Ripple Teams Up with Immunefi for $200K Security Challenge on XRPL Lending Protocol

Ripple and Immunefi Launch $200K Attackathon to Secure XRPL Lending Protocol

Ripple has teamed up with Immunefi to host an “Attackathon”, a bug-hunting event designed to test the security of its new XRPL Lending Protocol, which aims to bring fixed-term, uncollateralized loans to the XRP Ledger (XRPL). Participants can earn up to $200,000 for identifying vulnerabilities.

The competition runs from October 27 to November 29 and invites white-hat hackers and security researchers to scrutinize the protocol’s code before it goes live. Ahead of the event, Ripple is offering an “Attackathon Academy” from October 13 to October 27, providing educational materials, walkthroughs, and Devnet environments to help participants become familiar with XRPL’s architecture.

If a valid exploit is discovered, the entire $200,000 reward pool will be awarded. Otherwise, $30,000 will be distributed to contributors who submit meaningful findings.

The XRPL Lending Protocol, governed under XLS-66, differs from traditional DeFi models: it does not use smart contracts, wrapped assets, or on-chain collateral. Instead, creditworthiness is assessed off-chain, allowing financial institutions to apply their own risk models, while all fund flows and repayments are recorded on the ledger. Ripple positions this approach as a bridge between conventional credit markets and on-chain finance, providing transparency while maintaining regulatory safeguards. Institutions requiring collateralized structures can still operate through licensed custodians or tri-party agreements, with the protocol serving as the execution layer.

Researchers will focus on vulnerabilities that could threaten fund safety or protocol solvency, including vault logic, liquidation and interest calculations, and permissioned access controls. Bugs must be reproducible and accompanied by a working proof of concept to qualify for rewards.

The Attackathon will also examine several related standards, including XLS-65 (single-asset vaults), XLS-33 (multi-purpose tokens), XLS-70 (credentials), and XLS-80 (permissioned domains), providing a thorough review of the protocol’s security framework.