Skip to content

XLS-64d pseudo-account #274

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+94 −0
Open

XLS-64d pseudo-account #274

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 94 additions & 0 deletions XLS-0064d-pseudo-account/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
<pre>
Title: <b>Pseudo-Account</b>
Type: <b>draft</b>
Revision: <b>1</b> (2025-03-04)

<hr> Authors:
<a href="mailto:[email protected]">Vytautas Vito Tumas</a>

Affiliation:
<a href="https://ripple.com">Ripple</a>
</pre>

# Pseudo-Account

## _Abstract_

In this document, we propose a standard for a _pseudo-account_, an `AccountRoot` object that can be associated with one or more other ledger entries to hold and/or issue assets on behalf of the associated entries.

## 1. Introduction

The XRP Ledger is an account-based blockchain in which assets—such as XRP, IOUs, or MPT—can only be held by an account represented by an `AccountRoot` ledger entry. However, certain use cases, such as Automated Market Makers (AMM), Single Asset Vaults, and the Lending Protocol—require assets to be transferable to and from an object.

The [XLS-30](https://github.com/XRPLF/XRPL-Standards/tree/master/XLS-0030-automated-market-maker#readme) specification introduced the `AMMID` field in the `AccountRoot` ledger entry. This field associates a _pseudo-account_ with an `AMM` instance, allowing it to track XRP and token balances in the pool and issue `LPTokens` on behalf of the `AMM` instance.

This specification formalises the requirements for an `AccountRoot` when used as a _pseudo-account_. Specifically, it defines:

- A set of flags that must be enabled.
- A naming convention for the field identifying the object the `AccountRoot` is associated with.
- Minimum requirements for any protocol implementing a _pseudo-account_.

## 2. Ledger Entries

### 2.1. `AccountRoot` Ledger Entry

#### 2.1.1. Object Identifier

The address of the `AccountRoot` must be randomised to prevent users from identifying and funding the address before its creation. The protocol that creates an `AccountRoot` must ensure the account address is unoccupied.

The unique ID of the **`AccountRoot`** object, a.k.a. **`AccountRootID`** is computed as follows:

- for (i = 0; i <= 256; i--)
- Compute `AccountRootID` = `SHA512-Half`(i || [Parent Ledger Hash](https://xrpl.org/ledgerhashes.html) || `<Object>ID>`)
- If the computed `AccountRootID` exists, repeat
- else, return `AccountRootID`

#### 2.1.2. Fields

| Field Name | Modifiable? | Required? | JSON Type | Internal Type | Default Value | Description |
| ------------ | :---------: | :-------: | :-------: | :-----------: | :-----------: | :---------------------------------------------------------------------------------------------------------- |
| `<Object>ID` | `N/A` | `no` | `string` | `HASH256` | `N/A` | The object identifier the `pseudo-account` is associated with. |
| `Flags` | `no` | `yes` | `number` | `UINT32` | `N/A` | A set of flags that must be set for a `pseudo-account`. |
| `Sequence` | `no` | `yes` | `number` | `UINT32` | `0` | The sequence number of the `pseudo-account`. |
| `RegularKey` | `no` | `yes` | `string` | `ACCOUNTID` | `N/A` | The address of a key pair that can be used to sign transactions for this account instead of the master key. |

##### 2.1.2.1. `<Object>ID`

The `<Object>ID` field uniquely identifies the ledger entry associated with an account. Any protocol introducing a `pseudo-account` must include a new, optional `<Object>ID` field.

The naming convention for this field follows these rules:

- `<Object>` represents the name of the related object:
- All letters must be capitalised if the name is an acronym (e.g., `AMM`).
- Otherwise, capitalise the first letter of each noun (e.g., `Vault` or `LoanBroker`).
- `ID` must always be appended as a suffix.

##### 2.1.2.2. `Flags`

The following flags must be set for a `pseudo-account`:

| Flag Name | Flag Value | Modifiable? | Description |
| ------------------ | :--------: | :---------: | :---------------------------------------------------------------------------------------: |
| `lsfDisableMaster` | `0x01` | `No` | Ensure that no one can control the account directly and send transactions on its behalf. |
| `lsfDepositAuth` | `0x001` | `No` | Ensure that the only way to add funds to the account is by using a `deposit` transaction. |



##### 2.1.2.3. `Sequence`
The `Sequence` number of a` _pseudo-account_` **must** be `0`. A _pseudo-account_ cannot submit valid transactions.

##### 2.1.2.4. `RegularKey`
A _pseudo-account_ **must not** have a `RegularKey` set.

#### 2.1.3. Cost

A transaction that creates a `pseudo-account` must incur a higher-than-usual transaction fee to deter ledger spam. Additionally, the transaction must destroy at least the incremental owner reserve amount, currently `2 XRP`.
Comment on lines +83 to +85
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think section "2.1.3 Cost" should be updated to say something like:

A pseudo-account must increase the owning / controlling account's reserve by 1 in addition to any increases required by the creation of other objects. A transaction that creates a pseudo-account that is not owned or controlled by the creating account must incur a higher-than-usual transaction fee to deter ledger spam, and must destroy at least the incremental owner reserve amount, currently 0.2 XRP.

I believe this spec was written based on the experiences with AMM.

From #240 (comment)

AMMCreate doesn't increase anyone's owner count, partly because the object isn't owned by anyone once it's created, but that's the point - the fee is partly high because there's no one to require a reserve from.

In the case of other objects like Vault or LoanBroker where there is an account that effectively owns and controls the created-pseudo-account I think it makes way more sense to increase the owner count by 2 (1 for the pseudo-account, and 1 for the vault or broker object), and charge a normal transaction fee.

As a ledger object, there is nothing special or unusual about a pseudo-account if it has a single, defined owner. It's not unusually large. It doesn't function independently. It's just needed as a placeholder to allow other objects to work properly.

(Copied from #191 (comment))


#### 2.1.4. Invariant

The following invariants **must** hold for a _pseudo-account_:
- The object identified by `<Object>ID` **must** exist on the ledger.
- Exactly one `<Object>ID` **must** be set (e.g., a _pseudo-account_ cannot have both `AMMID` and `VaultID` at the same time).
- The `lsfDepositAuth` and `lsfDisableMaster` flags **must** be set.
- The `Sequence` number **must** be `0`.
- The `RegularKey` **must not** be set.