Ripple Pays Hackers To Attack The XRP Ledger’s New DeFi Lending Protocol

RippleX has put a sharp point on its “institutional DeFi” roadmap by inviting the security community to actively break the XRP Ledger’s forthcoming lending stack—before it ships. In a coordinated program with Immunefi, the company unveiled a $200,000 “Attackathon” aimed at hardening the proposed XRPL Lending Protocol, a ledger-native system for fixed-term, uncollateralized credit governed by the emerging XLS-66 standard.

“We are collaborating with @immunefi to prepare a $200K Attackathon to test and strengthen the proposed XRP Ledger Lending Protocol,” RippleX wrote on X on October 13, adding that the competition focuses on “more than 35K lines of C++ code” and is paired with an educational track to onboard researchers to XRPL specifics.

Immunefi posted via X: “We’ve partnered with RippleX to launch a $200,000 Attackathon helping secure the proposed XRPL Lending Protocol. This is a time-boxed, adversarial competition to identify vulnerabilities before the protocol reaches production.”

Ripple Invites Hackers to Test the XRP Ledger

The Attackathon is preceded by an “XRPL Attackathon Academy” that Immunefi says provides ledger-specific walkthroughs, Devnet guides, test environments and a C++ curriculum, plus direct access to Ripple engineers during the education window.

The program’s core pool totals $200,000, with flat distribution rules and performance bonuses. The most consequential result is binary: if even one valid critical vulnerability is found, the full pool unlocks; if not, a $30,000 fallback is split among researchers who nonetheless submit valid insights.

Immunefi’s public brief also names the primary, in-scope components targeted by researchers, including XLS-66 (Lending Protocol), XLS-65 (Single-Asset Vaults), XLS-33 (Multi-Purpose Tokens), XLS-70 (Credentials), XLS-77 (Deepfreeze), and XLS-80 (Permissioned Domains)—a window into how Ripple envisions lending, liquidity, identity/permissions, and asset controls interlocking at the base layer.

Immunefi’s launch blog lists the education period as October 13–27 and the Attackathon as October 27–November 29, 2025. The Academy page further specifies rewards paid in RLUSD, Ripple’s dollar-pegged stablecoin, and confirms that Immunefi will triage reports and require KYC.

Ripple has been telegraphing this architecture throughout September, positioning XLS-65 and XLS-66 as the nucleus of an institutional credit market built into the ledger, rather than stitched on via external smart contracts. The company’s own technical brief describes pooled lending, on-chain enforcement and underwritten, off-chain credit evaluation, while adjacent standards—Permissioned Domains, Deepfreeze and Credentials—are designed to map compliance, recoverability and identity controls to ledger-native primitives.

The security-first rollout reflects a broader industry shift toward pre-production “offense testing” on non-EVM codebases and at-protocol designs, where conventional smart-contract bug classes don’t always apply. Immunefi’s brief makes clear what matters most for the XRPL stack: anything that compromises fund security or vault solvency, misrepresents interest accrual or debt, subverts clawback/freeze semantics, manipulates administrative records, or bypasses permissioned access controls.

Those priorities map directly to the design’s claim to avoid wrapped assets and third-party contracts, meaning the bounty effectively challenges researchers to find ledger-level logic flaws rather than Solidity-style pitfalls. “This program is a time-boxed, adversarial competition, where security researchers dive into the code to ensure the protocol has the strongest possible security posture, surfacing vulnerabilities before they reach production,” Immunefi wrote.

At press time, XRP traded at $2.46.