XRPL’s New Institutional Lending Protocol Gets $200K Bug Bounty from Ripple and Immunefi
Ripple and Immunefi Launch $200K Attackathon to Test XRPL Lending Protocol
Ripple has partnered with Immunefi to host an “Attackathon”, a bug-hunting initiative aimed at identifying vulnerabilities in its new XRPL Lending Protocol, which introduces fixed-term, uncollateralized loans to the XRP Ledger (XRPL). The event offers a $200,000 reward pool for researchers who uncover valid security flaws.
The Attackathon will run from October 27 to November 29, inviting white-hat hackers and security researchers to rigorously test the protocol before it goes live. Leading up to the competition, Ripple is providing an “Attackathon Academy” from October 13 to October 27, featuring educational materials, walkthroughs, and Devnet environments to help participants familiarize themselves with XRPL’s architecture.
Participants who identify critical exploits can claim the full $200,000 reward, while $30,000 will be distributed to researchers who submit meaningful but non-critical findings.
The XRPL Lending Protocol, governed under XLS-66, departs from conventional DeFi designs. It does not rely on smart contracts, wrapped assets, or on-chain collateral. Instead, creditworthiness is assessed off-chain, allowing financial institutions to apply their own risk models while recording all funds and repayments on the ledger. Ripple presents this model as a bridge between traditional credit markets and on-chain finance, ensuring transparency while keeping regulatory safeguards in place. Institutions that require collateralized structures can manage them via licensed custodians or tri-party agreements, with the protocol serving as the execution layer.
Security researchers will focus on areas that could impact fund safety or protocol solvency, including vault logic, liquidation and interest calculations, and permissioned access controls. Bugs must be reproducible and accompanied by a working proof of concept to qualify for rewards.
The Attackathon also covers related standards, including XLS-65 (single-asset vaults), XLS-33 (multi-purpose tokens), XLS-70 (credentials), and XLS-80 (permissioned domains), providing a comprehensive evaluation of the protocol’s security framework.