You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: XLS-0056-batch/README.md
+32-5Lines changed: 32 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -511,25 +511,52 @@ This standard doesn't add any new field to the [transaction common fields](https
511
511
512
512
This flag should only be used if a transaction is an inner transaction in a `Batch` transaction. This signifies that the transaction shouldn't be signed. Any normal transaction that includes this flag should be rejected.
513
513
514
-
## 4. Security
514
+
## 4. Rationale
515
515
516
-
### 4.1. Trust Assumptions
516
+
The design of batch transactions prioritizes flexibility, security, and backward compatibility with the existing XRP Ledger infrastructure.
517
+
518
+
### 4.1. Multiple Batch Modes
519
+
520
+
Four distinct batch modes (`ALLORNOTHING`, `ONLYONE`, `UNTILFAILURE`, `INDEPENDENT`) were chosen to accommodate a wide range of use cases:
521
+
522
+
-**`ALLORNOTHING`** is essential for trustless swaps and any scenario where partial completion would leave the system in an undesirable state.
523
+
-**`ONLYONE`** enables try-multiple-options patterns, such as submitting offers with different slippage tolerances.
524
+
-**`UNTILFAILURE`** provides a middle ground for sequential operations that can partially succeed.
525
+
-**`INDEPENDENT`** allows for transaction bundling without strict interdependency.
526
+
527
+
Alternatives considered included a simpler single-mode design, but this would have forced users to work around limitations for their specific use cases.
528
+
529
+
### 4.2. Separate Metadata for Inner Transactions
530
+
531
+
Inner transactions are committed separately to the ledger with their own metadata rather than being embedded within the outer transaction's metadata. This design choice ensures backward compatibility with legacy systems that can continue processing transactions without understanding or adding special support for the `Batch` transaction type. A more compact design with nested metadata was considered but rejected due to the extensive changes it would require for existing infrastructure.
532
+
533
+
### 4.3. Transaction Limits
534
+
535
+
The current limit of 8 inner transactions and a minimum of 2 was chosen to balance utility against potential abuse vectors and performance concerns. This limit can be relaxed in future amendments as the community gains experience with how batch transactions are used in practice.
536
+
537
+
### 4.4. Inner Transaction Safety
538
+
539
+
Requiring the `tfInnerBatchTxn` flag, prohibiting signatures, and mandating zero fees on inner transactions creates a clear separation between inner and outer transactions. This prevents inner transactions from being extracted and submitted independently, which would bypass the atomicity guarantees and potentially enable theft in multi-account scenarios.
540
+
541
+
## 5. Security
542
+
543
+
### 5.1. Trust Assumptions
517
544
518
545
Regardless of how many accounts' transactions are included in a `Batch` transaction, all accounts need to sign the collection of transactions.
519
546
520
-
#### 4.1.1. Single Account
547
+
#### 5.1.1. Single Account
521
548
522
549
In the single account case, this is obvious; the single account must approve all of the transactions it is submitting. No other accounts are involved, so this is a pretty straightforward case.
523
550
524
-
#### 4.1.2. Multi Account
551
+
#### 5.1.2. Multi Account
525
552
526
553
The multi-account case is a bit more complicated and is best illustrated with an example. Let's say Alice and Bob are conducting a trustless swap via a multi-account `Batch`, with Alice providing 1000 XRP and Bob providing 1000 USD. Bob is going to submit the `Batch` transaction, so Alice must provide her part of the swap to him.
527
554
528
555
If Alice provides a fully autofilled and signed transaction to Bob, Bob could submit Alice's transaction on the ledger without submitting his and receive the 1000 XRP without losing his 1000 USD. Therefore, the inner transactions must be unsigned.
529
556
530
557
If Alice just signs her part of the `Batch` transaction, Bob could modify his transaction to only provide 1 USD instead, thereby getting his 1000 XRP at a much cheaper rate. Therefore, the entire `Batch` transaction (and all its inner transactions) must be signed by all parties.
531
558
532
-
### 4.2. Inner Transaction Safety
559
+
### 5.2. Inner Transaction Safety
533
560
534
561
An inner batch transaction is a very special case. It doesn't include a signature or a fee (since those are both included in the outer transaction). Therefore, they must be handled very carefully to ensure that someone can't somehow directly submit an inner `Batch` transaction without it being included in an outer transaction.
0 commit comments