author
Ahmed Barakat
author
Share
David Schwartz, co-founder of XRP Ledger and Ripple CTO Emeritus, proposed a two-component transaction reservation mechanism to address the risks of frontal attack and sandwich attack on XRPL’s native DEX and AMM.
The proposal, which emerged in response to concerns raised by XRP-focused analytics account XRPresso.io, offers priority execution guarantees for users willing to pay holding fees, a market integrity measure of immediate importance as institutional flows into XRP products continue to expand.
The proposal is currently under community discussion and has not been formalized as a network modification. This distinction is important: In the XRP Ledger, protocol changes require a supermajority of validators to vote in favor before activation, meaning Schwartz’s design carries weight but faces a specific governance process before it reaches the mainnet.
Discover: The best advance token sales
How the Ripple XRP ReservedTxns mechanism actually works
The scheme introduces two new components to the protocol. The first is the ReservedTxns ledger object, which stores the target ledger sequence number and an array of up to 32 transaction IDs.
When this particular ledger is executed, any listed transactions that are in the consensus set are processed first, before all other transactions, after which the object is deleted. The second component is the TxnReserve transaction type, which allows the user to claim a priority slot for one or more future transactions by submitting a reservation before the target ledger closes.
There are three restrictions governing TxnReserve: the reservation fee must be at least double the standard transaction fee; The target ledger must fall within 16 books of the current ledger; The actual transaction must set its LastLedgerSequence to match the reserved ledger.
These rules are not accidental, they determine the economic cost of using the system and the narrow time window in which it operates. The 16-book cap keeps reservations tightly coupled to near-term execution, preventing the mechanism from being used as a tool for general-purpose queue games.
DoS protection is integrated through dynamic fee scaling: when reserve slots fill up beyond 16 slots, fees escalate, reaching several multiples of the base reserve near 30 slots. Schwartz also specified that the XRPL server software would hold reserved transactions and release them only when the prior ledger proposals were close to being known, compressing the pre-execution visibility window.
“This ensures that you can execute your transaction before any transaction formed after your transaction is disclosed,” Schwartz said. “You can use this approach any time you want to make a transaction that you want to ensure cannot be placed or executed previously.”
The XRPL forward operating problem that Schwartz solves
XRPresso’s concerns focus on a structural feature of the XRP Ledger: pending transactions are placed in a publicly visible queue before the ledger is closed, giving validators and well-connected nodes advance visibility into incoming trades.
Since the underlying transaction demand on XRPL is determined by a well-known deterministic formula that includes transaction hashes, a sophisticated actor can repeatedly send similar transactions to increase the probability of landing in a favorable slot relative to the target trade, which is the mechanical basis of a sandwich attack on a DEX or AMM.
Schwartz admitted the exposure but objected to the framing. He said that all participants have equal access to the public queue, and that auditors gain no structural organizational advantage unless several of them conspire.
“If multiple auditors conspired, or one auditor attempted to do this, it would be very clear to everyone exactly who was doing it,” he said, adding that such an attempt had not been confirmed outside of a proof of concept.
He also pointed out a practical constraint on profitability: extracting meaningful value requires simultaneously high liquidity (to generate volume worth targeting) and low liquidity (to move the price at a manageable cost), a combination that rarely exists in XRPL.
This argument has not entirely satisfied critics, but it distinguishes XRPL’s current risk profile from Ethereum’s historically active MEV environment.
The debate in DeFi is not limited to the XRP ecosystem. Binance co-founder Changpeng Zhao proposed a dark pool perpetuating a DEX last year using zero-knowledge cryptography to hide order data until execution, an approach that drew its own criticism from decentralization advocates who argued it recreated the information asymmetry that cryptography was designed to eliminate.
XRPresso made a similar argument in response to Schwartz, arguing that targeted secrecy of details of pending transactions would be a cleaner long-term solution than a layer of booking fees, and pointed to implementations already in place on competing chains.
Don’t miss your chance to get a $1000 Airdrop on ByBit
