Ripple, Immunefi Launch $200K Bug Hunt for XRPL’s New Institutional Lending Protocol

Fintech company Ripple is partnering with security platform Immunefi for an upcoming “Attackathon” event, designed to put a new decentralized finance protocol on the XRPL through rigorous testing.

The event will offer $200,000 in rewards to participants who help identify vulnerabilities in the proposed XRPL Lending Protocol, a new system designed to bring fixed-term, uncollateralized loans to the XRP Ledger.

Attackathon, which runs from Oct. 27 to Nov. 29, will invite white-hat hackers and security researchers to probe the codebase and report vulnerabilities before the protocol goes live.

Ripple will offer full educational support through an “Attackathon Academy,” including walkthroughs and Devnet environments, to help researchers get familiar with XRPL’s architecture. The learning stage runs from Oct. 13 to Oct. 27. Following this, the bug hunting competition starts Oct. 27 and continues through November, giving researchers ample time to thoroughly examine the protocol.

If a valid exploit is found, the entire reward pool unlocks. If not, $30,000 will be distributed to participants who contribute meaningful findings.

The XRPL Lending Protocol, governed under XLS-66, takes a different path from typical DeFi models. There are no smart contracts, wrapped assets, or on-chain collateral. Instead, creditworthiness is assessed off-chain, which allows financial institutions to apply their own risk models, while funds and repayments are recorded directly on the ledger.

It is an approach Ripple is pitching as a bridge between traditional credit markets and on-chain finance, offering transparency while keeping regulatory guardrails intact. Institutions that need collateralized structures can still manage those through licensed custodians or tri-party agreements, with the protocol acting as the execution layer.

Researchers will focus on vulnerabilities that could threaten fund safety or protocol solvency. In-scope targets include vault logic, liquidation and interest calculations, and permissioned access controls. Bugs must be reproducible and come with working proof-of-concepts to qualify.

The Attackathon covers several linked standards, including XLS-65 (single-asset vaults), XLS-33 (multi-purpose tokens), XLS-70 (credentials), and XLS-80 (permissioned domains).