0091 XLS-91d: Beneficiary - An Inheritance Solution for XRPL

[xrpl365]

XLS-91 Beneficiary - An Inheritance Solution for XRPL

Title:       Beneficiary
Type:        Draft
Revision:    1
Authors:     Chris Dangerfield @xrpl365
             Denis Angell @angell_denis

Introduction

The need for a secure and reliable inheritance mechanism on the XRP Ledger has been a recurring topic within the community. In the event of an account holder's death, without access to the private key, the assets in the account are effectively lost forever, causing significant concern for users who want to ensure their digital assets are passed on to their beneficiaries.

Existing solutions, like sharing private keys with executors or family members, pose significant security risks and are often impractical due to trust issues or technical limitations.

This proposal aims to introduce a simple, secure, and user-friendly inheritance mechanism on the XRP Ledger by leveraging new transaction types and modifications to the AccountRoot ledger entry. This mechanism allows account holders to set a beneficiary who can claim access to the account after a specified period of inactivity, ensuring assets can be passed on without compromising the account's security during the holder's lifetime.

Problem Statement

When an XRP Ledger account holder dies without sharing their private key:

• Assets are locked indefinitely: Without access to the key, no one, including family or executors, can transfer the XRP or other account assets.
• Risk of pre-death draining: Sharing keys with executors exposes the account to potential unauthorized access during the holder’s lifetime.

Users need a way to ensure their assets can be securely passed on to beneficiaries in the event of their death, without compromising their autonomy or the security of their account while they are alive.

Amendment

The proposed amendment introduces a new inheritance mechanism on the XRP Ledger by adding two new transaction types and extending the AccountRoot ledger entry.

• New Transaction Types:

  • SetBeneficiary
  • InvokeBeneficiary

• AccountRoot Ledger Entry Extensions:

  • Implements new fields to track beneficiary information and account activity.

New Transaction Type: SetBeneficiary

The SetBeneficiary transaction allows an account holder to designate a beneficiary account (sfBeneficiary) and specify a time lock period (sfTimeLock). Once set, these fields are added to the AccountRoot ledger entry of the account.

Transaction Format

Field	Type	Required	Description
TransactionType	UInt16	✔️	The type of transaction, which is SetBeneficiary (ttSET_BENEFICIARY).
Account	AccountID	✔️	The account setting the beneficiary.
Beneficiary	AccountID	✔️	The account ID of the beneficiary.
TimeLock	UInt32	✔️	The time lock period in seconds since the last interaction.

Example SetBeneficiary Transaction

{
  "TransactionType": "SetBeneficiary",
  "Account": "rUpy3eEg8rqjqfUoLeBnZkscbKbFsKXC3v",
  "Beneficiary": "r4G4ZUPkMpXhB6sSpCD1HN2LZUjWkAp8ie",
  "TimeLock": 15552000 // e.g., 180 days in seconds
}

AccountRoot Ledger Entry Extensions

The AccountRoot ledger entry will be extended to include the following new fields:

• Beneficiary Fields:
  • sfBeneficiary (AccountID): The account ID of the designated beneficiary.
  • sfTimeLock (UInt32): The time lock period in seconds for inactivity.
  • sfLastInteraction (UInt32): The timestamp of the last outgoing transaction from the account.

Updated AccountRoot Ledger Entry Format

The AccountRoot ledger entry will now include:

Field	Type	Description
...	...	Existing fields remain unchanged.
Beneficiary	AccountID	(New) The account ID of the designated beneficiary.
TimeLock	UInt32	(New) The time lock period in seconds since last interaction.
LastInteraction	UInt32	(New) The timestamp of the last outgoing transaction.

Handling SetBeneficiary Transaction

When a SetBeneficiary transaction is submitted:

1. Validation:

   • The Beneficiary field must be a valid AccountID (account exists).
   • The TimeLock must be a positive integer representing the time lock period in seconds.

2. Update AccountRoot Ledger Entry:

   • The sfBeneficiary and sfTimeLock fields are added or updated in the AccountRoot ledger entry of the Account.
   • The sfLastInteraction is initialized to the timestamp of the current ledger (if not already set).

