Unique Node Lists (UNLs) - The Trust Infrastructure

Definition: A Unique Node List (UNL) is a list of validators that a server trusts not to collude in an attempt to defraud it.

Example UNL Configuration (simplified):

[validator_list_sites]
https://vl.ripple.com 
https://vl.xrplf.org 

[validator_list_keys]
ED2677ABFFD1B33AC6FBC3062B71F1E8397C1505E1C42C64D11AD1B28FF73F4734
EDA8F88E8F4B3D7DF8A9D9BD4E3F9D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3

These keys authenticate the validator lists downloaded from the sites.

• Which validators' proposals are considered in consensus
• Which validators' validations count toward finality
• Whose "80%" matters for your server

Servers can configure UNLs in two ways:

Option 1: Validator List Sites (Recommended)

Server downloads signed list from trusted sites
List contains current recommended validators
Lists are updated periodically
Server automatically uses latest list

Option 2: Explicit Configuration (Advanced)

Server operator manually specifies validator public keys
No automatic updates
Operator responsible for maintenance
More control but more work

In Practice:
The vast majority of servers use the default validator list sites (Ripple and XRPL Foundation), resulting in ~100% UNL overlap for these servers.

Currently, two major UNL publishers exist:

• Original publisher

• Long track record

• Business interest in XRPL success

• Non-profit foundation

• Community governance

• Provides independence from Ripple

The Lists Are Similar:
Both publishers recommend similar (but not identical) validator sets. Differences are minor, and overlap requirements are met.

Anyone Can Publish:
Technically, anyone can run a validator list site. The challenge is getting servers to trust it.

If two servers have completely different UNLs, they might reach different consensus:

Server A's UNL: {V1, V2, V3, V4, V5}
Server B's UNL: {V6, V7, V8, V9, V10}

Overlap ensures both servers hear from common validators, forcing agreement.

The required overlap has changed as understanding improved:

Original Whitepaper (2014): 20% overlap claimed sufficient

Correction (2015): Ripple acknowledged error, recommended 100% overlap

Academic Analysis (2018): Chase & MacBrough proved >90% overlap needed for safety

Current Practice: Default UNLs provide 100% overlap

For two UNLs to safely agree:

• UNL_A and UNL_B are two UNLs
• Both require 80% agreement for validation
• f = Byzantine tolerance (20% of each UNL)

For safety (no conflicting validations):
|UNL_A ∩ UNL_B| > |UNL_A| × 0.2 + |UNL_B| × 0.2

Simplified for equal-sized UNLs of size n:
Overlap > 0.4n (40% overlap minimum for safety alone)

