In rippled, 22 PRs merged to develop including Vault invariant rounding fixes (backported for 3.1.3), an AMMClawback return code correction, MPT/DEX permission fixes, a massive clang-tidy include cleaner pass touching 732 files, and the LoanPay assertion fix surfaced via the ImmuneFi attackathon. On the developer portal, the tutorials landing page v2 shipped with auto-populated sections. A sweeping security audit produced 40+ new issues in xrpl.js and 30+ in xrpl-py covering client-side validation gaps. In Clio, seven CI dependency bumps merged alongside a nightly development build.
This week was focused on stability and quality across the XRP Ledger ecosystem. The core server software (rippled) received important bug fixes for its newer features — particularly Vaults and Loans, where rounding differences between internal number formats could trigger false alarms that looked like lost funds. These fixes were backported to the upcoming 3.1.3 release branch, meaning they should reach production nodes soon. The AMMClawback feature also got a correction: previously, an unauthorized attempt to claw back tokens from an AMM would incorrectly return "success" instead of "no permission." Several other fixes addressed edge cases in MPT (Multi-Purpose Token) trading permissions and credential expiry handling.
On the tooling side, a comprehensive security review of the JavaScript SDK (xrpl.js) and the Python SDK (xrpl-py) uncovered over 70 potential issues. These range from error messages accidentally including private key material (which could end up in log files), to a comparison function that skips checking the last byte of data, to various missing input validations. Most are low severity and wouldn't cause problems in typical usage, but they represent important hardening work. Fix PRs are already being submitted. For developers using these libraries, no immediate action is needed, but upgrades will be recommended as fixes ship.
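The skipped-last-byte comparison finding mentioned above, shown as an added illustration that is not code from xrpl.js or from the audit. All function names and sample bytes are constructed; the flawed loop only demonstrates the bug class, next to a corrected form and a positional regression check that catches it.

```javascript
// Constructed illustration of the bug class; not the xrpl.js source.
// Lexicographic byte comparison that stops one byte early.
function compareSkipsLastByte(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n - 1; i++) { // off-by-one: index n-1 is never read
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return Math.sign(a.length - b.length);
}

// Corrected form: every shared index is examined before lengths decide.
function compareBytes(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return Math.sign(a.length - b.length);
}

// Regression check: for several lengths, flip one bit at each position and
// record every position where compare() still reports the inputs as equal.
function blindPositions(compare, lengths = [1, 2, 8, 20, 32]) {
  const blind = [];
  for (const len of lengths) {
    // Constructed sample bytes; any deterministic pattern works.
    const base = Uint8Array.from({ length: len }, (_, i) => (i * 37 + 11) & 0xff);
    for (let pos = 0; pos < len; pos++) {
      const mutated = Uint8Array.from(base);
      mutated[pos] ^= 0x01;
      if (compare(base, mutated) === 0 || compare(mutated, base) === 0) {
        blind.push({ len, pos });
      }
    }
  }
  return blind;
}

console.log(blindPositions(compareSkipsLastByte)); // one entry per length, each at pos === len - 1
console.log(blindPositions(compareBytes));         // []
```

A check of this shape belongs in the test suite of any helper used to order or match hashes, account IDs, or other fixed-width fields, since typical fixtures rarely differ only in the final byte.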
The developer portal at xrpl.org got a nice upgrade: the tutorials landing page now automatically detects and lists tutorials from metadata instead of requiring manual curation, and it shows the three most recently updated tutorials in a "What's New" section. This makes it easier for developers to find the latest learning resources.
For ongoing updates, follow @XRPLF and @RippleXDev on X. Check the XRPLF GitHub repos for full activity.
Note: All rippled changes below were merged to the develop branch and are not yet live on the network. A tagged release is required for any change to reach production.
mpt-crypto SDK reducing proof sizes across Confidential MPT transactions (e.g., ConfidentialMPTSend down to 946 bytes, ConfidentialMPTConvertBack to 816 bytes). Approved by @shawnxie999 and @PeterChen13579. rippled#6859 (+146/−394, 12 files)
Delegate objects discoverable from both delegator and delegatee owner directories, mirroring the pattern used by other bidirectional ledger objects. This is part of the PermissionDelegationV1_1 amendment (not yet enabled). Approved by @PeterChen13579. rippled#6681 (+296/−36, 8 files)
--definitions flag and artifact — Adds a CLI flag to emit protocol definitions as a build artifact, useful for client libraries and tooling. Approved by @mathbunnyru. rippled#6858 (+88/−8, 5 files)
Number/STAmount scale differences. Backported to the 3.1.3 staging branch. Approved by @ximinez and @pratikmankawde. rippled#6955 (+496/−74) and rippled#6957 (+669/−173)
LoanPay "funds are conserved" assertion fix — IOU rounding when a Vault and a Loan are at significantly different scales created the appearance of lost funds. The assertion is now adjusted to account for independent truncation at storage boundaries. Includes a test case originally submitted through the ImmuneFi attackathon. Merged to both the 3.1.3 staging branch and develop. rippled#6231 (+378/−71) and rippled#6967 (+325/−43)
tesSUCCESS to tecNO_PERMISSION on AllowTrustLineClawback and NoFreeze checks. Closes rippled#6922. Approved by @yinyiqian1. rippled#6946 (+20/−14)
canTrade → canTransfer in CheckCreate/Cash), changed tecFROZEN to tecLOCKED for locked MPT, fixed double adjustOwnerCount in AMMWithdraw, and added MPT to the ValidAMM invariant. rippled#6855 (+681/−252, 19 files)
sfAdditionalBooks in the hybrid offer invariant. rippled#6716 (+153/−8)
visitEntry. Labeled Amendment. Approved by @vlntb. rippled#6609 (+209/−47, 10 files)
get_aggregate_price — Adds a deduplication check to prevent the same oracle from being counted multiple times in aggregate price calculations. Closes rippled#6583. Approved by @gregtatcam. Submitted by community member @mvanhorn. rippled#6586 (+50/−0)
sahyadri.isrdc.in from bootstrapping hubs (4% uptime over 6 months, 0% in last 3). Submitted by community member @elmurci. Approved by @Tokeiito. rippled#6956 (+0/−4)
misc-include-cleaner check across the entire codebase, automatically keeping includes tidy. Also updates clang-format to auto-detect and place the main include first. rippled#6947 (+10,449/−1,277, 732 files)
braces-around-statements, else-after-return, implicit-bool-conversion, and more. rippled#6930 (+847/−414, 152 files)
actions/upload-pages-artifact v4→v5 rippled#6927
actions/upload-artifact v7.0.0→v7.0.1 rippled#6928
.augment and .agents directories. clio#3038
actions/upload-artifact v7.0.1 (clio#3031, clio#3035), docker/build-push-action v7.1.0 (clio#3034), peter-evans/create-pull-request v8.1.1 (clio#3033), actions/upload-pages-artifact v5.0.0 (clio#3032)
nightly-20260416 published (development only, not for production).
DebtMaximum field correction — Changed from required to optional, aligning docs with the implementation. Approved by @mDuo13. xrpl-dev-portal#3504 (+1/−1)
FeatureTwoColumn responsive layout improvements (xrpl-dev-portal#3604 +282/−343), font class refactor (xrpl-dev-portal#3608), grid/text directory dark mode fixes (xrpl-dev-portal#3605 +1,575/−5,078), Gem Wallet URL fix (xrpl-dev-portal#3597)
requests 2.33.0 (xrpl-dev-portal#3555), golang.org/x/crypto 0.45.0 (xrpl-dev-portal#3535)
rippled: OverrideFreeze invariant gap (rippled#6959) — Fixes an invariant that blocks clawback on individually frozen AMM trust lines. Reviewer @mvadari noted it needs an amendment gate. Under active discussion.
rippled: LoanPay base fee cap (rippled#6970, +3/−0) — Caps the base fee for LoanPay based on loanMaximumPaymentsPerTransaction. Approved by AI reviewer but has failing unit tests that the author plans to fix.
rippled: Post-quantum key/signature size tests (rippled#6971, +332/−0) — Community member @favsidv added 10 test cases verifying rippled's behavior with post-quantum key sizes (ML-DSA, Falcon, SLH-DSA). Confirms oversized keys/signatures are rejected cleanly. No crashes or undefined behavior.
rippled: Remove dead code in doLogLevel (rippled#6968) — Community member @SAY-5 removes redundant partition check. Needs commit signing before merge. Closes #6752.
Clio: libxrpl compatibility update (clio#3030, +4,759/−4,945, 221 files) — Large refactor to make Clio compatible with the newest libxrpl. No reviews yet.
Clio: VaultList for Lending Protocol (clio#2972, +1,100/−0, 7 files) — Implements the VaultList RPC for the Lending Protocol. 17 review rounds, under active development.
xrpl.js: Quarterly batch dependency upgrade Q2 2026 (xrpl.js#3271, +4,418/−3,002) — Consolidates 30 Dependabot PRs into a single upgrade. Three review rounds.
xrpl.js: Smart contracts (DO NOT MERGE) (xrpl.js#3274, +3,640/−275, 57 files) — Early exploratory draft adding Contract* transaction types and binary-codec updates. Not intended for merge yet.
xrpl.js: Default signing algorithm change (xrpl.js#3273, +145/−17) — Breaking change switching the default from secp256k1 to ed25519. Replacement for the 2-year-old xrpl.js#2658.
xrpl.js: Sponsorship (XLS-68) (xrpl.js#3238, +3,851/−34, 36 files) — Adds SponsorshipSet, SponsorshipTransfer types, and sponsor signing utilities. Under active review.
xrpl-py: Collection of bug fixes (xrpl-py#993, +124/−12) — Four fixes addressing silent data corruption and secret-material leakage. Addresses #948, #987, #992, #986.
Developer portal: Redocly 0.132.0 upgrade and cleanup (xrpl-dev-portal#3617, +812/−8,172, 58 files) — Removes unused code samples, fixes 10 broken redirects, and resolves security alerts.
Developer portal: MPT DEX Integration docs (XLS-82) (xrpl-dev-portal#3537, +562/−110, 30 files) — Updates concept and reference docs. JSON examples still need real transaction data.
XRPL-Standards: Proof naming update (XRPL-Standards#518) — Aligns Confidential Transfer spec proof names with the optimized proof PR that merged this week.
XRPL-Standards: Float host functions and versioning (XRPL-Standards#504, +308/−15) — Adds six new host functions and versioning rules. 35 review rounds, active discussion on design.
opensource.ripple.com: Sponsored Fees tutorials — Active branch sponsored-fees-tutorials with work in progress.
Massive SDK security audit — Collaborator @ckeshava conducted a comprehensive security and correctness audit, opening 40+ issues in xrpl.js and 30+ in xrpl-py. Topics range from private key material leaking in error messages (xrpl.js#3322, xrpl-py#987), to an off-by-one in compare() that skips the last byte (xrpl.js#3320), to Amount.toJSON() mutating its internal buffer (xrpl.js#3278, xrpl.js#3319). Most are rated low severity. Many include adversarial review notes explaining whether the finding is confirmed or disproved. A companion fix PR was opened for xrpl-py (xrpl-py#993).
Community contributions to rippled — Community member @mvanhorn's oracle deduplication fix (rippled#6586) merged after multiple rounds of review. Community member @elmurci submitted the bootstrapping hub removal (rippled#6956). Community member @favsidv opened post-quantum readiness tests (rippled#6971). Community member @SAY-5 contributed a dead code removal (rippled#6968).
Attackathon false positives — Eight issues filed by @TheBlondeNado exploring attack vectors across Batch, Confidential Transfers, Sponsored Fees, and Permission Delegation were all triaged as false positives by @mvadari, with detailed explanations of why each attack premise doesn't hold.
xrpl.js community PRs — Community member @slurpyone continues to contribute: APIv2 LedgerResponseExpanded type fix (xrpl.js#3209), wallet algorithm property (xrpl.js#3220), currency name conversion utilities (xrpl.js#3223), enhanced parseTransactionFlags (xrpl.js#3224), and deprecated function replacements (xrpl.js#3221).
Self-service faucet proposal — @mDuo13 proposed that xrpl.js's client.fundWallet() should auto-detect networks without a faucet and fund from the genesis account (xrpl.js#3275).
Compared to last week (April 6–12, 2026):
| Metric | This Week | Last Week | Change |
| --- | --- | --- | --- |
| Repos with activity | 7 | 8 | ↓1 |
| rippled PRs merged | 22 | 37 | ↓15 |
| rippled PRs opened | 14 | 25 | ↓11 |
| rippled commits | 10 | 13 | ↓3 |
| rippled new issues filed | 0 | 49 | ↓49 |
| xrpl-dev-portal PRs merged | 12 | 13 | ↓1 |
| xrpl-dev-portal PRs opened | 10 | 10 | flat |
| xrpl-dev-portal commits | 9 | 12 | ↓3 |
| xrpl.js PRs merged | 0 | 26 | ↓26 |
| xrpl.js PRs opened | 14 | 14 | flat |
| xrpl.js new issues filed | 40 | 0 | ↑40 |
| xrpl-py PRs merged | 0 | 1 | ↓1 |
| xrpl-py PRs opened | 3 | 4 | ↓1 |
| xrpl-py new issues filed | 30 | 0 | ↑30 |
| XRPL-Standards PRs merged | 0 | 3 | ↓3 |
| XRPL-Standards PRs opened | 3 | 2 | ↑1 |
| clio PRs merged | 7 | 2 | ↑5 |
| clio PRs opened | 2 | 2 | flat |
| clio commits | 7 | 2 | ↑5 |
| xrpl4j PRs merged | 0 | 0 | flat |
| xrpl4j PRs opened | 0 | 3 | ↓3 |
| opensource.ripple.com PRs merged | 0 | 4 | ↓4 |
| Releases | 1 | 1 | flat |
Notable carryovers: The tutorials landing page v2 (xrpl-dev-portal#3572) and the Claude Code release notes skill (xrpl-dev-portal#3574) were "In Progress" last week and merged this week. The LoanPay assertion fix (rippled#6231) and online delete pause (rippled#5531) also carried over from last week. The week was notably quieter in rippled merges (22 vs. 37) following last week's Attackathon surge. However, the massive SDK security audit shifted activity toward xrpl.js and xrpl-py issue filing. Clio saw increased merge activity (7 vs. 2) from batched CI dependency updates. No xrpl.js PRs merged this week — a sharp drop from last week's 26, reflecting focus on the audit and review rather than merging.