A $200K Bug Hunt for the New XRPL Institutional Lending Protocol



Fintech company Ripple is teaming up with security platform Immunefi for an upcoming “Attackathon” event, designed to put a new decentralized finance protocol on the XRPL to the test.

The event will offer $200,000 in rewards to participants who can help identify vulnerabilities in the proposed XRPL lending protocol, a new system designed to bring fixed, anonymous loans to the XRP Ledger.

The Attackathon, which runs from October 27 to November 29, will invite white-hat hackers and security researchers to review the codebase and report vulnerabilities before the protocol goes live.

Ripple will offer full educational support through an “Attackathon Academy,” including walkthroughs and devnet environments, to help researchers familiarize themselves with the XRPL architecture. The study phase runs from October 13 to October 27. After that, the bug hunting competition begins October 27 and continues through November, giving the researchers plenty of time to thoroughly evaluate the protocol.

If a valid exploit is found, the entire pool unlocks. Otherwise, $30,000 will be shared among participants who contribute significant findings.

The XRPL lending protocol, governed under XLS-66, takes a different path from standard DeFi models. There are no smart contracts, wrapped assets, or on-chain collateral. Instead, creditworthiness is assessed off-chain, allowing financial institutions to apply their own risk models, while funds and payments are recorded directly on the ledger.

It’s a strategy that Ripple is pitching as a bridge between traditional credit markets and on-chain finance, offering transparency while maintaining regulatory integrity. Institutions that require collateralized structures can still manage those through licensed custodians or tri-party agreements, with the protocol acting as the enforcement layer.

Researchers will focus on vulnerabilities that could threaten the safety of the fund or protocol solvency. In-scope targets include vault logic, liquidation and interest calculations, and permitted access controls. Bugs must be reproducible and include a working proof of concept to qualify.

The Attackathon covers several linked standards, including XLS-65 (single-asset vaults), XLS-33 (multi-purpose tokens), XLS-70 (credentials), and XLS-80 (domain permissions).


