fix permission delegation vulnerability

[yinyiqian1]

• New Amendment: Introduces the featurePermissionDelegationV1_1 amendment.

• Amendment Replacement: This new amendment is designed to supersede both featurePermissionDelegation and fixDelegateV1_1, which should be considered deprecated.

• Error Code Correction: The checkPermission function will now return terNO_DELEGATE_PERMISSION when a delegate transaction lacks the necessary permissions.

High Level Overview of Change

Context of Change

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (non-breaking change that only restructures code)
• Performance (increase or change in throughput and/or latency)
• Tests (you added tests for code that already exists, or your new feature included in this PR)
• Documentation update
• Chore (no impact to binary, e.g. .gitignore, formatting, dropping support for older tooling)
• Release

API Impact

• Public API: New feature (new methods and/or new fields)
• Public API: Breaking change (in general, breaking changes should only impact the next api_version)
• libxrpl change (any change that may affect libxrpl or dependents of libxrpl)
• Peer protocol change (must be backward compatible or bump the peer protocol version)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.3%. Comparing base (cbbb2b1) to head (0f9aedc).
⚠️ Report is 159 commits behind head on develop.

Additional details and impacted files

@@            Coverage Diff            @@
##           develop   #5825     +/-   ##
=========================================
- Coverage     78.3%   78.3%   -0.0%     
=========================================
  Files          817     817             
  Lines        69016   69003     -13     
  Branches      8320    8322      +2     
=========================================
- Hits         54038   54023     -15     
- Misses       14978   14980      +2     

Files with missing lines	Coverage Δ
include/xrpl/protocol/TER.h	100.0% <ø> (ø)
include/xrpl/protocol/detail/transactions.macro	100.0% <ø> (ø)
src/libxrpl/protocol/Permissions.cpp	100.0% <100.0%> (ø)
src/libxrpl/protocol/TER.cpp	100.0% <ø> (ø)
src/xrpld/app/misc/detail/DelegateUtils.cpp	100.0% <100.0%> (ø)
src/xrpld/app/tx/detail/DelegateSet.cpp	100.0% <100.0%> (ø)
src/xrpld/app/tx/detail/MPTokenIssuanceSet.cpp	100.0% <100.0%> (ø)
src/xrpld/app/tx/detail/MPTokenIssuanceSet.h	100.0% <ø> (ø)
src/xrpld/app/tx/detail/Payment.cpp	93.8% <100.0%> (+0.1%)	⬆️
src/xrpld/app/tx/detail/Payment.h	100.0% <ø> (ø)
... and 7 more

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mvadari]

@yinyiqian1 there are some merge conflicts here

[mvadari]

Blocked on waiting for the 3.0 release, will be merged after

[bthomee]

Since the 3.0.0 release branch has already been cut, we can go ahead and merge this one.

[bthomee]

/ai-review

[xrplf-ai-reviewer]

Multiple permission delegation security and correctness issues found in transaction handling.

Review by Claude Opus 4.6 · Prompt: V12

[xrplf-ai-reviewer]

AccountDelete feature guard changed - verify delegation behavior across feature boundary:

[yinyiqian1]

In the latest develop branch, featureDeletableAccounts has been removed, so this is no longer a concern.

[xrplf-ai-reviewer]

👍

[xrplf-ai-reviewer]

Permission-denied transactions now return ter instead of tec - prevents fee-free spam:

[yinyiqian1]

We intended to use NotTEC, because this is called before checkSign

[xrplf-ai-reviewer]

Good point — since this is called before checkSign, using NotTEC (a ter code) is correct here. ter results are retried rather than applied to the ledger, which makes sense for a pre-signing permission check. Thanks for the clarification; I'll update my understanding. This is the right approach.

[xrplf-ai-reviewer]

Semantic mismatch: ter error suggests retry when permission failures are permanent. Add client documentation:

[yinyiqian1]

This is a duplicate comment(the same as the next one), #6675

[xrplf-ai-reviewer]

Thanks for pointing that out! You're right that this is a duplicate of the same concern raised in the linked comment. I'll defer to the discussion in that thread to avoid redundancy.

[xrplf-ai-reviewer]

Deprecated error code lacks clear reclamation path. Add tracking mechanism:

[yinyiqian1]

The comment is sufficient

[xrplf-ai-reviewer]

A comment alone doesn't provide a structured tracking mechanism for deprecation. In a production blockchain protocol like rippled, deprecated error codes need careful lifecycle management to avoid breakage in client integrations. Consider at minimum adding a // TODO(deprecation): Remove after featurePermissionDelegationV1_1 is in majority style comment with a concrete removal condition, or tracking it in the project's issue tracker. A plain "deprecated" comment doesn't signal when or how the code will be removed.

