메인넷 진입: XRPL 대출 프로토콜의 보안 우선 접근법
출처: Dev.to
지난 몇 달간 XRP 레저(XRPL)는 개념에서 메인넷으로 업그레이드가 이동하는 방식에 근본적인 변화를 겪었습니다. 과거에는 업그레이드 개발이 기능 정확성, 성능 테스트, 전통적 보안 감사, 버그 bounty, 그리고 독립 검증자 테스트를 중심으로 이루어졌으며, 이는 보안 취약점을 포착하기 위한 마지막 방어선 역할을 했습니다.
XRPL이 복잡성이 커지고 네트워크에 보호되는 가치가 증가함에 따라, 이전 모델은 더 이상 충분하지 않다는 것을 인식했습니다. AI의 발전은 취약점 발견 비용을 빠르게 감소시키고 있으며, 따라서 개발 라이프사이클 초기에 문제를 식별하는 것이 점점 더 중요해졌습니다. 이에 우리는 보다 강력하고 반복 가능하며 방어 깊이가 강화된 모델을 구축하기로 결심했으며, 이는 핵심적인 취약점, 합의 위험, 기능 상호작용 버그가 메인넷에 도달하는 것을 더욱 어렵게 만들었습니다.
그 결과, 업그레이드 활성화에 필요한 기준이 크게 높아졌으며, 사양 rigor(정밀도), 적대적 테스트, 여러 독립 감사, 전문 보안 연구자와 함께 하는 Attackathon, AI 지원 보안 검토, 단계적 배포가 결합되었습니다.
Lending Protocol (XLS-66)과 Single Asset Vault (SAV - XLS-65)는 이 전체 리뷰 과정을 거친 최초의 주요 업그레이드 중 하나이며, XRPL 역사상 가장 엄격하게 테스트된 업그레이드 중 하나입니다.
또한 2012년 이후 XRP 레저에 추가된 가장 중요한 새로운 금융 기능을 대표하며, Single Asset Vault를 기반으로 한 대출 및 빌딩을 위한 네이티브 원시값을 도입했습니다. Lending Protocol과 SAV는 핵심 XRPL 프로토콜에 직접 대출 및 빌딩 기능을 가져오면서 Institutional DeFi(기관형 DeFi)의 역량을 강화합니다.
본 보고서는 XRPL가 지금까지 출시한 가장 재무적으로 복잡한 기능 중 하나의 개발 및 보안 과정에 대한 투명성을 제공합니다.
문맥을 위해, Lending Protocol은 대출 라이프사이클 상태 관리, 다중 당사자 수수료 라우팅, 이자율 산술, 자격 기반 권한 부여, Single Asset Vault(SAV)와 tight coupling(강한 결합)을 포함하고 있습니다. 각 구성 요소는 고유한 보안 및 정확성 요구 사항을 도입합니다.
Moreover, Single Asset Vault는 표면적으로는 (예금, 인출, shares 조회) 간단해 보이지만, 실제로는 share 가격 모델을 도입하여 다른 기능과 접촉하는 모든 부분에 새로운 경제적 공격 표면을 만들기 때문에 매우 복잡합니다.
아래 섹션들은 이 두 업그레이드가 메인넷 제안에 도달하기 전 10개의 리뷰, 테스트, 내부 및 외부 검증 단계를 거친 과정을 개요합니다. 또한, 연초부터 AI 지원 검토와 형식적 방법을 일상 개발의 기본 부분으로 활용하게 된 과정에 대한 정보도 제공합니다.
Phase 0: Internal Quality & Performance Testing (Early 2025) Before any external auditor touched the code, RippleX’ s core engineering team put both the Lending and SAV amendments through extensive internal quality assurance and performance testing. This included unit tests, integration tests, fuzzing, and load testing to validate correctness, stability, and performance under stress.
Next, the Lending Protocol and SAV were submitted to Halborn (end-to-end security firm covering services from smart contract auditing to independent security assessments).
