Financial technology company Ripple is partnering with security platform Immunefi for an upcoming “Attackathon” event, designed to put a new decentralized finance protocol on the XRPL through rigorous testing.
The event will offer $200,000 in rewards to participants who help identify vulnerabilities in the proposed XRPL Lending Protocol, a new system designed to provide unsecured, fixed-term loans on the XRP Ledger.
The Attackathon, which will take place from October 27 to November 29, will invite hackers and security researchers to investigate the code base and report vulnerabilities before the protocol goes live.
Ripple will offer full educational support through an “Attackathon Academy,” including tutorials and Devnet environments, to help researchers familiarize themselves with the XRPL architecture. The learning stage runs from October 13 to 27. After this, the bug-finding competition begins on October 27 and continues through November, giving researchers enough time to thoroughly examine the protocol.
If a valid exploit is found, the entire reward pool is unlocked. Otherwise, $30,000 will be distributed to participants who provide significant findings.
The XRPL lending protocol, governed by XLS-66, takes a different path than typical DeFi models. There are no smart contracts, wrapped assets, or on-chain collateral. Instead, creditworthiness is assessed off-chain, allowing financial institutions to apply their own risk models, while funds and reimbursements are recorded directly on the ledger.
It’s an approach that Ripple is presenting as a bridge between traditional credit markets and on-chain finance, offering transparency and keeping regulatory barriers intact. Institutions that need collateralized structures can still manage them through authorized custodians or tripartite agreements, with the protocol acting as an execution layer.
Researchers will focus on vulnerabilities that could threaten the security of funds or the solvency of the protocol. Targets within scope include vault logic, interest and settlement calculations, and authorized access controls. Bugs must be reproducible and come with working proofs of concept to qualify.
The Attackathon covers several linked standards, including XLS-65 (single-asset vaults), XLS-33 (multipurpose tokens), XLS-70 (credentials), and XLS-80 (authorized domains).