Skip to content

rippled backport of nestedsig#3

Open
RichardAH wants to merge 15 commits intodevelopfrom
nested-multi-sign-rippled
Open

rippled backport of nestedsig#3
RichardAH wants to merge 15 commits intodevelopfrom
nested-multi-sign-rippled

Conversation

@RichardAH
Copy link
Owner

@RichardAH RichardAH commented Feb 11, 2026
edited
Loading

NestedMultiSign Amendment

Note: this is a back port of Xahau/xahaud#675 to Xrpld. It may need further attention to ensure compatibility with Xrpld-only features.

Overview

This amendment introduces nested multi-signature validation, allowing signer lists to delegate signing authority to other accounts that themselves have signer lists. This enables hierarchical organizational structures where, for example, a company account can require signatures from department accounts, which in turn require signatures from authorized individuals.

Key Features

Hierarchical Signing (up to 4 levels deep)

  • Signers can now delegate to their own signer lists rather than providing a direct signature
  • Enables corporate governance structures: Company → Departments → Teams → Individuals
  • Each level validates against its own signer list and quorum requirements
  • Weight is only contributed to the parent level when a signer's own quorum is satisfied

Cycle Detection & Quorum Relaxation

  • Detects circular dependencies in signer list configurations (e.g., A→B→A)
  • Prevents permanent fund lockout when accounts accidentally create cyclical signer relationships
  • When a cycle makes certain signers unavailable, the effective quorum is relaxed to the maximum achievable weight
  • Accounts with effectiveQuorum == 0 (all signers cyclic) correctly fail with tefBAD_QUORUM

Transaction Structure

Nested signers are represented by including an sfSigners array instead of sfSigningPubKey/sfTxnSignature:

{
  "Signers": [{
    "Signer": {
      "Account": "DepartmentA",
      "Signers": [{
        "Signer": {
          "Account": "Employee1",
          "SigningPubKey": "...",
          "TxnSignature": "..."
        }
      }]
    }
  }]
}

Validation Rules

  • Maximum nesting depth: 4 levels
  • Signers at each level must be in strict ascending order (consensus requirement)
  • A signer entry cannot have both nested signers AND signature fields
  • Leaf signers must provide valid SigningPubKey and TxnSignature
  • Each level's accumulated weight must meet its quorum (or relaxed quorum if cycles exist)

Error Codes

Code Condition
tefBAD_SIGNATURE Depth limit exceeded, invalid signer, or malformed signer entry
tefBAD_QUORUM Insufficient weight to meet quorum, or all signers are cyclic
tefNOT_MULTI_SIGNING Nested signer account has no signer list configured
tefMASTER_DISABLED Leaf signer's master key is disabled
tefINTERNAL Invariant violation (should never occur)

Backward Compatibility

When featureNestedMultiSign is disabled, nested signer arrays are rejected with temMALFORMED, preserving existing behavior.

RichardAH and others added 13 commits February 10, 2026 12:44
@RichardAH
rippled backport of nestedsig
0b5220b
@sublimator
fix: transplant nested multi-sign review fixes from xahaud
4587a2d 
Transplant 3 xahaud review-fix commits (dbd5903e8, 23fd210e2, 8d9a38e44)
on top of the initial rippled backport (0b5220b).

- Add shared helper functions (isLeafSigner, isNestedSigner,
  isValidSignerEntry, countPresentFields) and depth constants
  (nestedMultiSignMaxDepth, legacyMultiSignMaxDepth) to STTx.h
- Rewrite Transactor::checkMultiSign with recursive validation,
  cycle detection via ancestors set, and cyclic lockout relaxation
- Update calculateBaseFee with depth guard and helper usage
- Refactor STTx.cpp multiSignHelper to use helpers and add
  malformed signer entry detection
- Replace TransactionSign.cpp signer validation with recursive
  validateSignersRecursive using helpers
- Add test_countPresentFields unit test and nested fee calculation
  test cases (Test Cases 16-17)
- Update STTx_test.cpp for optional sfSigningPubKey with
  validation-layer helper checks
- Fix feature-disabled test expectation (telENV_RPC_FAILED)
@sublimator
chore: clang-format nested multi-sign files
5656f0c
@sublimator
Merge remote-tracking branch 'origin/develop' into nested-multi-sign-…
122eee7 
…rippled
@sublimator
Merge remote-tracking branch 'origin/develop' into nested-multi-sign-…
0fb2a1b 
…rippled
@sublimator
fix: address codex review findings for nested multi-sign
c71e2a1 
- fix nested signer array bounds check using wrong variable (signers vs
  signersArray) in STTx.cpp multiSignHelper
- move auth check before cyclic skip in Transactor.cpp so unauthorized
  cyclic signer entries are rejected instead of silently ignored
- add tests for nested array cardinality (empty/oversized)
- add tests for unauthorized vs authorized cyclic signer entries
@sublimator
[DROP] fix: only link gcov for GCC in CodeCoverage.cmake
eec6619
@sublimator
test: add nested multi-sign edge case tests
2fe59af 
Add testNestedMultiSignEdgeCases with 10 tests targeting uncovered
code paths across the three validation layers: multiSignHelper
(depth overflow, corrupt pubkey, malformed entries, unsorted signers),
Transactor::checkMultiSign (fee calculation, non-phantom signers,
cyclic quorum), and transactionSubmitMultiSigned (RPC shape and depth
validation). Includes a direct checkSign test for the depth-exceeded
path using manually-constructed STObjects.
@sublimator
fix: address pre-commit hook failures (cmake-format, cspell)
deb9145
@sublimator
feat: enforce max leaf signer cap for nested multi-sign
3cbe8b9 
Add nestedMultiSignMaxLeafSigners (64) to bound worst-case signature
verification cost. The leaf counter in multiSignHelper increments
before each verify() call and rejects with "Too many leaf signers."
when exceeded. Only enforced when featureNestedMultiSign is enabled.

Tests: leaf cap exceeded (65 leaves → temMALFORMED) and at-cap
succeeds (64 leaves via 2×32 nested tree → tesSUCCESS).
@sublimator
fix: leaf cap test expects telENV_RPC_FAILED for local check failure
e3e43ae 
checkSign rejects >64 leaves before the transaction enters the
engine, so env() cannot extract a TER code and returns
telENV_RPC_FAILED rather than temMALFORMED.
@sublimator
fix: restore XRPL_ASSERT for signer list invariants in checkMultiSign
82bb000 
Plain assert is compiled out in release builds, dropping these
consensus-critical invariant checks in production.
@RichardAH
rippled backport of nestedsig
e45514f
@RichardAH RichardAH force-pushed the nested-multi-sign-rippled branch from 0b5220b to e45514f Compare February 13, 2026 04:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RichardAH @sublimator