Ledger Architecture

← Back to Consensus I: Node, Consensus, and Ledger Fundamentals

Introduction

The XRP Ledger is a cryptographically-secured, immutable record of the complete state of the network at a specific point in time. Unlike traditional databases that modify records in place, the XRPL creates sequential snapshots where each ledger builds upon its predecessor.

This chapter explores the architectural principles that make the ledger both reliable and efficient, providing the foundation for understanding the implementation details that follow.

The Ledger Chain Concept

Sequential Progression:

Genesis Ledger → Ledger 1 → Ledger 2 → ... → Current Ledger
     │               │           │                │
     └───────────────┴───────────┴────────────────┘
                   Cryptographic Links

Properties:

Why Sequential Design?

• Ensures deterministic ordering of events

• Prevents double-spending and race conditions

• Enables efficient synchronization between nodes

• Provides clear audit trail for all network activity

Hierarchical Data Organization

Three-Tier Architecture:

Merkle Tree Architecture

The state and transaction data are organized as Merkle trees, enabling efficient verification:

Why Merkle Trees?

Practical Application:

A node can verify that a specific account balance is correct by checking only the path from that account to the root hash, rather than verifying the entire ledger.

Data Integrity Mechanisms

Multiple Layers of Protection:

Layer 1: Cryptographic Hashing

Uses SHA-512Half to create unique fingerprints. Each ledger contains two Merkle trees:

• Transaction Map (txMap_): All transactions

• State Map (stateMap_): All account states and objects

Hash calculation proceeds bottom-up: leaf nodes hash their data, inner nodes hash their children, producing a root hash.

The ledger header stores both root hashes and calculates the final ledger hash:

Key verification points: When building a new ledger, hashes are computed FROM data (Ledger.cpp:327-332). When loading from database, the system verifies expected roots exist via fetchRoot() (Ledger.cpp:228-242). Network-acquired ledgers compare received vs expected hash (InboundLedger.cpp:811-819).

Failures detected: Missing nodes → network fetch. Hash mismatch → reject ledger. Internal corruption → abort via invariants() check.

Layer 2: Digital Signatures

Proves authorization using ed25519/secp256k1 signatures.

Transaction signatures: Every transaction must be signed by the account holder's private key. Invalid signatures result in tefBAD_AUTH rejection.

Validator signatures: Validators sign proposals during consensus (RCLCxPeerPos) and validations after building a ledger (STValidation). Each validation includes ledger hash, sequence, consensus hash, close time, and signature timestamp to prevent replay attacks.

Key management: Validators use a two-tier system—a master key (offline, long-term identity) and ephemeral keys (online, rotated regularly). The master key signs tokens authorizing ephemeral keys; each new token invalidates previous ones (see Exercise 1: Validator Keys Setup).

Failures: Invalid signatures → transaction/validation rejected. Revoked keys → all validations ignored. Unknown validators → not counted toward quorum.

Layer 3: Consensus Validation

Provides Byzantine fault tolerance through validator quorum.

A ledger requires validations from floor(trusted_validators × 0.8) + 1 validators, tolerating up to 20% Byzantine failures.

Process: Collect validations for the ledger hash, filter out validators on the Negative UNL (unreliable nodes), check if quorum is met, and verify all validators agree on the same hash (LedgerMaster.cpp:932-942).

Byzantine detection: If a node builds a different ledger than the network majority, it enters wrongLedger mode (Consensus.h:1093), stops proposing, acquires the majority ledger from the network, and resumes consensus.

Failures: Insufficient validations → ledger remains unvalidated. Hash disagreement → enter wrongLedger mode. Network partition → wait for reconnection. The 80% quorum ensures agreement even with 20% compromised validators.

Layer 4: Chain Validation

Ensures temporal consistency through parent-child relationships.

Every ledger header references its predecessor (parentHash) and increments the sequence number (seq = parent.seq + 1). The system verifies: (1) parent exists, (2) parent hash matches, (3) sequence is continuous (LedgerMaster::checkAccept() line 922).

Skip list: Maintains references at exponential distances (parent, grandparent, great-grandparent) for efficient historical lookups via Ledger::updateSkipList().

Failures: Parent hash mismatch → reject ledger. Missing parent → fetch from network. Sequence gap → fetch missing ledgers. Chain fork → fixMismatch() repairs (LedgerMaster.cpp:841).

Protection: Guarantees unbroken sequence from genesis; altering past ledgers breaks the chain and is immediately detectable.

How Layers Work Together

All four layers work sequentially during validation: Layer 1 computes cryptographic hashes, Layer 2 verifies signatures, Layer 3 ensures validator agreement, and Layer 4 confirms chain continuity. If ANY layer fails, the ledger is rejected. This defense-in-depth design means even if one layer is compromised (e.g., a stolen validator key), the other layers protect the system.

The Ledger Lifecycle

Four Phases of Ledger Creation:

Phase Details:

1. Transaction Collection

   • Gather pending transactions from network

   • Apply transaction queue ordering rules

   • Filter invalid or expired transactions

2. Ledger Assembly

   • Apply transactions to previous ledger state

   • Calculate new account balances and states

   • Generate transaction results and metadata

3. Consensus Process

   • Validators propose their assembled ledger

   • Network reaches agreement on canonical version

   • Disputed elements resolved through voting

4. Validation and Finalization

   • Final ledger is cryptographically sealed

   • Distributed to all network participants

   • Becomes immutable part of the chain

State Transition Model

How State Changes Work:

ACID Properties:

Transaction Ordering and Determinism

Why Deterministic Ordering Matters:

All nodes must process transactions in identical order to reach the same final state.

Ordering Principles:

Multi-Tier Storage Architecture

Storage Hierarchy:

Data Lifecycle Management

Retention Policies:

Handling State Conflicts

Conflict Scenarios:

Ledger vs. Traditional Database

Comparison:

Immutability and Its Implications

Once a ledger is validated:

Code Enforcement:

Only immutable ledgers can be stored in a LedgerHolder and published to the network.

Summary

Key Architectural Concepts:

1. Sequential Chain: Ledgers form a cryptographically-linked chain

2. Three-Tier Structure: Header, transactions, and state tree

3. Merkle Trees: Enable efficient verification and synchronization

4. State Transitions: New ledgers created by applying transactions

5. Multi-Layer Integrity: Hashing, signatures, consensus, and chain validation

6. Tiered Storage: Hot, warm, and cold data with appropriate access speeds

7. Immutability: Validated ledgers cannot be modified

Design Benefits:

In the next chapter, we'll dive into the specific data structures that implement this architecture.