ward-protocol v0.1.1 · PyPI
XRPLF Discussion #474
api.wardprotocol.org
ward_signed = False
XLS-66 · XLS-70 · XLS-20 · XLS-80
95/95 tests passing
5 Altnet transactions confirmed
PREIMAGE-SHA-256 · EscrowCreate · NFTokenBurn
Ward builds · Institution signs · XRPL settles
Open specification · XRP Ledger · XRPLF #474

Default Protection for XLS-66 Lending Vaults

When a borrower defaults, Ward defines exactly what happens.
Detection. Validation. Settlement. On-chain. Automatic.

ward_signed = False — Ward builds · Institution signs · XRPL settles
F·01 — F·03 · Setup
Vault & Policy
Register vault, anchor KYC on-chain, issue coverage certificate as XLS-20 NFT
F·04 — F·05 · Trigger
Default & Validation
3-ledger confirmation, 9 deterministic checks — all against live XRPL state
F·06 · Settlement
Escrow & Payout
PREIMAGE-SHA-256 locked escrow — only the claimant can release funds
95 tests passing · 15 attack vectors · 9 validation checks · 0 times Ward signs
F·01
Vault Registration
Institution opens an XLS-66 lending vault on XRPL
Ward Protocol
Builds unsigned VaultCreate
Institution
Signs with own keypair
XRPL
Registers vault on ledger
1
Ward Protocol
Builds unsigned VaultCreate transaction
Ward validates the institution address, collateral type, and minimum ratio. Returns an unsigned transaction ready for signing.
# POST /vaults — Ward builds, never signs
{
  "unsigned_tx_type": "VaultCreate",
  "ward_signed": false,  # always
  "institution_address": "rInst..."
}
2
Institution
Signs transaction with their own XRPL keypair
Ward never sees the private key. Institution signs locally and submits to XRPL.
3
XRPL
Vault registered as XLS-66 ledger object
The vault is now live on the XRPL ledger. Ward's server is no longer involved.
ward_signed = False · confirmed on ledger
F·02
Credential Issuance
KYC hash anchored on-chain via XLS-70 — no raw PII
Ward Protocol
Hashes KYC document
Institution
Signs NFTokenMint
XRPL
Credential lives on ledger
1
Ward Protocol
SHA-256 hashes the KYC document
Ward never stores or transmits raw KYC data. Only the cryptographic fingerprint goes on-chain.
# Raw PII stays with institution
import hashlib
kyc_hash = hashlib.sha256(kyc_document).hexdigest()  # kyc_document: raw bytes
# Only this hash goes on-chain
2
Ward Protocol
Builds unsigned NFTokenMint (XLS-70)
Credential NFT with taxon=282. Encodes kyc_hash, kyc_type, and expiry_ledger in the URI.
3
Institution
Signs and submits NFTokenMint
Institution controls the credential. Ward never signs. The credential is bound to the depositor's wallet.
4
XRPL
KYC credential lives on ledger — compliance proven
Regulators can verify compliance by reading the on-chain hash. No raw data exposure.
ward_signed = False · no PII on-chain
F·03
Policy Purchase
Coverage terms locked permanently in XLS-20 NFT URI
Ward Protocol
Builds policy NFT
Institution
Signs NFTokenMint
XRPL
Certificate immutable on ledger
1
Ward Protocol
Builds policy NFT with coverage terms in URI
Coverage amount, expiry, vault address, and premium locked immutably. Nobody can change terms after minting.
NFT URI encodes:
coverage_drops: 10_000_000 (10 XRP)
expiry_ledger: 99_432_100
vault_address: "rVaultXXX..."
taxon: 281 · flags: TF_BURNABLE only
2
Institution
Signs and mints policy NFT
Non-transferable by design — tfTransferable flag deliberately omitted. Policy permanently bound to depositor.
3
XRPL
Policy certificate confirmed · terms immutable forever
Coverage terms are now on-chain. No counterparty can modify or cancel them. Depositor holds the NFT in their own wallet.
ward_signed = False · non-transferable · immutable
F·04
Default Detection
3 consecutive ledger closes required — no false triggers
XRPL
Live vault health data
Ward Protocol
Monitors + confirms
Ward Protocol
Emits verified default
1
XRPL
Borrower collateral drops below 1.5× loan value
VaultMonitor subscribes to live XRPL WebSocket stream. lsfLoanDefault flag detected on Loan ledger object.
2
Ward Protocol
Waits for 3 consecutive ledger close confirmations
Approximately 12 seconds. Prevents false positives from flash crashes, oracle noise, or network hiccups.
DEFAULT_CONFIRM_COUNT = 3
# single bad block cannot trigger payout
# 3 × ~4s ledger close = ~12s confirmation window
3
Ward Protocol
Re-fetches Loan object from live ledger to confirm
Even after 3 confirms, Ward independently re-reads the ledger object. Events are hints only — the ledger is truth.
4
Ward Protocol
Verified default event emitted — claim window opens
Anomaly detection running in parallel: 5+ defaults from same vault in 5 minutes triggers alert callback.
ward_signed = False · no oracle · XRPL is truth
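The confirmation rule described in F·04, as an added example (not code from the ward-protocol package). `DefaultConfirmer`, `refetch_loan`, `replay` and the sample events are hypothetical names and constructed data; only `DEFAULT_CONFIRM_COUNT = 3` comes from the page.

```python
DEFAULT_CONFIRM_COUNT = 3  # value stated on the page


class DefaultConfirmer:
    """Counts consecutive closed ledgers in which a loan shows as defaulted."""

    def __init__(self, refetch_loan, required=DEFAULT_CONFIRM_COUNT):
        # refetch_loan (hypothetical): loan_id -> True if the ledger object
        # read directly from the ledger is still flagged as defaulted.
        self.refetch_loan = refetch_loan
        self.required = required
        self.streak = {}  # loan_id -> (last_ledger_index, count)

    def on_ledger_close(self, ledger_index, loan_id, defaulted):
        """Feed one observation per ledger close; True once verified."""
        if not defaulted:
            self.streak.pop(loan_id, None)  # a healthy ledger resets the streak
            return False
        last, count = self.streak.get(loan_id, (None, 0))
        if last == ledger_index:
            return False  # duplicate delivery of the same ledger: ignore
        # A skipped ledger breaks "consecutive", so the count restarts at 1.
        count = count + 1 if last == ledger_index - 1 else 1
        self.streak[loan_id] = (ledger_index, count)
        if count < self.required:
            return False
        self.streak.pop(loan_id, None)
        # Stream events are hints only: re-read the ledger before emitting.
        return bool(self.refetch_loan(loan_id))


def replay(confirmer, events, loan_id="LOAN-CONSTRUCTED"):
    """Run (ledger_index, defaulted) pairs through a confirmer."""
    return [confirmer.on_ledger_close(i, loan_id, d) for i, d in events]


# Constructed observations: a recovery at 102 and a gap at 105 both reset
# the streak, so only ledgers 106-108 produce a verified default.
SAMPLE_EVENTS = [(100, True), (101, True), (102, False), (103, True),
                 (104, True), (106, True), (107, True), (108, True)]

if __name__ == "__main__":
    print(replay(DefaultConfirmer(lambda loan_id: True), SAMPLE_EVENTS))
```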
F·05
Claim Validation
9 deterministic checks · all against live XRPL state · no human judgment
Ward Protocol
Runs 9 checks
XRPL
Source of truth for all checks
Ward Protocol
Returns pass or reject
9
Ward Protocol · ClaimValidator
All 9 checks must pass — any failure rejects the claim
Every check reads live XRPL ledger data. No oracle. No off-chain data. No human override.
CHECK 01
Policy NFT exists on ledger
CHECK 02
Policy unexpired
CHECK 03
Vault address matches
CHECK 04
Default confirmed × 3
CHECK 05
Collateral provably breached
CHECK 06
No escrow pending
CHECK 07
KYC credential valid
CHECK 08
Domain authorized
CHECK 09
Rate limit clear
F·06
Escrow Settlement
PREIMAGE-SHA-256 · Ward never sees the preimage · 48h dispute window
Ward Protocol
Builds EscrowCreate (condition only)
Institution
Signs and submits
XRPL
Enforces — Ward irrelevant
1
Ward Protocol
Receives condition_hex — never the preimage
Claimant generates their own secret preimage offline. Ward only receives sha256(preimage). This means Ward itself cannot front-run the payout.
# Claimant keeps preimage secret
import hashlib, os
preimage = os.urandom(32)
condition_hex = hashlib.sha256(preimage).hexdigest()
# Ward receives condition_hex only ↑
2
Ward Protocol
Builds unsigned EscrowCreate · +48h dispute window
Funds locked by cryptographic condition AND time lock. Institution signs this. Ward never signs.
Payout amount
10 XRP
Locked by
PREIMAGE-SHA-256
Destination
Claimant
FinishAfter: +48h · CancelAfter: +72h · ward_signed = false
3
Institution
Signs EscrowCreate · Ward's server now irrelevant
After the institution signs and submits, Ward's server could go offline permanently. XRPL enforces the escrow on its own schedule.
4
XRPL
After 48h · Claimant reveals preimage → funds released
EscrowFinish requires the preimage. Only the claimant holds it. Nobody can front-run.
5
XRPL
Policy NFT burns atomically — replay impossible
NFT disappears from account_nfts. Any future claim attempt fails Check 01 immediately.
ward_signed = False · settlement complete · NFT burned
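The F·06 escrow steps end to end, as an added example (not code from the ward-protocol package). It assumes the page's condition hash ends up in the EscrowCreate `Condition` field, which XRPL expects in PREIMAGE-SHA-256 crypto-condition encoding rather than as a bare digest; the function names and placeholder addresses are hypothetical.

```python
import hashlib
import os

RIPPLE_EPOCH_OFFSET = 946684800  # seconds from 1970-01-01 to 2000-01-01


def make_condition(preimage: bytes) -> tuple[str, str]:
    """Claimant side: return (condition_hex, fulfillment_hex)."""
    if len(preimage) != 32:
        raise ValueError("DER lengths below are fixed for a 32-byte preimage")
    digest = hashlib.sha256(preimage).digest()
    # Condition:   A0 25 | 80 20 <sha256(preimage)> | 81 01 20 (cost = 32)
    condition = bytes.fromhex("A0258020") + digest + bytes.fromhex("810120")
    # Fulfillment: A0 22 | 80 20 <preimage>  (revealed only in EscrowFinish)
    fulfillment = bytes.fromhex("A0228020") + preimage
    return condition.hex().upper(), fulfillment.hex().upper()


def fulfillment_matches(condition_hex: str, fulfillment_hex: str) -> bool:
    """Recompute the condition from a fulfillment, as a verifier would."""
    raw = bytes.fromhex(fulfillment_hex)
    if len(raw) != 36 or raw[:4] != bytes.fromhex("A0228020"):
        return False
    expected, _ = make_condition(raw[4:])
    return expected == condition_hex.upper()


def build_unsigned_escrow(institution, claimant, drops, condition_hex, now_unix):
    """Builder side: sees the condition only, never the preimage; no signing."""
    now_ripple = now_unix - RIPPLE_EPOCH_OFFSET  # XRPL time fields use this epoch
    return {
        "TransactionType": "EscrowCreate",
        "Account": institution,
        "Destination": claimant,
        "Amount": str(drops),                     # drops, as a string
        "Condition": condition_hex,
        "FinishAfter": now_ripple + 48 * 3600,    # 48h dispute window
        "CancelAfter": now_ripple + 72 * 3600,
    }


if __name__ == "__main__":
    cond, ful = make_condition(os.urandom(32))    # stays on the claimant's machine
    tx = build_unsigned_escrow("rInstitutionPLACEHOLDER", "rClaimantPLACEHOLDER",
                               10_000_000, cond, 1_700_000_000)
    print(tx, fulfillment_matches(cond, ful))
```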
Ward builds.
Institution signs.
XRPL settles.
ward_signed = False — always · Open specification · XRPLF Discussion #474
F·06
flows
9
validation checks
0
times Ward signs
server uptime required