RippleX has launched a $200,000 security competition inviting hackers to identify vulnerabilities in the XRP Ledger's proposed lending protocol before it goes live, partnering with blockchain security platform Immunefi to conduct what the companies call an "Attackathon" focused on more than 35,000 lines of C++ code.
What to Know:
- RippleX and Immunefi are running a time-boxed adversarial competition from October 27 through November 29, 2025, targeting the proposed XRPL Lending Protocol and six related technical standards.
- The full $200,000 prize pool unlocks if researchers discover even one critical vulnerability; otherwise, a $30,000 fallback reward will be distributed among participants who submit valid findings.
- The program tests ledger-native lending infrastructure built directly into the XRP Ledger rather than through external smart contracts, covering fixed-term, uncollateralized credit systems governed by the XLS-66 standard.
Testing Protocol Security Before Launch
RippleX announced the initiative on October 13, stating the competition would "test and strengthen" the lending protocol while providing an educational track to help security researchers understand the XRP Ledger's architecture. Immunefi described the effort as a "time-boxed, adversarial competition to identify vulnerabilities before the protocol reaches production."
The program includes an education phase running from October 13 through October 27, during which Immunefi is providing ledger-specific tutorials, Devnet guides, test environments and C++ curriculum materials.
Security researchers will have direct access to Ripple engineers during this window.
The actual competition runs from October 27 through November 29.
Rewards will be paid in RLUSD, Ripple's dollar-pegged stablecoin, and participants must complete know-your-customer verification through Immunefi's triage process. The prize structure creates a binary outcome: if researchers find at least one critical vulnerability, the entire $200,000 pool becomes available under flat distribution rules with performance bonuses. If no critical flaws surface, Immunefi will split $30,000 among those who submitted valid lower-severity findings.
Technical Standards and Institutional Credit
The Attackathon targets six technical standards that form the foundation of what Ripple calls "institutional DeFi" on the XRP Ledger. The primary focus is XLS-66, which defines the lending protocol itself, but researchers will also examine XLS-65 for single-asset vaults, XLS-33 for multi-purpose tokens, XLS-70 for credentials, XLS-77 for deep freeze functionality and XLS-80 for permissioned domains.
These standards reflect Ripple's approach to building credit markets directly into the ledger rather than layering them on top through smart contracts. The company's technical documentation describes a system for pooled lending with on-chain enforcement paired with off-chain credit evaluation.
Adjacent standards handle compliance requirements, asset recoverability and identity controls as native ledger functions.
Immunefi's competition brief specifies that researchers should concentrate on vulnerabilities affecting fund security, vault solvency, interest calculations, debt representation, clawback mechanisms, freeze semantics, administrative records and permissioned access controls. The emphasis on ledger-level logic distinguishes this program from typical smart contract bug bounties that focus on Solidity or Ethereum Virtual Machine issues.
Ripple has discussed this architecture throughout September, positioning the lending and vault standards as core infrastructure for institutional credit markets. The design avoids wrapped assets and third-party contracts, meaning security researchers must look for flaws in the base protocol implementation rather than contract-level vulnerabilities common to other blockchain platforms.
Understanding Key Terms
The XRP Ledger operates as a decentralized payment network that processes transactions through a consensus protocol rather than proof-of-work mining. Unlike blockchains that run smart contracts in virtual machines, XRPL implements new features through amendments to the core protocol, requiring validator approval before activation.
This architectural difference means new functionality like lending protocols must be built into the ledger's C++ codebase rather than deployed as separate contract code.
Uncollateralized lending, a central feature of the proposed protocol, allows borrowers to obtain credit without depositing assets as security. This approach requires robust identity verification and credit assessment mechanisms, which the XLS-70 credentials standard aims to provide. Fixed-term loans operate on predetermined schedules with defined repayment dates, contrasting with the perpetual, variable-rate arrangements common in decentralized finance applications.
The term "Attackathon" combines "attack" and "marathon," describing an intensive, time-limited security audit where researchers compete to find vulnerabilities. Bug bounty programs typically run indefinitely with rewards scaling to vulnerability severity, while Attackathons compress the testing period and offer pooled prizes to create urgency. Immunefi specializes in these competitions for blockchain projects, having conducted similar programs for other protocols before launch.
RLUSD, Ripple's stablecoin that will be used for competition payouts, maintains a one-to-one peg with the U.S. dollar through reserve backing.
Closing Thoughts
The security program represents a shift toward adversarial testing before production deployment, particularly for non-Ethereum blockchain architectures where conventional smart contract vulnerabilities may not apply. At press time, XRP traded at $2.46, with the lending protocol's eventual launch date not yet announced pending the outcome of the security competition.