,220 across 23 files) — Splits the monolithic InvariantCheck.h/.cpp (4,200+ lines, 24 checker classes) into 10 focused header/source pairs under a new invariants/ subdirectory, with a shared InvariantCheckPrivilege.h. Approved by 2 reviewers. Makes invariant checker code significantly easier to navigate and extend.
WASM module reuse disabled (rippled#6364, +442/−1,855 across 21 files) — Removes WASM module-reuse functionality from release builds; the feature is retained only for performance testing. Removes a substantial amount of code.
Database key type cleanup (rippled#6313, +34/−45 across 9 files) — Replaces void const* with uint256 const& in database fetch functions, eliminating a redundant pointer conversion. Approved by 3 reviewers.
VaultDelete gains optional memo field (rippled#6356, +80/−16 across 3 files) — Adds an optional sfMemoData field to VaultDelete transactions to record the reason for deletion. Linked to the Single Asset Vault spec (XLS-65). Approved by 1 reviewer.
Hashing update for an in-development feature (rippled#6444, +50/−67 across 8 files) — Updates the transaction hash formula and adds ticket support for an in-development feature branch.
Number scale helper refactor (rippled#6384, +70/−74 across 8 files) — Replaces a Number::scale member template with a simpler free function numberScale used across vault and lending call sites.
WASM invalid opcode unit tests (rippled#6392, +626 lines) — 626 lines of new unit tests for invalid WASM opcodes. Approved by 1 reviewer.
WASM parameter unit tests (rippled#6413, +54 lines) — Additional unit tests for WASM function parameters.
Nix development environment (rippled#6314, +318 lines) — Adds a Nix flake and devshell for reproducible development environments. The .envrc was removed after reviewer feedback to avoid conflicts with existing direnv setups.
Nix hook made optional (rippled#6431) — Makes the Nix pre-commit hook optional locally while keeping it enforced in GitHub Actions CI, so developers without Nix installed can still run pre-commit hooks.
clang-tidy improvements (rippled#6414, +192/−152) — Enables additional clang-tidy checks that previously had no issues and updates documentation for running them. Approved by 1 reviewer.
CI error grep (rippled#6339) — Adjusts CI test output to make errors easier to spot without scrolling through thousands of log lines.
macOS CI cleanup (rippled#6412) — Updates workspace cleanup action to remove stale .conan2 directories on macOS CI runners.
Vulnerability disclosure published (xrpl-dev-portal#3521) — Adds the February 2026 vulnerability disclosure report to the developer portal.
Batch marked obsolete on Known Amendments page (xrpl-dev-portal#3522) — Updates the Known Amendments page to mark Batch and fixBatchInnerSigs as obsolete. Also replaces Batch usage in lending setup scripts with Tickets, since Batch is disabled on Devnet.
SAV tutorial setup scripts updated (xrpl-dev-portal#3519) — Replaces Batch usage in Single Asset Vault tutorial setup scripts with Tickets; also adds the missing amendment status badge to the Batch concept doc.
Tutorials landing page overhauled (xrpl-dev-portal#3509, +639/−86 across 18 files) — Replaces the flat index.md with a dynamic index.page.tsx that shows tutorials in categories with language icons auto-detected from code tabs. Approved by maintainer.
Tab syncing across pages (xrpl-dev-portal#3516, +211 lines) — Replaces the default Redocly Tabs component with a custom implementation that syncs language tabs across all tabs on a page and saves the user's language preference in local storage.
Component library refactored (xrpl-dev-portal#3510, +1,328/−894 across 121 files) — Major restructuring of the XRPL Design System component library; introduces 3 new components (CalloutMediaBanner, Video, SectionHeader), moves components from patterns/ to sections/, and adds accessibility improvements.
Tutorial redirect additions (xrpl-dev-portal#3512, +332/−89) — Adds redirects from old tutorial URLs to new post-IAv4 restructuring URLs.
3.1.1 blog post added (xrpl-dev-portal#3511) — Publishes the rippled 3.1.1 release announcement to the developer portal.
Bitget Wallet added to Use Cases page (xrpl-dev-portal#3489) — Adds Bitget Wallet to the XRP and Use Cases pages.
Lending spec links and DestinationTag (xrpl-dev-portal#3527) — Updates links to the lending spec and adds DestinationTag documentation.
XLS-66 Lending Protocol spec merged (XRPL-Standards#240, +2,810 lines) — The full draft specification for the Lending Protocol (XLS-66) is now in the standards repository. Merging here is not endorsement of a finished spec; it is a draft milestone.
XLS-97 assigned: server_definitions enhancements (XRPL-Standards#464, +6,983 lines) — A new spec document for enhancements to the server_definitions RPC is now in the standards repository and was assigned XLS-97. Approved by 2 reviewers.
