Post-Mortem: PT Collateral Pricing Incident
May 8, 2025
Summary
On April 26, 2025, Loopscale was targeted in an attack that exploited the protocol’s pricing logic for RateX-issued tokens. By spoofing the RateX PT market programs, the attacker was able to take out a series of undercollateralized loans, resulting in the unauthorized outflow of 5,726,724.97 USDC and 1,211.4 SOL from the USDC and SOL Genesis Vaults. All funds were subsequently recovered following negotiations.
We take full responsibility for this incident and deeply regret the impact it had on our users. The exploited code path was deployed as part of a new integration with RateX and had not yet undergone a formal third-party audit. This was a clear failure in our review and deployment process. Going forward, no program code will be deployed without external review. Additional security measures are detailed in Security Improvements below.
We want to extend our sincerest gratitude for the critical support of partners across the ecosystem. In particular, we want to thank Jonathan from Asymmetric Research, Sec3, the entire SEAL 911 team, especially Nick, pcaversaccio, and Tay, XJ from Peckshield, Robert and Renato from OtterSec, and Francesco from Almanax.
We’re also deeply thankful to our users for their continued trust and patience as we work to restore full protocol functionality.
Exploit Analysis
The exploit stemmed from an incomplete validation of the RateX program used to price RateX principal tokens (PT tokens). The vulnerable code was introduced on March 27 as part of an upgrade to support RateX collateral markets. RateX implements each of its markets as a standalone program exposing a get_pt_price instruction. Loopscale relies on this instruction’s output via cross-program invocation (CPI), in conjunction with Pyth oracle feeds, to calculate collateral value.
While the Loopscale protocol enforced program validations for Exponent PT tokens and RateX PT Loops, it failed to extend the same checks to non-Loop borrows collateralized by RateX tokens. This gap allowed the attacker to deploy a malicious program that spoofed the interface of a valid RateX market. The program returned an artificially inflated PT exchange rate via get_pt_price, enabling the series of loans that effectively bypassed health checks.
This was a targeted technical exploit of a specific integration path, not a failure of Loopscale’s economic model or protocol architecture. The core order book logic and vault mechanics functioned as intended and were not compromised.
Incident Timeline
Time (UTC) | Activity | Transaction(s) |
---|---|---|
April 26 12:51 PM | Attacker swaps Monero for SOL to fund Wallet 1 (84dz…dA4V) via ChangeNow. | 5gUk…MkEb |
April 26 1:16 PM - 1:34 PM | Attacker swaps SOL for USDe and kySOL and mints PTUSDe and PTkySOL via RateX. | 5EFA…Te87, YLye…MctE, 3tcp…TNno, 5ckr…BMNh |
April 26 1:35 PM - 1:39 PM | Attacker transfers SOL, PTUSDe, and PTkySOL to Wallet 2 (C1Qy…prYT), the exploit wallet. | 3616…Fi4e, 2y5n…XgSd, hAyB…Pkh5 |
April 26 2:15 PM | Attacker swaps Monero for SOL to fund Wallet 2 via ChangeNow. | 7UZN…y65M |
April 26 2:44 PM - 3:17 PM | Attacker deploys test program (8iHA…oMyk) and exploit program (BdAD…KRbK). | c5fv…yH2n, 5Lrg…7Xxc |
April 26 3:28 PM | Attacker borrows 1,500,000 USDC. | 2Cti…rRrq |
April 26 3:29 PM | Attacker borrows 1,500,000 USDC. | 55dm…eH5Q |
April 26 3:30 PM | Attacker borrows 1,500,000 USDC. | Xxks…beub |
April 26 3:30 PM | Attacker borrows 1,226,725 USDC. | 2SkC…F2RJ |
April 26 3:31 PM | Attacker swaps 5,726,725 USDC for 38,261 SOL via Jupiter. | bR4Y…Lz7H |
April 26 3:32 PM | Attacker borrows 1,211.4 SOL. | 3Lck…ZvGP |
April 26 3:37 PM | Attacker transfers 39,474.5 SOL to Wallet 3 (4Qsq…HgCV). | 4uG4…igN7 |
April 26 3:47 PM - 4:23 PM | Loopscale disables new borrows from Vaults, disables new borrows from the protocol, and then pauses all protocol functionality. | |
April 26 3:52 PM | Loopscale creates war room with SEAL 911 via Telegram. | |
April 26 4:55 PM - 5:08 PM | Attacker swaps 10 SOL for ETH to fund Wallet 4 (0x05…038c) via ChangeNow and bridges a total of 15,000 SOL via Wormhole. | 3vLa…n8iJ, 4KHQ…1QU2, Fcaf…ahTH |
April 26 5:10 PM | Attacker initiates bridge of 20,000 SOL to Wallet 4 via Wormhole. | 5Xzy…Gm1e |
April 26 8:15 PM | Loopscale re-enables loan repayment and close-loop functionality. | |
April 27 4:38 AM | Attacker transfers 15,000 WSOL and 0.5 ETH to Wallet 5 (0xc9…7Fe8). | 0xed…8b85, 0x6e…2150 |
April 27 10:12 AM | Loopscale sends an on-chain message to Wallet 4. On-chain and email communications follow. | 0x6d…d646 |
April 27 6:54 PM | Attacker returns 5,000 SOL to Loopscale (0xc4…5329). | 0x4a…72f0 |
April 28 6:18 AM | Attacker returns 10,000 SOL to Loopscale. | 0x17…95ce |
April 28 7:03 PM | Attacker returns 4,463.95 SOL to Loopscale (stnD…JH4j). | 66Yq…axei |
April 29 7:16 PM - 7:33 PM | 20,000 SOL bridged transfer settles on Ethereum. Attacker returns settled funds, completing fund recovery. | 0xda…a110, 0xa9…7860 |
April 30 7:11 PM | Loopscale re-enables Advanced Lending management/withdrawals. | |
May 8 2:00 PM | Loopscale re-enables vault withdrawals following additional code reviews. | |
Impact
The exploit impacted the USDC and SOL Genesis Vaults, leading to temporary losses of 5,726,724.97 USDC across 3,126 depositors and 1,211.4 SOL across 2,047 depositors. All funds were fully recovered through coordinated efforts with ecosystem partners. Loopscale is reimbursing a $29,000 discrepancy caused by the attacker swapping USDC at less favorable rates than those at which the funds were later reacquired. No user deposits incurred any loss.
The vulnerability was limited to loans backed by RateX principal tokens. No other vaults or advanced lending positions were affected. Existing safeguards, including market isolation, collateral segregation, and liquidity buffers, helped contain the impact.
In response, protocol functionality was paused. Loan repayments and closure of Loops were re-enabled on April 26, followed by Advanced Lending position management/withdrawals on April 30. Vault withdrawals were enabled today, May 8, with 24-hour per-user limits. Borrowing and looping remain paused pending the completion of Sec3’s audit and security improvements.
Response & Remediation
Immediate Mitigation
Several existing protocol safeguards helped contain the impact of the exploit:
- Market Isolation: Eligible collateral configurability ensured no other vaults or Advanced Lending positions were affected.
- Non-Rehypothecated Collateral: Per-loan collateral segregation ensured the safety of borrower collateral deposits.
- Liquidity Buffers: Withdrawal buffers limited the funds at risk.
- Emergency Protocol Pause: Core functionality was paused shortly after the exploit occurred.
While these measures helped reduce the scale of the incident, they were far from sufficient. Future releases will include significantly stronger safeguards to prevent similar failures.
Fund Recovery
Following the exploit, Loopscale engaged SEAL 911 to coordinate incident response. Over the next 12 hours, we shared exploit details with Wormhole Network contributors, notified centralized exchanges and swapping services to restrict off-ramping or swapping, and escalated the case with law enforcement. Due to the sensitive nature of the incident, we cannot comment on the investigation any further for now.
Communications with the attacker were initiated via an on-chain message the morning of April 27, leading to the full return of misappropriated funds over the next 48 hours.
Vulnerability Patch
To close the vulnerability, the exploited check was updated to enforce strict validation of RateX program IDs during loan health checks. All related instructions were reviewed to ensure reliability and integrity of program inputs.
These changes eliminate the exploit vector by ensuring that only validated program accounts can be used during loan execution. The patch was reviewed by Sec3 and two additional third-party security auditors.
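The missing check described in Exploit Analysis and the fix described above can be modelled in plain Rust. This is an added illustration, not Loopscale's program code: the program IDs, PT rates, the 80% loan-to-value limit and the names health_check, deployed and ALLOWED are all constructed for the example, and a function pointer stands in for the CPI to get_pt_price.

```rust
use std::collections::HashMap;

// Plain-Rust model of the pricing path. IDs, rates and the 80% LTV are constructed values.
type ProgramId = [u8; 32];
type PtPriceFn = fn() -> u64; // stand-in for a CPI to get_pt_price; rate scaled by 1e6

const RATEX_MARKET: ProgramId = [1; 32]; // constructed: a genuine market program
const SPOOFED: ProgramId = [9; 32]; // constructed: look-alike program, same interface
const ALLOWED: &[ProgramId] = &[RATEX_MARKET]; // hypothetical per-market configuration

fn genuine_rate() -> u64 { 970_000 } // 0.97 underlying per PT
fn inflated_rate() -> u64 { 970_000_000 } // 1000x too high, same return type

#[derive(Debug, PartialEq)]
enum LoanError { UnknownPricingProgram, Unhealthy }

/// Programs deployed on chain, by ID. Anyone can deploy one, so presence proves nothing.
fn deployed() -> HashMap<ProgramId, PtPriceFn> {
    let mut m = HashMap::new();
    m.insert(RATEX_MARKET, genuine_rate as PtPriceFn);
    m.insert(SPOOFED, inflated_rate as PtPriceFn);
    m
}

/// Health check for `borrow` (micro-USD) against `pt_amount` PT (micro-units).
/// `allowlist: None` models the unvalidated path, `Some(..)` the validated one.
fn health_check(pricing_program: ProgramId, allowlist: Option<&[ProgramId]>,
                pt_amount: u64, oracle_px: u64, borrow: u128) -> Result<(), LoanError> {
    if let Some(allowed) = allowlist {
        // The borrower picks the account passed in, so pin it to configured programs.
        if !allowed.contains(&pricing_program) {
            return Err(LoanError::UnknownPricingProgram);
        }
    }
    let programs = deployed();
    let price_fn = *programs.get(&pricing_program).ok_or(LoanError::UnknownPricingProgram)?;
    // value = PT amount * PT rate (from the called program) * oracle price of underlying
    let value = pt_amount as u128 * price_fn() as u128 / 1_000_000
        * oracle_px as u128 / 1_000_000;
    if borrow * 100 > value * 80 { Err(LoanError::Unhealthy) } else { Ok(()) }
}

fn main() {
    let (pt, px, loan) = (10_000_000_000u64, 1_000_000u64, 1_500_000_000_000u128);
    println!("genuine:              {:?}", health_check(RATEX_MARKET, None, pt, px, loan));
    println!("spoofed, unchecked:   {:?}", health_check(SPOOFED, None, pt, px, loan));
    println!("spoofed, allowlisted: {:?}", health_check(SPOOFED, Some(ALLOWED), pt, px, loan));
}
```

The oracle price is identical in all three calls; only the identity of the program supplying the PT rate changes the outcome, which is why the check has to sit on the program ID rather than on the returned value.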
Security Improvements
To strengthen protocol security and prevent future exploits, Loopscale is introducing a comprehensive set of technical and operational safeguards:
Core Protocol Safeguards
- Expanded Audit Coverage: Our ongoing engagement with Sec3 covers the full program library, including all collateral pricing integrations. Additional audits are scheduled to be completed in the coming months.
- Bug Bounty Program: Following the completion of additional audits, Loopscale will launch a formal bug bounty program.
- Progressive, Feature-Specific Audits: No program functionality or updates will be deployed without a formal third-party audit.
- Operational Monitoring: While Loopscale has a number of monitoring and alerting systems in place, additional weekly reviews of failed transactions, backend logs (tracked via Sentry), and anomalous RPC activity are now formalized as operational procedures.
- Program Access Controls: Market, vault, and oracle parameter updates are now gated by multisig authorization as an additional safeguard against unauthorized changes.
These measures reflect a broader shift toward security-first development we are committed to sustaining across all future releases.
Program-Level Vault Risk Controls
In the next protocol release, Loopscale will expand risk management functionality for Vaults and Advanced Lending Positions to mitigate systemic risks, manage liquidity flows, and contain abnormal activity. This release will include:
- Borrow, Supply, and Withdrawal Caps: Time-based and total limits
- Collateral Exposure Limits: Constraints on how much can be borrowed against a single asset to reduce concentration risk
- Loan Approval Thresholds: Manual and delayed approval mechanisms for large loans
- Withdrawal Queues: FIFO processing for transparent and orderly withdrawals during stressed market conditions
All parameters are optional and configurable per-vault by the Vault Curator and per-position by Advanced Lending depositors. Future Vaults curated by Loopscale will adopt a conservative risk profile leveraging this functionality.
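One possible shape for a time-based borrow cap combined with a large-loan approval threshold, replayed against the four USDC borrows from the incident timeline. This is an added sketch, not Loopscale's implementation: the VaultLimits fields, the BorrowGate type and every limit value are hypothetical, since the page names the controls but not their design or parameters.

```rust
use std::collections::VecDeque;

// Hypothetical per-vault limits; the page names the controls but not their values.
struct VaultLimits {
    window_secs: u64,      // length of the rolling window
    window_cap: u64,       // max USDC released per window
    review_threshold: u64, // loans at or above this wait for manual/delayed approval
}

#[derive(Debug, PartialEq, Clone, Copy)]
enum Decision { Released, HeldForApproval, RejectedWindowCap }

struct BorrowGate { limits: VaultLimits, released: VecDeque<(u64, u64)> } // (time, USDC)

impl BorrowGate {
    fn new(limits: VaultLimits) -> Self { BorrowGate { limits, released: VecDeque::new() } }

    fn request(&mut self, now: u64, amount: u64) -> Decision {
        // Forget releases that have aged out of the rolling window.
        while let Some(&(t, _)) = self.released.front() {
            if now.saturating_sub(t) < self.limits.window_secs { break; }
            self.released.pop_front();
        }
        if amount >= self.limits.review_threshold { return Decision::HeldForApproval; }
        let used: u64 = self.released.iter().map(|&(_, a)| a).sum();
        if used.saturating_add(amount) > self.limits.window_cap {
            return Decision::RejectedWindowCap;
        }
        self.released.push_back((now, amount));
        Decision::Released
    }
}

/// Replays the four USDC borrows and returns each decision plus total USDC released.
fn replay_incident(limits: VaultLimits) -> (Vec<Decision>, u64) {
    // Seconds after 3:28 PM UTC and whole-USDC amounts, taken from the incident timeline.
    let borrows = [(0, 1_500_000), (60, 1_500_000), (120, 1_500_000), (120, 1_226_725)];
    let mut gate = BorrowGate::new(limits);
    let mut out: u64 = 0;
    let decisions: Vec<Decision> = borrows.iter().map(|&(t, amt)| {
        let d = gate.request(t, amt);
        if d == Decision::Released { out += amt; }
        d
    }).collect();
    (decisions, out)
}

fn main() {
    let l = VaultLimits { window_secs: 3_600, window_cap: 2_000_000, review_threshold: 2_000_000 };
    println!("{:?}", replay_incident(l));
}
```

With these constructed limits, only the first 1,500,000 USDC borrow is released inside the window. Lowering review_threshold to 1,000,000 holds all four for approval instead.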
Temporary Instruction Co-Signing
To reinforce protocol integrity ahead of additional audits, Loopscale has introduced a temporary security measure requiring all instruction calls to be programmatically co-signed by Loopscale. This means every transaction must be constructed and validated by our backend server before execution, adding a layer of off-chain security on top of the standard program logic.
This measure directly mitigates the vector used in Saturday’s exploit, whereby malicious programs were able to invoke our program instructions with unverified data. Importantly, users remain fully in control of their funds. Our backend cannot initiate transactions independently.
This will serve as a short-term safeguard until pending audits are completed.
Looking Ahead
We sincerely apologize for the disruption this incident has caused our users and partners. We recognize the importance of trust in the DeFi ecosystem, and we are committed to restoring it through transparent, verifiable measures.
This event has surfaced areas for operational and infrastructural improvements. In response, we are implementing safeguards and processes to make Loopscale more resilient and secure going forward.
The re-enablement of full protocol functionality will be rolled out in stages, with user safety and confidence as our top priorities. We’ll be sharing more about the path forward soon.
Thank you again to the community for your continued support and contributions. Your trust is not taken for granted. We remain committed to rebuilding trust, building a stronger Loopscale, and pioneering the next generation of on-chain credit.