According to Wietse Wind, lead developer of XRPL Labs, a setting that could allow malicious actors to abuse NFTs has already been discovered.
NFT activation on Ripple’s XRP Ledger will have to be further delayed, as Wietse Wind, the lead developer of XRPL Labs, temporarily withdrew his vote in favor of the 9/11 release.
An explainer 🧵 on the recent finding that a simple 'flag' (setting) on minted NFT's can be abused, causing NFT issuers to get all their XRP locked up due to actions of third parties.
Because of this finding, I have removed the "yay" vote of the @XRPLLabs validator. Temporarily.
— WietseWind – 🛠 XUMM @ XRPL Labs (@WietseWind) September 11, 2022
He added that the vulnerability could also result in XRP’s NFT issuers being “locked out due to the actions of third parties.”
Basically, the problem lies in the collection of royalties for minted NFTs. Typically, the issuer receives a percentage of each secondary NFT sale. But the XRPL requires the issuer to have a trust line in order to receive it.
But the sale can occur without the issuer’s knowledge, and in that case XRP in the issuer’s account is necessarily locked up as reserve.
“An NFT was once minted and sent/sold with lsfTrustLine. Transfer fees can then be sold back and forth between two or more of the attacker’s accounts, causing more and more Trust Lines to be created to retrieve random shitcoins issued by the attacker.”
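A defender-side check for the setting described above, as an added example that is not from the article or from XRPL Labs: it decodes the flags embedded in each NFTokenID and reports tokens minted with the trust line flag. The flag values and the NFTokenID field layout are assumptions taken from the XLS-20 specification, and the issuer and sample IDs are constructed.

```python
# Added example; flag values and field layout assumed from the XLS-20 spec.
LSF_TRUST_LINE = 0x0004    # auto-create issuer trust lines for transfer fees
LSF_TRANSFERABLE = 0x0008  # token may change hands between third parties

def parse_nftoken_id(token_id):
    """Split a 64-hex-digit NFTokenID into its fixed-width fields."""
    raw = bytes.fromhex(token_id)  # raises ValueError on non-hex input
    if len(raw) != 32:
        raise ValueError("NFTokenID must be 256 bits (64 hex digits)")
    return {
        "flags": int.from_bytes(raw[0:2], "big"),
        "transfer_fee": int.from_bytes(raw[2:4], "big"),
        "issuer": raw[4:24].hex().upper(),
        "sequence": int.from_bytes(raw[28:32], "big"),
    }

def classify(token_id):
    """Return 'exposed', 'flag_set' or 'ok' for one token."""
    f = parse_nftoken_id(token_id)
    if not f["flags"] & LSF_TRUST_LINE:
        return "ok"
    # Fees only arise on secondary sales, so the flag matters most when the
    # token is transferable and carries a non-zero transfer fee.
    if f["flags"] & LSF_TRANSFERABLE and f["transfer_fee"] > 0:
        return "exposed"
    return "flag_set"

def audit(token_ids):
    """Map issuer account ID -> list of (sequence, status) needing review."""
    findings = {}
    for tid in token_ids:
        status = classify(tid)
        if status != "ok":
            f = parse_nftoken_id(tid)
            findings.setdefault(f["issuer"], []).append((f["sequence"], status))
    return findings

# Constructed sample IDs: flags | fee | issuer (placeholder) | taxon | sequence
ISSUER = "AA" * 20
SAMPLE = [
    "000C" + "1388" + ISSUER + "00000000" + "00000001",  # trust line + transferable
    "0008" + "1388" + ISSUER + "00000000" + "00000002",  # transferable only
    "0004" + "0000" + ISSUER + "00000000" + "00000003",  # flag set, not transferable
]

if __name__ == "__main__":
    for issuer, items in audit(SAMPLE).items():
        print(issuer, items)
```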
Wind said this now means the XLS-20 amendment could lose much of it. However, he said this was for the best and would give time to rectify the issue and vote again.
Wind revealed that the bug was identified by xTokenize.
The withdrawal of that critical vote from the XLS-20 amendment means that plans to upgrade the XRPL to enable NFT minting will have to wait further. According to Wind, for XLS-20 this is not “goodbye”, but “see you again”.