But for liveness AND safety:
Overlap must be > 90%

With 100% overlap (same UNL):
Safety and liveness fully guaranteed (up to 20% Byzantine)
```

The Centralization Trap:
High overlap requirement pushes everyone toward same UNL, concentrating trust in UNL publishers.

The default UNL includes validators operated by:

VALIDATOR OPERATOR CATEGORIES (approximate):

- Bitstamp
- Bitso
- Gatehub
- Coinone
- Others...

- Ripple (1 validator)
- XRPL Foundation
- Coil
- Xpring
- Others...

- Alloy Networks
- Validator.xrp-partner.com
- Various independent operators
- University-affiliated validators
- Others...

- North America: ~30%
- Europe: ~30%
- Asia: ~25%
- Other: ~15%

Good validators demonstrate:

• High uptime (99.9%+)

• Minimal missed validations

• Quick recovery from issues

• Validates ledgers that achieve consensus

• Low "disagreement" rate

• Follows protocol correctly

• Domain verification (proves operator identity)

• Public operator information

• Accountability and contactability

The process isn't formally defined but generally involves:

1. Run a validator reliably for extended period
2. Complete domain verification (prove identity)
3. Build reputation in XRPL community
4. Apply to UNL publishers (informal)
5. Publishers evaluate based on track record, diversity, reliability
6. If accepted, added to recommended list

The Gatekeeping Concern:
UNL publishers decide who gets included. This is a form of centralized control, even if exercised responsibly.

Critics argue:

"XRPL is centralized because..."

1. Default UNL concentration: Most users trust the same ~35 validators
2. Publisher control: Ripple/XRPLF control who's on default UNL
3. Low validator count: 35 validators << thousands of Bitcoin miners
4. Ripple influence: Company with business interest influences network
5. No economic stake: Validators have nothing at risk for misbehavior

Defenders respond:

"XRPL is sufficiently decentralized because..."

1. Anyone can validate: Open participation, just need reputation for UNL
2. Multiple publishers: Ripple isn't the only UNL publisher
3. Diverse operators: 35 validators are operated by different entities globally
4. No single point of failure: No single validator's failure stops network
5. Accountability: Known validators can be held responsible
6. Track record: 12+ years without consensus failure or fraud

Both sides have valid points:

• Most servers DO use default UNL

• Ripple DOES have significant influence

• Getting on UNL IS a gatekeeping function

• 35 validators IS less than Bitcoin's mining ecosystem

• XRPL is more decentralized than traditional payment systems

• 35 independent operators >> single bank

• Geographic and organizational diversity exists

• No single entity can unilaterally control

The Real Question:
"Is XRPL decentralized enough for my use case?"

New validators join the default UNL through:

• Demonstrate reliability (months of operation)

• Complete domain verification

• Build community reputation

• Request consideration from publishers

• No documented requirements

• Publishers use judgment

• Can be opaque

This Is a Problem:
Lack of formal criteria creates uncertainty and accusations of favoritism.

Validators may be removed for:

• Extended downtime

• Frequent disagreement

• Technical problems

• Detected misbehavior

• Operator misconduct

• Security compromise

• Publishers monitor validator performance

• Problems may result in removal

• Notification may or may not occur

• Community pressure can influence decisions

Proposals for improving UNL governance:

Formal Criteria:
Define clear requirements for inclusion/exclusion

Decentralized Selection:
On-chain voting for UNL membership

Multiple UNL Ecosystems:
Different communities with different UNLs (reduces single point of control)

Economic Incentives:
Introducing stake or other economic mechanisms

Current Status:
These are discussion topics, not implemented features.

When evaluating XRPL's UNL model:

• Who operates them?

• What are their incentives?

• How are they distributed geographically/organizationally?

• What's their track record?

• Do I trust these entities not to collude?

• What would I do if they did collude?

• Is this trust model better than alternatives?

• Do I need maximum censorship resistance?

• Do I need fast settlement?

• Do I need known counterparties?

• What's my threat model?

UNL TRUST ASSESSMENT FRAMEWORK:

1. IDENTIFY: Who are the UNL validators?

1. EVALUATE: Are they trustworthy?

1. SCENARIO: What if 20% collude?

1. COMPARE: Is this better than alternatives?

1. DECIDE: Is this acceptable?

Full disclosure of course perspective:

• Not as decentralized as Bitcoin

• More decentralized than traditional finance

• Appropriate for some use cases, not all

• A reasonable engineering trade-off for its goals

• UNL publisher concentration

• Lack of formal governance

• Unclear economic incentives for validators

• Known, accountable participants

• Fast, deterministic finality

• Proven track record

• Suitable for institutional use

The course position:
Present the facts honestly; let students decide for themselves.

XRPL's UNL model is a deliberate design choice, not an accident or flaw. It enables fast consensus with known participants at the cost of maximum decentralization. Whether this trade-off is acceptable depends on your requirements. For institutional settlement with regulatory compliance needs, the UNL model may be superior to anonymous mining. For censorship-resistant money storage, Bitcoin's model is stronger. Know what you need before judging the mechanism.

Assignment: Research and analyze the current XRPL default UNL composition.

Requirements:

• Number of validators

• Operator names/organizations for at least 20 validators

• Geographic distribution (by country/region)

• Organizational categories (exchanges, infrastructure, community, etc.)

• Any validators operated by the same parent organization

• Are any validators potentially controlled by the same entity?

• What's the maximum influence any single organization could have?

• Are there any obvious concentration risks?

• How geographically diverse is the set?

• Is this validator set "decentralized enough" for institutional settlement? Why or why not?

• What would make you MORE confident in the validator set?

• What would make you LESS confident?

• How does this compare to trust in traditional correspondent banking?

• XRPL Explorer (livenet.xrpl.org/network/validators)

• XRPSCAN (xrpscan.com/validators)

• Validator operator websites

• XRPL community resources

• Thoroughness of validator research (30%)

• Quality of independence assessment (30%)

• Thoughtfulness of personal assessment (30%)

• Proper sourcing and presentation (10%)

Time investment: 3-4 hours
Value: This research grounds the centralization debate in actual data rather than abstract arguments.

For Next Lesson:
Lesson 9 examines the consensus rounds in detail—how the voting process actually works, threshold escalation, and transaction set convergence. With UNL understanding established, you can now understand whose votes are being counted.

End of Lesson 8

Total words: ~5,400
Estimated completion time: 60 minutes reading + 3-4 hours for deliverable

Teaching Philosophy:
UNLs are XRPL's most controversial feature. The lesson presents both the critique and defense fairly, then provides a framework for students to reach their own conclusions. The goal isn't to convince students XRPL is perfect OR flawed—it's to equip them to evaluate honestly.

Deliverable Purpose:
The UNL analysis report forces students to actually research current validators rather than accepting abstract claims. By documenting real operators, geographic distribution, and independence, students develop informed opinions based on data.

Lesson 9 Setup:
With UNL understanding established (who votes), Lesson 9 explains how the voting actually works (consensus rounds, threshold escalation). Students will understand whose votes count and how those votes are aggregated.