Immunefi and Ripple Announce $200,000 Attackathon to Secure Proposed XRPL Lending Protocol
Ripple and Immunefi are collaborating to launch a $200,000 Attackathon to secure the proposed XRPL Lending Protocol as part of the institutional DeFi roadmap. This program is a time-boxed, adversarial competition, where security researchers dive into the code to ensure the protocol has the strongest possible security posture, surfacing vulnerabilities before they reach production.
The XRPL Lending Protocol introduces fixed-term, uncollateralized loans directly on the XRP Ledger. There are no smart contracts or wrapped assets involved, and the protocol itself does not hold collateral. Creditworthiness is assessed off-chain — a deliberate design choice that allows institutions to apply their existing underwriting and risk models — while funds are pooled on-chain and repayments follow predefined terms enforced at the protocol level. Institutions that require collateralized loans can still structure them off-ledger through licensed custodians or tri-party arrangements, combining the transparency of XRPL with the safeguards of regulated custody.
It’s governed by XLS-66, a new standard designed not just to add functionality, but to build the foundation for capital markets on XRPL.
The ambition is high, and so are the stakes.
How the XRPL Attackathon is structured
- Total reward pool: $200,000 USD
- Education period: October 13 to October 27, 2025
- Attackathon dates: October 27 to November 29, 2025
- Language: C++
If even one valid bug is found during the program, the full $200,000 is unlocked and will be distributed. If no bugs are found, a fallback pool of $30,000 is paid out to participants who submitted valid insights.
Flat distribution rules apply, and a portion of the pool is reserved for top performers through Immunefi’s All Star and Podium programs.
What’s in scope
This is a complex protocol with multiple primitives and edge cases. The most valuable bugs will directly impact fund security or vault solvency.
Only bugs affecting the deployed, in-scope codebases are eligible. All bugs must be submitted with working proof-of-concepts. Here’s what’s in scope:
Primary assets include:
- XLS-66 Lending Protocol
- XLS-65 Single Asset Vault (SAV)
- XLS-33 Multi-Purpose Tokens (MPTs)
- XLS-70 Credentials
- XLS-77 Deepfreeze
- XLS-80 Permissioned Domains
Priority targets include:
- Liquidation Logic: Triggering or preventing liquidations through invalid state transitions
- Interest Accrual: Bugs that misrepresent debt or reward the wrong party
- Clawback and Deepfreeze: Circumventing asset freezes or clawback restrictions
- Administrative Attacks: Altering internal protocol records or balances
- Vault Interactions: Exploiting minting, redemption, or reward distribution
- Permissioned Access Control: Bypassing borrower or lender restrictions
Private known issues are valid for submission if they have not been publicly disclosed. Publicly known issues are not eligible.
Education to support your XRPL Attackathon success
To support researchers new to XRPL, Ripple and Immunefi are providing full access to the Attackathon Academy throughout the Education Period, including:
- Live walkthroughs with Ripple engineers
- XRPL-focused curriculum built for security researchers
- Devnet guides, build instructions, and test environments
- Policy support and researcher coordination via Discord
The Academy is open-access and will remain live after the competition ends.
Get ready to secure the future of uncollateralized lending
This protocol is being launched to support real-world credit markets on XRPL. It is designed for institutional integration, not speculative yield.
This is your opportunity to shape the future of XRPL security, establish yourself as a leader in the non-EVM security space, and earn meaningful rewards for meaningful findings.
Prepare accordingly.
