Ripple Pays Hackers To Attack The XRP Ledger’s New DeFi Lending Protocol
RippleX has put a sharp point on its “institutional DeFi” roadmap by inviting the security community to actively break the XRP Ledger’s forthcoming lending stack before it ships. In a coordinated program with Immunefi, the company unveiled a $200,000 “Attackathon” aimed at hardening the proposed XRPL Lending Protocol, a ledger-native system for fixed-term, uncollateralized credit governed by the emerging XLS-66 standard.
“We are collaborating with @immunefi to arrange a $200K Attackathon to check and strengthen the proposed XRP Ledger Lending Protocol,” RippleX wrote on X on October 13, adding that the competition focuses on “more than 35K lines of C++ code” and is paired with an educational track to onboard researchers to XRPL specifics.
Immunefi posted on X: “We’ve partnered with RippleX to launch a $200,000 Attackathon helping to secure the proposed XRPL Lending Protocol. This is a time-boxed, adversarial competition to identify vulnerabilities before the protocol reaches production.”
Ripple Invites Hackers to Test the XRP Ledger
The Attackathon is preceded by an “XRPL Attackathon Academy” that Immunefi says offers ledger-specific walkthroughs, Devnet guides, test environments and a C++ curriculum, plus direct access to Ripple engineers during the training window.
The program’s core pool totals $200,000, with flat distribution guidelines and efficiency bonuses. The most consequential outcome is binary: if even one valid critical vulnerability is found, the full pool unlocks; if not, a $30,000 fallback is split among researchers who still submit valid insights.
Immunefi’s public brief also names the primary in-scope components targeted by researchers, including XLS-66 (Lending Protocol), XLS-65 (Single-Asset Vaults), XLS-33 (Multi-Purpose Tokens), XLS-70 (Credentials), XLS-77 (Deepfreeze), and XLS-80 (Permissioned Domains), a window into how Ripple envisions lending, liquidity, identity/permissions, and asset controls interlocking on the base layer.
Immunefi’s launch blog lists the training period as October 13–27 and the Attackathon as October 27–November 29, 2025. The Academy page further specifies rewards paid in RLUSD, Ripple’s dollar-pegged stablecoin, and confirms that Immunefi will triage reports and require KYC.
Ripple has been telegraphing this structure throughout September, positioning XLS-65 and XLS-66 as the nucleus of an institutional credit market built into the ledger, rather than stitched on through external smart contracts. The company’s own technical brief describes pooled lending, on-chain enforcement and underwritten, off-chain credit evaluation, while adjacent standards (Permissioned Domains, Deepfreeze and Credentials) are designed to map compliance, recoverability and identity controls to ledger-native primitives.
The security-first rollout reflects a broader industry shift toward pre-production “offense testing” on non-EVM codebases and at-protocol designs, where standard smart-contract bug classes don’t always apply. Immunefi’s brief makes clear what matters most for the XRPL stack: anything that compromises fund security or vault solvency, misrepresents interest accrual or debt, subverts clawback/freeze semantics, manipulates administrative data, or bypasses permissioned access controls.
Those priorities map directly to the design’s claim to avoid wrapped assets and third-party contracts, meaning the bounty effectively challenges researchers to find ledger-level logic flaws rather than Solidity-style pitfalls. “This program is a time-boxed, adversarial competition, where security researchers dive into the code to ensure the protocol has the strongest possible security posture, surfacing vulnerabilities before they reach production,” Immunefi wrote.
At press time, XRP traded at $2.46.
