Solana DeFi’s Loopscale Loses $5.8M in Major Breach
Loopscale, a Solana-based DeFi platform, reported a major security breach that impacted its USDC and SOL vaults, resulting in a loss of approximately $5.8 million, or about 12% of the funds on the platform.
This exploit occurred just two weeks after the platform’s official launch.
Today at 11:30AM EST, a manipulation of Loopscale’s RateX PT token pricing functions led to an exploit of ~5.7M USDC and 1,200 SOL from the Loopscale USDC and SOL Vaults. All Loopscale markets have been temporarily halted while our team investigates further.
This exploit…
— Loopscale (@LoopscaleLabs) April 26, 2025
Mary Gooneratne, co-founder of Loopscale, confirmed that the attack was carried out by exploiting under-collateralised loans.
Today, an attacker took out a series of undercollateralized loans on the protocol, exploiting the Loopscale USDC and SOL Vaults for ~$5.8M
The exploit represents about 12% of funds on Loopscale.
Our team is fully mobilized to investigate, recover funds, and ensure users are… https://t.co/Up9JYZkcGn
— Mary Gooneratne (@marygooneratne) April 26, 2025
Investigations traced the vulnerability to a flaw within the platform’s RateX-based collateral pricing system, where attackers manipulated RateX PT token pricing functions.
This exploitation led to the theft of 1,200 SOL and $5.7 million in USDC.
Update: Loopscale has re-enabled loan repayments, top-ups, and loop closing. All other app functions (including Vault withdrawals) are still temporarily restricted while we investigate and ensure mitigation of this exploit.
The root cause of the exploit has been identified as an… https://t.co/Pk2pMx8UcK
— Loopscale (@LoopscaleLabs) April 26, 2025
Notably, Loopscale emphasized that the RateX protocol itself was not compromised.
This is an exploit stemming specifically from the RateX PT token markets on Loopscale. RateX itself is unaffected.
— Loopscale (@LoopscaleLabs) April 26, 2025
Loopscale Limits Certain Functions Following Exploit
In response to the breach, Loopscale temporarily suspended all markets to assess the extent of the damage.
All markets have been halted temporarily while we investigate and pursue next steps.
Our team is working on resuming program functions as soon as possible, with withdrawals taking priority.
— Loopscale (@LoopscaleLabs) April 26, 2025
After a brief downtime, the protocol resumed certain functions, allowing loan repayments, collateral top-ups, and the closing of positions, while vault withdrawals remained restricted.
The breach primarily impacted Loopscale’s USDC and SOL vault depositors; borrowers and loopers were not directly affected.
Loopscale has committed to providing transparency on the number of users impacted, outlining how vault holders can access their funds, and releasing a detailed technical post-mortem.
Earlier this year, OShield, which audited the protocol in January and February, flagged several vulnerabilities, although these were later addressed according to Loopscale’s FAQ.
An audit of the protocol’s security by Sec3 is ongoing.
Exploiter Willing to Return Stolen Funds for Bounty
In an effort to recover the stolen funds, Loopscale extended a 10% bounty offer to the attacker and proposed a whitehat agreement.
The platform requested the return of 90% of the stolen assets, warning that legal action would follow if the attacker failed to respond by 28 April.
The Loopscale team has sent the following message to the address of the exploiter:
We are aware that you exploited a vulnerability in Loopscale’s pricing system earlier today. We are working closely with law enforcement, security firms, exchanges, and bridge protocols, to… https://t.co/MCoGpyxRB4
— Loopscale (@LoopscaleLabs) April 27, 2025
Loopscale is collaborating with security firms and law enforcement agencies to address the breach.
As an update to our users, we are continuing to address yesterday's exploit.
Later today, we will provide an update on re-enabling vault withdrawals, which are currently disabled as a safety measure while we complete our investigation of the exploit.
As mentioned in previous…
— Loopscale (@LoopscaleLabs) April 27, 2025
Loopscale added:
“We agree to allow you to retain a bounty of 10% of the funds (3,947 SOL) and release you from any and all liability regarding the attack.”
As of the latest update, the attacker has shown a willingness to return the stolen funds in exchange for the offered bounty.
You can view their initial response here: https://t.co/J8EW8E15oa
— Loopscale (@LoopscaleLabs) April 28, 2025
DeFi Sector Has Lost Almost $2B to Attacks in 2025
By Q1 2025, over $1.6 billion had been lost in DeFi attacks, with platforms like zkLend, Ionic Money, Cardex, Four.Meme, Cashverse, BankX, and GoldReserve NFT among those impacted.
February alone saw more than $1.53 billion drained in nine separate incidents, marking a 20% increase from January and an 18-fold surge from February 2024.
High-profile breaches, such as Bybit’s $1.46 billion hack in February, have shaken industry confidence.
This alarming trend highlights growing concerns over the security vulnerabilities of DeFi platforms in 2025.
Tim Haldorsson, founder of Lunar Strategy, raised the critical question of whether the potential returns from DeFi justify the escalating risks of exploitation.
Today both @LoopscaleLabs and @term_labs got hacked and lost millions each 🤷
How safe is actually all this defi?
We are chasing yield, but hack-adjusted is it actually better than just holding bonds? https://t.co/dnhw6n9yol
— Tim Haldorsson (@TimHaldorsson) April 26, 2025