From 078afb51d9aca6ada1ec99b9d5dcd6d9e9fc2775 Mon Sep 17 00:00:00 2001
From: Ed Hennis
Date: Thu, 31 Jul 2025 10:49:48 -0400
Subject: [PATCH] WIP: Make requireAuth recursive if the sender is a vault
---
 src/libxrpl/ledger/View.cpp | 18 ++++++++++++++++++
 src/test/app/Vault_test.cpp | 19 +++++++++++++++++++
 2 files changed, 37 insertions(+)
diff --git a/src/libxrpl/ledger/View.cpp b/src/libxrpl/ledger/View.cpp
index deaf53c05b..ee799a720a 100644
--- a/src/libxrpl/ledger/View.cpp
+++ b/src/libxrpl/ledger/View.cpp
@@ -3139,6 +3139,24 @@ requireAuth(
 !isTesSuccess(err))
 return err;
 }
+
+ // requireAuth is also recursive if the _account_ is a vault
+ auto const sleAccount = view.read(keylet::account(account));
+ if (!sleAccount)
+ return tefINTERNAL; // LCOV_EXCL_LINE
+
+ if (sleAccount->isFieldPresent(sfVaultID))
+ {
+ auto const sleVault =
+ view.read(keylet::vault(sleAccount->getFieldH256(sfVaultID)));
+ if (!sleVault)
+ return tefINTERNAL; // LCOV_EXCL_LINE
+ auto const ownerAcct = sleVault->getAccountID(sfOwner);
+ if (auto const err =
+ requireAuth(view, mptIssue, ownerAcct, authType, depth + 1);
+ !isTesSuccess(err))
+ return err;
+ }
 }
 
 auto const mptokenID = keylet::mptoken(mptID.key, account);
diff --git a/src/test/app/Vault_test.cpp b/src/test/app/Vault_test.cpp
index cf6a6584cb..418aac90ea 100644
--- a/src/test/app/Vault_test.cpp
+++ b/src/test/app/Vault_test.cpp
@@ -2351,6 +2351,18 @@ class Vault_test : public beast::unit_test::suite
 .amount = asset(100)});
 env(tx, ter(tecNO_AUTH));
 
+ // Withdrawal to other (authorized) accounts doesn't work.
+ // Issuer would have to VaultClawback
+ tx[sfDestination] = issuer.human();
+ env(tx, ter(tecNO_AUTH));
+ tx[sfDestination] = owner.human();
+ env(tx, ter(tecNO_AUTH));
+ env.close();
+
+ // Issuer reauthorizes
+ mptt.authorize({.account = issuer, .holder = depositor});
+ env.close();
+
 // Withdrawal to other (authorized) accounts works
 tx[sfDestination] = issuer.human();
 env(tx);
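Review bot: In the `requireAuth` hunk of `src/libxrpl/ledger/View.cpp`, the added `if (!sleAccount) return tefINTERNAL; // LCOV_EXCL_LINE` treats a missing account root as unreachable, but `account` is a caller-supplied parameter and nothing in the hunk shows that every caller passes an account that exists in the view. Unless that invariant is established outside the hunk, fold the check into the vault test, `if (sleAccount && sleAccount->isFieldPresent(sfVaultID))`, so an absent account is simply not a vault and the MPToken lookup that follows the block still decides the result. The new comment could also say why the vault owner's authorization is required on top of the check on `account` itself that still runs after the block. The function starts and ends outside the hunk, so the depth limit that bounds `depth + 1` and any amendment gate on the enclosing block cannot be confirmed from these lines.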
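Review bot: None of the cases added in this first `Vault_test.cpp` hunk revokes the vault owner's authorization, so the owner-recursion branch added to `requireAuth` in the same patch appears to be untested. The new `tecNO_AUTH` expectations all sit before "Issuer reauthorizes" and flip to success once the depositor is authorized again, so they only track the depositor's state. Consider a case that keeps the depositor authorized and unauthorizes the owner, for example `mptt.authorize({.account = issuer, .holder = owner, .flags = tfMPTUnauthorize});` followed by `env(tx, ter(tecNO_AUTH));`, assuming the owner holds an MPToken in this fixture and that `tecNO_AUTH` is the intended result. The test function starts and ends outside the hunk, so setup that already covers this may exist out of view.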
@@ -2361,6 +2373,13 @@ class Vault_test : public beast::unit_test::suite
 env.close();
 }
 
+ // Re-unauthorize
+ mptt.authorize(
+ {.account = issuer,
+ .holder = depositor,
+ .flags = tfMPTUnauthorize});
+ env.close();
+
 {
 // Cannot deposit some more
 auto tx = vault.deposit(