There’s a $200,000 bug hunt for XRPL’s new institutional lending protocol

Fintech company Ripple is partnering with security platform Immunefi for an upcoming “Attackathon” event, designed to establish a new decentralized financial protocol on XRPL through rigorous testing.

The event will offer $200,000 in rewards to participants who help identify vulnerabilities in the proposed XRPL lending protocol, a new system designed to bring fixed-term, unsecured loans to the XRP Ledger.

The Attackathon, which runs from October 27 to November 29, will invite hackers and security researchers to probe the codebase and report vulnerabilities before the protocol goes live.

Ripple will offer comprehensive educational support via an “Attackathon Academy,” including walkthroughs and Devnet environments, to help researchers become familiar with the XRPL architecture. The learning phase runs from October 13 to 27. Then, the bug-hunting competition begins on October 27 and continues through November, giving researchers ample time to thoroughly examine the protocol.

If a valid exploit is found, the entire reward pool unlocks. Otherwise, $30,000 will be distributed to participants who contribute to significant discoveries.

The XRPL lending protocol, governed by XLS-66, takes a different path than typical DeFi models. There are no smart contracts, wrapped assets, or on-chain collateral. Instead, creditworthiness is assessed off-chain, allowing financial institutions to apply their own risk models, while funds and repayments are recorded directly on the ledger.

It’s an approach Ripple touts as a bridge between traditional credit markets and on-chain finance, providing transparency while preserving regulatory guardrails. Institutions that need collateralized structures can still manage them through approved custodians or tripartite agreements, with the protocol acting as an execution layer.

Researchers will focus on vulnerabilities that could threaten the security of funds or the solvency of the protocol. Affected targets include vault logic, liquidation and interest calculations, and authorized access controls. Bugs must be reproducible and accompanied by a working proof of concept to qualify.

The Attackathon covers several related standards, including XLS-65 (single asset vaults), XLS-33 (multipurpose tokens), XLS-70 (credentials), and XLS-80 (authorized domains).