Phase 1: Initial SAV Audit by Halborn (February–April 2025) Security review began with the Single Asset Vault. Halborn conducted a dedicated smart contract assessment from February 17 to March 13, 2025, covering all core vault transaction types (VaultCreate, VaultDeposit, VaultWithdraw, VaultSet, VaultDelete, and VaultClawback) along with share token management, asset handling, and access controls.
Halborn identified 7 findings across the SAV codebase: 2 Critical, 1 High, 2 Medium, 1 Low, and 1 Informational. The critical findings addressed insufficient amount validation in vault operations and a flaw where the vault failed to account for IOU transfer fees.
100% of all reported findings were addressed before the SAV moved forward.
For a detailed look at how Halborn collaborated with RippleX’ s engineering team across these audits, see their published case study.
Phase 3: Immunefi Attackathon - $200K Public Bug Bounty (October–November 2025) Rather than stop at private audits, Ripple partnered with Immunefi to run a public Attackathon - opening both the Lending Protocol and SAV to adversarial testing by the global security research community. This was the first public program of its kind and yielded significant results.
The Attackathon launched on October 27, 2025 with a $200,000 prize pool (paid in RLUSD). A two-week learning period preceded the live window, giving researchers access to educational resources and full scope documentation covering 35,498 lines of C/CC++ code.
The results were:
- 455 total submissions from 131 unique researchers
- 94 unique valid findings out of 183 valid submissions after triage
- Final severity breakdown: 15 Critical · 19 High · 17 Medium · 20 Low · 23 Insights
54 eligible researchers paid out after KYC, with the full $200K distributed
The triage period closed January 7, 2026, and all findings were reviewed by RippleX’ s core engineering team, which addressed every identified issue and prepared the codebase for re-audit. Immunefi report is published here.
Building on the findings from v1.0, we are planning a v1.1 enhancement amendment to incorporate partner feedback and operational learnings. The release includes both user-facing improvements and targeted protocol enhancements and is scheduled for Q3 this year.
Phase 4: Halborn Re-Audit Post-Attackathon (December 2025–January 2026) With all critical/high and medium Attackathon findings fixed, we submitted the updated Lending Protocol codebase to Halborn for a second audit starting December 15, 2025. This was a full month engagement covering the entire protocol after incorporating fixes from both the original audits and the Attackathon.
Halborn delivered the re-audit in January 2026. RippleX’ s engineering team finalized all remaining fixes before the mainnet release.
Phase 5: Mainnet Release & Validator Voting (January 2026) On January 28–29, 2026, the Lending Protocol and Single Asset Vault shipped in rippled v3.1.0 and went live for initial validator voting and independent community testing by validators and core developers.
Phase 6: Independent Community Testing (March 2026) The XRPL Commons independently tested the Single Asset Vault, running 257 test cases across 10 categories covering every transaction type, edge case, and adversarial scenario they could identify. 257 out of 257 tests passed, representing a 100% pass rate. Squid UNL validator performed extensive testing in April 2026 (here).
Phase 7: Red Team Activities and Bug Bounty (March - May 2026) Between March and May 2026, the Lending Protocol and SAV went through the most rigorous pre-launch security process of any XRPL feature to date, across three parallel tracks on top of community testing:
- AI Red Team: The AI-assisted red team filed 20 Lending Protocol-specific tickets. Seven confirmed bugs were fixed including an inverted invariant that would have allowed phantom collateral to go undetected, a fee-free network spam vector in LoanPay, and a node deadlock via integer overflow.
- Bug Bounty: Multiple researchers submitted reports during the review period. One report identified a confirmed first-depositor vault attack that could result in fund loss and has since been remediated. Other submissions related to known issues for which mitigations were already planned or underway.
- Fuzz Testing: We also completed extensive fuzz testing for the Lending Protocol and SAV, including multi-hour runs through the fuzz testing