3. Transaction Result:

   • On success, the transaction result is tesSUCCESS.
   • On failure (e.g., invalid fields), appropriate error codes are returned.

Updating sfLastInteraction

• The sfLastInteraction field in the AccountRoot ledger entry is updated to the timestamp of the current ledger whenever an outgoing transaction (a transaction where the Account is the sender) is successfully processed.
• Incoming transactions, or transactions where the account is only the recipient, do not update the sfLastInteraction.

New Transaction Type: InvokeBeneficiary

The InvokeBeneficiary transaction allows the beneficiary or any other party to initiate the claim process. The transaction will succeed only if the time elapsed since the sfLastInteraction is greater than or equal to the sfTimeLock. Upon success, the sfRegularKey of the account is set to the sfBeneficiary account ID, giving the beneficiary full access to the account.

Transaction Format

Field	Type	Required	Description
TransactionType	UInt16	✔️	The type of transaction, which is InvokeBeneficiary (ttINVOKE_BENEFICIARY).
Account	AccountID	✔️	The account initiating the claim (can be any account).
Owner	AccountID	✔️	The account ID of the account being claimed (the original account).

Example InvokeBeneficiary Transaction

{
  "TransactionType": "InvokeBeneficiary",
  "Account": "rAnyAccountId",
  "Owner": "rAliceAccountID"
}

Handling InvokeBeneficiary Transaction

When a InvokeBeneficiary transaction is submitted:

1. Validation:

   • The Owner field must be a valid AccountID of an account that has sfBeneficiary and sfTimeLock set in its AccountRoot ledger entry.

2. Time Lock Verification:

   • Calculate the time elapsed since sfLastInteraction:
     • TimeElapsed = CurrentLedgerTime - sfLastInteraction
   • Verify that TimeElapsed >= sfTimeLock.

3. Update AccountRoot Ledger Entry:

   • If the time lock condition is satisfied:
     • Set the sfRegularKey of the Owner account to the sfBeneficiary account ID.
     • Remove sfBeneficiary and sfTimeLock fields from the AccountRoot.
   • If the time lock condition is not satisfied:
     • The transaction fails with a suitable error code (e.g., tecNO_PERMISSION).

4. Transaction Result:

   • On success, the transaction result is tesSUCCESS.
   • On failure, appropriate error codes are returned.

Access Granted to Beneficiary

By setting the sfRegularKey of the account to the beneficiary's account ID, the beneficiary gains full access to the account through the RegularKey mechanism of the XRP Ledger. The sfBeneficiary and sfTimeLock fields are removed to prevent re-triggering of the inheritance process.

Security Considerations

• Reversible Actions: The account holder can at any time submit a new SetBeneficiary transaction to update or remove the beneficiary designation by setting Beneficiary to an empty value or omitting the field.
• Activity Resets Time Lock: Any outgoing transaction from the account updates sfLastInteraction, resetting the inactivity timer.
• RegularKey Security: The RegularKey mechanism is standard in XRPL; however, account holders should be aware that setting the RegularKey to the beneficiary account effectively grants full control over the account to the holder of that key, once the timelock conditions are satisfied.
• Beneficiary with multisig: For added security if the beneficiary account has multisig enabled, no single entity can control the assets upon invoking, adding an additional layer of protection for the family.

Examples

Scenario: Setting a Beneficiary

Alice wants to set Bob as her beneficiary, with a time lock of 6 months (15,552,000 seconds). She submits a SetBeneficiary transaction.

{
  "TransactionType": "SetBeneficiary",
  "Account": "rAliceAccountID",
  "Beneficiary": "rBobAccountID",
  "TimeLock": 15552000
}

Upon successful processing, Alice's AccountRoot ledger entry is updated with the sfBeneficiary, sfTimeLock, and initializes sfLastInteraction to the current ledger timestamp.