[yinyiqian1]

#6675

[xrplf-ai-reviewer]

👍

[xrplf-ai-reviewer]

Permission-denied payment transactions return ter, enabling potential fee-free transaction spam:

[yinyiqian1]

We intended to return NotTEC, because this is returned before the checkSign.
pre-sign checks must be NotTEC to prevent fee extraction without key ownership.

[xrplf-ai-reviewer]

Good point — returning NotTEC before checkSign is the correct behavior to prevent fee extraction without key ownership. Thanks for the explanation. My concern was misplaced here since the normal spam protection applies: without a valid signature, the transaction won't get through the network in the first place. I'll withdraw my original concern.

[xrplf-ai-reviewer]

MPT payment authorization logic expanded without explicit guard:

[yinyiqian1]

false alarm: PaymentMint and PaymentBurn apply to both IOU and MPT direct payments.
Authorization logic is in doApply.

[xrplf-ai-reviewer]

👍

[xrplf-ai-reviewer]

Fee check moved after permission validation - potential DoS vector with fee-free invalid submissions:

[yinyiqian1]

We intended to group the NotTEC functions together.

[xrplf-ai-reviewer]

LCOV_EXCL_LINE suppresses coverage on security-critical null check. Add explicit unit tests:

[yinyiqian1]

#6675

[xrplf-ai-reviewer]

Thanks for the reference! That PR #6675 appears to add the unit tests for this security-critical path. Once those tests are in place, the LCOV_EXCL_LINE suppression would be justified. Could you confirm that PR #6675 covers the null check at line 28 specifically, and that it will be merged alongside or before this change?

[yinyiqian1]

The test case in #6675 is used to cover the if (!delegate) null check path in DelegateUtils.cpp:

void
    testDelegateUtilsNullptrCheck()
    {
        testcase("DelegateUtils nullptr check");

        // checkTxPermission nullptr check
        STTx const tx{ttPAYMENT, [](STObject&) {}};
        BEAST_EXPECT(checkTxPermission(nullptr, tx) == terNO_DELEGATE_PERMISSION);

        // loadGranularPermission nullptr check
        std::unordered_set<GranularPermissionType> granularPermissions;
        loadGranularPermission(nullptr, ttPAYMENT, granularPermissions);
        BEAST_EXPECT(granularPermissions.empty());
    }

[xrplf-ai-reviewer]

👍

[xrplf-ai-reviewer]

Permission-denied MPTokenIssuanceSet transactions return ter, enabling potential fee-free transaction spam:

[yinyiqian1]

We intended to use NotTEC, because this is called before checkSign

[xrplf-ai-reviewer]

Thanks for the context! You're right that NotTEC (a TER result) is appropriate here when called before checkSign, since the transaction hasn't been signed yet and fee charging hasn't been determined. Returning a TER at this stage is the correct pattern to avoid charging fees for transactions that fail early validation. I'll withdraw my concern.

[xrplf-ai-reviewer]

Test case silently drops validation of a failed inner Batch transaction

The test previously validated that the second inner transaction in a Batch (jv2, seq+2) was recorded in the ledger with tecNO_DELEGATE_PERMISSION. After changing to terNO_DELEGATE_PERMISSION, the validation entry is simply removed. The absence of any assertion means the test no longer explicitly verifies what happens to the second inner transaction.

Suggested fix: Add an explicit assertion that the second inner transaction is NOT present in the closed ledger to preserve test coverage for the 'permission denied inside a Batch' path.

[yinyiqian1]

#6675 added:

std::vector<TestLedgerData> testCases = {
                {0, "Batch", "tesSUCCESS", batchID, std::nullopt},
                {1, "TrustSet", "tesSUCCESS", txIDs[0], batchID},
                // jv2 fails with terNO_DELEGATE_PERMISSION.
            };
            validateClosedLedger(env, testCases);

            // verify jv2 is not present in the closed ledger.
            BEAST_EXPECT(
                env.rpc("tx", txIDs[1])[jss::result][jss::error] ==
                "txnNotFound");

[xrplf-ai-reviewer]

👍

[yinyiqian1]

The AI comments are addressed in a separate PR: #6675
The remaining comments appear to be false alarms.