Fintech company Ripple is partnering with security platform Immunefi for an upcoming “Attackathon” event designed to put a new decentralized financial protocol on XRPL through rigorous testing.
The event will offer $200,000 in rewards to participants who help identify vulnerabilities in the proposed XRPL Lending Protocol, a new system designed to bring time-limited, unsecured loans to the XRP Ledger.
The Attackathon, which runs from October 27 to November 29, will invite white-hat hackers and security researchers to examine the codebase and report vulnerabilities before the protocol goes live.
Ripple will offer full educational support through an “Attackathon Academy,” including walkthroughs and Devnet environments, to help researchers familiarize themselves with XRPL’s architecture. The learning stage runs from October 13 to October 27. After this, the bug-hunting competition starts on October 27 and continues through November, giving researchers plenty of time to examine the protocol thoroughly.
If a valid exploit is found, the entire reward pool is unlocked. If not, $30,000 will be distributed to participants who contribute meaningful results.
The XRPL Lending Protocol, underpinned by XLS-66, takes a different path from typical DeFi models. There are no smart contracts, wrapped assets or on-chain collateral. Instead, creditworthiness is assessed off-chain, allowing financial institutions to apply their own risk models, while funds and repayments are recorded directly on the ledger.
It’s an approach that Ripple is pitching as a bridge between traditional credit markets and on-chain financing, offering transparency while keeping regulatory guardrails intact. Institutions that need collateralized structures can still manage them through licensed custodians or tripartite agreements, with the protocol acting as the execution layer.
Researchers will focus on vulnerabilities that could threaten the foundation’s security or protocol solvency. In-scope goals include vault logic, liquidation and interest calculations, and permissive access control. Bugs must be reproducible and come with working proofs of concept to qualify.
The Attackathon covers several related standards, including XLS-65 (single-enabled vaults), XLS-33 (multi-purpose tokens), XLS-70 (credentials), and XLS-80 (allowed domains).