Scenario: Invoking Beneficiary

After Alice passes away and no transactions are made from her account for over 6 months, Bob (or any other party) submits a InvokeBeneficiary transaction.

{
  "TransactionType": "InvokeBeneficiary",
  "Account": "rAnyone",
  "Owner": "rAliceAccountID"
}

If the time elapsed since sfLastInteraction is equal to or greater than sfTimeLock, the transaction succeeds, setting the sfRegularKey of Alice's account to rBobAccountID, and removing the beneficiary fields.

Bob can now use his own secret key to sign transactions on behalf of Alice's account via the RegularKey mechanism, effectively gaining access to the assets.

Edge Cases and Handling

• Account Activity Prevents Invoking: If any outgoing transaction is made from the account before the sfTimeLock period elapses, the sfLastInteraction is updated, resetting the timer.
• Multiple Invocations: Once the InvokeBeneficiary transaction succeeds, the beneficiary fields are removed from the AccountRoot, preventing further claims.
• Account Deletion: If the account is deleted before the time lock expires, normal account deletion procedures apply.
• RegularKey Already Set: If the account already has a RegularKey set, setting the beneficiary does not interfere with that. However, when the InvokeBeneficiary transaction is successful, the sfRegularKey is updated to the beneficiary's account ID, overriding any existing RegularKey.

Open Questions

• Maximum TimeLock: Should there be a maximum allowable TimeLock period to prevent excessively long or infinite time locks?
• Notification Mechanisms: How can beneficiaries be notified of the ability to claim inheritance (off-ledger considerations)?
• Legal Considerations: How does this mechanism align with inheritance laws across different jurisdictions?
• Potential Abuse: Are there any potential vectors for abuse or unintended consequences of allowing the RegularKey to be set in this manner?

[tequdev]

How does it work if the account has been blackholed?

If it doesn't work if the account has been blackholed, you need to define what blackholed status is. (is it only when the master key has been disabled and the regular key is a ZERO/ONE Account? etc.)

[dangell7]

There is currently no check for blackholed accounts. If you want to have your beneficiary be a blackholed account thats up to you.

[tequdev]

This refers to the case where Alice blackholes her own account after setting Beneficiary.

This function will cancel the blackhole, right?

[xrpl365]

Given the spec currently says that any regular key would be overwritten, then yes, this would essentially un-blackhole the account, but the beneficiary clearly needs to be set first. I see no issue with this, and any sites displaying an account as being blackholed woudl need to just update their logic to check for the presence of beneficiary, before attesting to it being blackholed

Interestingly though, it does open up to some interesting ideas which are occurring to me know after reading the new smart escrow proposal. If you had some issued assets on an account; then set the beneficiary with a time lock of one year, then set a beneficiary account, then blackholed it, you just achieved a form of escrow for an issued asset. Just occurred to me. Is this good or bad ?

Q: Should we work work to prevent this?

[mvadari]

nit: Transactions are usually named in the form of NounVerb. So they should be BeneficiarySet and BeneficiaryInvoke.

[xrpl365]

noted, we can update :-)

[ximinez]

1. Can I assume that all the new AccountRoot fields will be optional?
2. Should BeneficiarySet.Beneficiary be optional, where absence indicates clearing the beneficiary?
3. When the beneficiary is cleared, all three of the new fields should be removed.
4. There's no point in setting LastInteraction if there's no beneficiary, so it makes sense that it should only be updated if set. And if it's removed when a beneficiary is removed, that takes care of itself.
5. Did you consider using a new ledger object instead of adding fields to AccountRoot? I think this extra data is worth charging an incremental reserve.

[dangell7]

1. Yes they would be if we stay with AccountRoot
2. Yes, that makes the spec clearer as I think that was implemented but not in the spec
3. Great Suggestion
4. Agree
5. I did not, I was going for as light weight as possible (minimal changes) but someone also suggested adding BeneficiarySigners. So I have been looking at a LedgerEntry.

Now that I think about it 2/3 transactors that all adjust the same LedgerEntry but have different names might get confusing for future updates as well. LedgerEntry is a winner here imo.