Stale discussion automation fixes (XRPL-Standards#481, #478) — Fixes two bugs in the XLS automation: stale discussions were not closing after 30 days, and the XLS number assignment bot was always returning 96 instead of the correct next number.
xrpl-py drops Python 3.8 support (xrpl-py#917, −614 lines net) — The Python SDK (xrpl-py) now requires Python 3.9 or later. Python 3.8 reached end-of-life in October 2024 and no longer receives security updates. This is a breaking change for users still on Python 3.8.
xrpl4j CI fix (xrpl4j#709) — Updates the Java SDK (xrpl4j) CI to use rippleci/rippled:develop and the correct xrpld entrypoint, fixing integration test failures caused by a recent Docker image change.
xrpl.js missing type fields (xrpl.js#3217, +633/−9 across 13 files) — Adds missing fields to request/response types including pagination fields on NFT offer endpoints and AMM info. Has outstanding comments from reviewers requesting linter and integration test fixes; not yet approved.
xrpl.js MPT-DEX support (xrpl.js#3214, +2,363/−71 across 40 files) — Implements XLS-82 MPT-DEX support in the JavaScript SDK, including transaction/request model updates and integration tests. Active development; reviews paused by CodeRabbit due to influx of changes.
xrpl.js Confidential Transfers for MPTs (xrpl.js#3215, +1,177 lines) — Draft PR adding Confidential MPT transfer support to the JavaScript SDK. Draft status indicates early/exploratory stage.
xrpl4j XLS-82 MPT-DEX support (xrpl4j#704, +4,557/−197 across 45 files) — Implements XLS-82 MPT-DEX support in the Java SDK (xrpl4j). Under active review (9 reviews recorded).
xrpl4j release process documentation (xrpl4j#705, +132 lines) — Documents the manual release process for xrpl4j artifacts. Under active review (7 reviews).
XLS-87 Token Pre-Authorization draft (XRPL-Standards#480, +417 lines) — New XLS draft for Token Pre-Authorization, ported from discussion #258. No reviews yet.
Lending Protocol: Vault share pricing logic (XRPL-Standards#485) — Proposes adding an InterestUnrealized field to the Vault ledger entry for cash-basis share valuation. Has outstanding change requests from a core team reviewer.
Lending Protocol: PermissionedDomain for LoanBroker (XRPL-Standards#484) — Adds access control to the Lending Protocol via Permissioned Domains. Approved by 1 core team reviewer.
XLS-standards: close discussions on merge (XRPL-Standards#482) — Infrastructure PR to auto-close linked discussions when a spec PR is merged. No reviews yet.
XLS-standards: require maintainer approval before assigning XLS numbers (XRPL-Standards#483) — Governance improvement to prevent anyone from triggering XLS number assignment without maintainer sign-off. Under copilot review.
Developer portal feedback widget (xrpl-dev-portal#3526) — Adds a feedback scale widget to portal pages. Has a minor CSS conflict to resolve before merging.
dangell7/batch-v1 branch (9 commits ahead of develop) tracks the corrected replacement for the disabled Batch amendment. No PR is open yet, but this is the path forward for re-enabling batch transaction support on the network. Worth watching for a PR to open.Batch vulnerability disclosure — The full public disclosure (xrpl.org/blog/2026/vulnerabilitydisclosurereport-bug-feb2026) was published February 26, crediting Pranamya Keshkamat and Cantina AI for identifying the flaw on February 19. The report explains the logic error in Batch's signature validation and the sequence of emergency actions taken.
Trust-line eligibility verification discussion (xrpl.js#3219) — A community member proposed a pattern for standardizing trust-line eligibility verification for commerce use cases (e.g., checking RLUSD balances for merchant payments). The discussion covers handling frozen trust lines, negative balances, and signed attestation objects. Community members noted that existing xrpl.js primitives (account_lines) already cover most of the needed surface area.
Online delete and disk I/O issue (rippled#6202) — A community member's issue about excessive disk load from the online_delete rotation cycle was closed this week with a detailed explanation from a core team member of how the two-NuDB-directory rotation system works and its tradeoffs for validators vs. archival nodes. The XRPL Validator Dashboard community resource was also updated to reflect this tuning guidance.
xrpl4j refactor PR (xrpl4j#707) — A first-time contributor opened a PR to alphabetically sort the large if/else if chains in SignatureUtils, improving readability and reducing merge conflicts when new transaction types are added. The PR is awaiting maintainer review.
AMMClawback documentation gap (xrpl-dev-portal#3520) — A contributor flagged that the AMMClawback documentation implies the asset field accepts XRP, but the implementation rejects it with temMALFORMED. A docs fix is needed.
Account deletion docs need update (xrpl-dev-portal#3525) — A core team member opened an issue noting the account deletion requirement docs are out of sync with the current implementation, particularly around NFT issuer restrictions.
| Metric | Count |
| Repos with activity | 7 |
| rippled PRs merged | 16 |
| rippled PRs opened | 0 (tracked above) |
| rippled commits | 10 |
| xrpl-dev-portal PRs merged | 10 |
| xrpl-dev-portal PRs opened | 4 |
| xrpl-dev-portal commits | 63 |
| xrpl.js PRs merged | 1 |
| xrpl.js PRs opened | 3 |
| xrpl.js commits | 1 |
| xrpl-py PRs merged | 3 |
| xrpl-py commits | 3 |
| XRPL-Standards PRs merged | 4 |
| XRPL-Standards PRs opened | 5 |
| XRPL-Standards commits | 4 |
| xrpl4j PRs merged | 1 |
| xrpl4j PRs opened | 3 |
| xrpl4j commits | 1 |
| clio PRs merged | 6 |
| clio commits | 6 |
| Releases | 1 (rippled 3.1.1) |
| New XLS specs assigned | 1 (XLS-97) |