The fallout from the XRP Ledger’s BatchGate scare is turning into a broader argument about who is actually responsible for protocol safety and how much scrutiny major amendments should face before they get anywhere near mainnet. In a statement published Monday, longtime validator operator Daniel Keller said the near-miss around XLS-56 exposed “a systemic failure in review processes” and prompted him to withdraw support for all amendments currently under consideration.
Keller’s post was framed as a clarification of what dUNL validators are supposed to do, after what he described as widespread confusion following the Batch incident. His central point was that validators are governance participants, not unpaid auditors. “The role of dUNL validators is specific and limited: We coordinate the activation (or rejection) of amendments by casting ‘Yay’ or ‘Nay’ votes once an amendment is proposed,” he wrote. “We are supposed to judge pending amendments. That is our primary governance function.”
That distinction matters because XLS-56, also known as Batch, was halted only after a logic flaw in signature validation was uncovered shortly before mainnet activation. The bug could have enabled unauthorized transaction execution and potentially put billions in XRP at risk before the amendment was paused and patched in rippled 3.1.1.
XRP Ledger Governance Concerns, With Ripple in Focus
For Keller, the episode was not an isolated mistake but the latest example of a deeper structural problem. “The dUNL is not a free code-review or protocol-auditing body. Expecting validators to spend dozens of unpaid hours reviewing complex amendment code was never part of the design and never will be,” he wrote. “Instead, parties proposing amendments should be required to deliver comprehensive documentation, test suites, security analyses, and formal proofs upon request. If you want my vote, prove the change is safe and beneficial.”
He argued that the burden now falls on Ripple to fund that process more aggressively. “I will not vote in favour of any future amendments until Ripple makes a credible, concrete commitment to substantially increase investment in XRPL core protocol engineering, security review, and long-term sustainability,” Keller said. “If XRP is truly Ripple’s ‘North Star,’ as repeatedly stated, then the network’s foundational security and decentralisation must receive the attention and resources they deserve.”
Keller’s immediate response was blunt: withdraw all current “Yay” votes, except for pending fixes, and refuse to upgrade to rippled 3.1.1 unless staying on the earlier version risks removal from the network. He also said the fact that an independent researcher and an AI tool were ultimately needed to prevent harm underscored how thin the current safety net has become.
Other prominent XRPL voices agreed that the process needs to change, though not all backed a slowdown. Vet, a well-known XRPL validator, called the Batch incident “a massive opportunity” for the community and the XRPL Foundation to rethink how the protocol evolves. He argued for a slower amendment schedule, more paid reviews, multiple audits for larger changes, “attackathons” on testnet, and a bug bounty program big enough to attract elite researchers.
Keller, however, pushed back on the idea that the answer is simply to move slower. “In the short term, we need some sort of agreement with Cantina. They have proven themself and it’s the best we have right now,” he wrote. “Mid-term, the bug bounties need to be elevated and pay serious money. First, people need to be incentivised to look at the code; second, it must pay off to do a responsible disclosure.”
He went further in a follow-up that captured the mood of the debate: “I do not want to slow down our dev speed; it took us years to get to the current level, and we are still slow. More resources need to be allocated, and the process needs to start yesterday.”
That leaves the XRP Ledger in a tense but familiar place: a network trying to add functionality without compromising the credibility of its base layer. BatchGate did not become a live exploit. But it did force a sharper question into the open, whether XRPL’s amendment pipeline is still operating with enough review depth for the scale of change now being proposed.
At press time, XRP traded at $1.3566.