Thank you for your valuable inputs!

[ximinez]

Thank you for your valuable inputs!

YW!

[xVet]

Wouldn't we need also a delete beneficiary tx? In case i want to cancel between last tx and timelock period

[xrpl365]

BeneficiarySet can be used to perform disable, as well as an enabled and update.

[sappenin]

The InvokeBeneficiary transaction allows the beneficiary or any other party to initiate the claim process.

Is there any particular reason the proposal doesn't require the InvokeBeneficiary transaction to be signed by the beneficiary?

I worry about scenarios where the original account is no longer accessible, and the beneficiary account becomes inaccessible in a surprising or unforeseen way (this might be due to errantly setting the beneficiary to a blackhole/special address, loss of private keys of the beneficiary, or otherwise).

By forcing the beneficiary to prove access to the beneficiary account, we know funds can't be pulled into an inaccessible beneficiary account (because that account must sign).

[ximinez]

That said, if the user is super smart they would chain beneficiary accounts,

Circular beneficiaries!!!

That might actually be a valid use case for, for example, spouses.

[mvadari]

By forcing the beneficiary to prove access to the beneficiary account, we know funds can't be pulled into an inaccessible beneficiary account (because that account must sign).

The funds aren't "pulled" anywhere, the regular key is just changed.

[sappenin]

The funds aren't "pulled" anywhere, the regular key is just changed.

...all this change does is ensure the funds remain on the original account.

Good points -- these aren't crucial to my worry though. I'm more thinking about not getting funds locked-up on accident.

If we enforce the rule around who can invoke, then this prevents a form of backup from being useable.

Despite my initial worry, this is a really good point. I need to consider the tradeoffs here a bit more.

[Tapanito]

Circular beneficiaries!!!

Taking @ximinezs example further. What would happen if Account A uses account B as a beneficiary and account B uses account A as a beneficiary, and both accounts meet the conditions to submit the BeneficiaryInvoke transaction, which they do, in the same ledger. Although a contrived example, it is a possible one.

[dangell7]

The same thing that would happen if you submitted 2 SetRegularKey transactions with the same details right?

[mvadari]

Is there a potential issue here if the user was already primarily using their regular key instead of their master key (e.g. when using the XRPL Labs Vanity Address service)?

The situation I'm imagining:

• Master key is blackholed
• User is using their regular key
• They set a beneficiary
• User doesn't use their account for a while via happenstance
• The beneficiary is activated, changing the regular key and locking the original user out of their own account.

[mvadari]

This is a potential issue regardless of who can trigger the beneficiary switch - we've all read stories of e.g. kids who scheme to get their parents' money as early as possible.

[xrpl365]

I acknowledge your point, but I advocate taking the approach of making the feature as flexible as possible and empowering users to make the informed decision they choose. These discussions so far make me lean towards allowing both options and simply empower the user to take responsibility for their decision by setting a simple boolean as part of the feature OR we build smart feature functionality into this amendment from day one, leave the protocol open and allow it to be locked down with an extension.

I do think we are all on the same page here, the problem is there are genuinely trade-offs to both options.

Does anyone have any solid reason why we should not allow both, if so, it is just a case of determining the best way to implement it.

[mvadari]

Actually, why does the regular key have to change at all? Why can't the beneficiary just be an additional key that can sign for the account?

[ximinez]

Actually, why does the regular key have to change at all? Why can't the beneficiary just be an additional key that can sign for the account?

...You could get rid of the InvokeBeneficiary transaction entirely. It would basically be automatic. "Just" modify the signature checking logic such that if the amount of time has passed, and the transaction is signed by the beneficiary, it works.

[xrpl365]

I think we would ultimately take advice on this, but... from my understanding, what you describe would be adding/changing a fairly significant area of code; whereas what we tried to do was keep it as simple as possible, re-using functionality that essentially already exists; yes its a new transaction but the code behind it is really really simple.
Our thought process was the less we changed and the more we re-use, the better.

I think this is just a design choice, so lets treat it as such.
I'm happy with either solution.