Immunefi
Blog
Platform
Bug Bounty ProgramsPR ReviewsMultisig Tx ReviewAuditsMonitoringAudit CompetitionsInvite OnlySafe HarborVaultsManaged TriageHelp Center
Security Researchers

Join Immunefi

Find bugs. Get paid.

Immunefi Profile PicHelp for WhitehatsAll StarsLearnLeaderboardImmunefi Top 10 BugsWhitehat AwardsWhitehat Hall of FameReport FindingsResponsible Publication
LoginExplore BountiesGet Protected
Back to Explore
Attackathon | XRPL Lending Protocol-logo

Attackathon | XRPL Lending Protocol

Learn

The XRP Ledger (XRPL) is a decentralized layer 1 blockchain renowned for its decade-long reliability and stability in tokenizing and exchanging crypto-native and real-world assets.

The XLS-66 specification introduces the XRP Ledger-native Lending Protocol, which facilitates straightforward, on-chain, uncollateralised fixed-term loans with pre-set interest terms. Loan liquidity is sourced from pooled funds, while the design relies on off-chain underwriting and risk management to assess borrowers’ creditworthiness.

Blockchain
C/C++

Live

21d: 8h remaining
Primary Pool
$140,000
All Stars Pool
$40,000
Podium Pool
$20,000
Start Date
27 October 2025
End Date
24 November 2025
Rewards Token
RLUSD
Lines of Code
35,498

  • Triaged by Immunefi

  • Step-by-step PoC Required

  • KYC required

Submit a Bug
InformationScopeResources

Codebase

Title
XLS-66
Description
Lending Protocol Implementation
Link

Documentation

Title
XRPL Documentation
Description
Documentation
Link
Title
Rippled codebase
Description
Codebase
Link
Title
XRPL Standards
Description
Standards
Link
Title
XRPL Devnet explorer
Description
Explorer
Link
Title
XRPL dev portal code sample
Description
Code samples
Link
Title
XRPL js & python scripts
Description
Scripts
Link
Title
XRPL Learning portal
Description
Learning portal
Link
Title
Contribute to code
Description
Code Contributions
Link
Title
Amendments
Description
Amendments
Link
Title
XLS-66d
Description
XRP Ledger-native Lending Protocol spec
Link
Title
XLS-65d
Description
Single Asset Vault spec
Link
Title
XLS-65d
Description
Single Asset Vault doc
Link
Title
XLS-33
Description
Multi-Purpose Tokens (MPTs) spec
Link
Title
XLS-33
Description
Multi-Purpose Tokens (MPTs) doc
Link
Title
XLS-80
Description
Permissioned Domains spec
Link
Title
XLS-80
Description
Permissioned Domains doc
Link
Title
XLS-70
Description
Credentials spec
Link
Title
XLS-70
Description
Credentials doc
Link
Title
XLS-77
Description
Deep-freeze spec
Link
Title
XLS-77
Description
Deep-freeze doc
Link
Go to Audits & Known Issues

Insight Reporting

Insight reports may be reported to this program and require a PoC. Insights are rewarded according to Immunefi’s Standardized Competition Reward Terms.

Dispute Resolution

If there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.

Asset Accuracy Assurance

  • Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.

Private Known Issues Reward Policy

  • Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.

Primacy of Impact vs Primacy of Rules

  • Ripple/ XRPL adheres to the Primacy of Rules, which means that the whole Attackathon program is run strictly under the terms and conditions stated within this page.

KYC Requirement

Ripple/ XRPL requires Immunefi, through its partner Onfido, to collect and assess SRs’s KYC information to pay for bug submissions. The following information will be required:

  • Full name
  • Date of birth
  • Proof of address (either a redacted bank statement with address or a recent utility bill)
  • Copy of Passport or other Government issued ID

Security researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.

Responsible Publication

  • Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:

    • Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.

  • Immunefi may publish bug reports submitted to this Audit Competition and a leaderboard of the participants and their earnings.

Feasibility Limitations

  • When there is uncertainty about how feasible an attack is Immunefi will use our feasibility limitation standards to determine the severity of the report.

Immunefi Standard Badge

  • By adhering to Immunefi’s best practice recommendations, Ripple/ XRPL has satisfied the requirements for the Immunefi Standard Badge.