Summary

On April 26, 2025, Loopscale was targeted in an attack that exploited the protocol’s pricing logic for RateX-issued tokens. By spoofing the RateX PT market programs, the attacker was able to take out a series of undercollateralized loans, resulting in the unauthorized outflow of 5,726,724.97 USDC and 1,211.4 SOL from the USDC and SOL Genesis Vaults. All funds were subsequently recovered following negotiations.

We take full responsibility for this incident and deeply regret the impact it had on our users. The exploited code path was deployed as part of a new integration with RateX and had not yet undergone a formal third-party audit. This was a clear failure in our review and deployment process. Going forward, no program code will be deployed without external review. Additional security measures are detailed in Security Improvements below.

We want to extend our sincerest gratitude for the critical support of partners across the ecosystem. In particular, we want to thank Jonathan from Asymmetric Research, Sec3, the entire SEAL 911 team, especially Nick, pcaversaccio, and Tay, XJ from Peckshield, Robert and Renato from OtterSec, and Francesco from Almanax.

We’re also deeply thankful to our users for their continued trust and patience as we work to restore full protocol functionality.

Exploit Analysis

The exploit stemmed from an incomplete validation of the RateX program used to price RateX principal tokens (PT tokens). The vulnerable code was introduced on March 27 as part of an upgrade to support RateX collateral markets. RateX implements each of its markets as a standalone program exposing a get_pt_price instruction. Loopscale relies on this instruction’s output via cross-program invocation (CPI), in conjunction with Pyth oracle feeds, to calculate collateral value.

While the Loopscale protocol enforced program validations for Exponent PT tokens and RateX PT Loops, it failed to extend the same checks to non-Loop borrows collateralized by RateX tokens. This gap allowed the attacker to deploy a malicious program that spoofed the interface of a valid RateX market. The program returned an artificially inflated PT exchange rate via get_pt_price, enabling the series of loans that effectively bypassed health checks.

This was a targeted technical exploit of a specific integration path, not a failure of Loopscale’s economic model or protocol architecture. The core order book logic and vault mechanics functioned as intended and were not compromised.

Incident Timeline

| Time (UTC) | Activity | Transaction(s) |
|---|---|---|
| April 26 12:51 PM | Attacker swaps Monero for SOL to fund Wallet 1 (84dz…dA4V) via ChangeNow. | 5gUk…MkEb |
| April 26 1:16 PM - 1:34 PM | Attacker swaps SOL for USDe and kySOL and mints PTUSDe and PTkySOL via RateX. | 5EFA…Te87, YLye…MctE, 3tcp…TNno, 5ckr…BMNh |
| April 26 1:35 PM - 1:39 PM | Attacker transfers SOL, PTUSDe, and PTkySOL to Wallet 2 (C1Qy…prYT), the exploit wallet. | 3616…Fi4e, 2y5n…XgSd, hAyB…Pkh5 |
| April 26 2:15 PM | Attacker swaps Monero for SOL to fund Wallet 2 via ChangeNow. | 7UZN…y65M |
| April 26 2:44 PM - 3:17 PM | Attacker deploys test program (8iHA…oMyk) and exploit program (BdAD…KRbK). | c5fv…yH2n, 5Lrg…7Xxc |
| April 26 3:28 PM | Attacker borrows 1,500,000 USDC. | 2Cti…rRrq |
| April 26 3:29 PM | Attacker borrows 1,500,000 USDC. | 55dm…eH5Q |
| April 26 3:30 PM | Attacker borrows 1,500,000 USDC. | Xxks…beub |
| April 26 3:30 PM | Attacker borrows 1,226,725 USDC. | 2SkC…F2RJ |
| April 26 3:31 PM | Attacker swaps 5,726,725 USDC for 38,261 SOL via Jupiter. | bR4Y…Lz7H |
| April 26 3:32 PM | Attacker borrows 1,211.4 SOL. | 3Lck…ZvGP |
| April 26 3:37 PM | Attacker transfers 39,474.5 SOL to Wallet 3 (4Qsq…HgCV). | 4uG4…igN7 |
| April 26 3:47 PM - 4:23 PM | Loopscale disables new borrows from Vaults, disables new borrows from the protocol, and then pauses all protocol functionality. | |
| April 26 3:52 PM | Loopscale creates war room with SEAL 911 via Telegram. | |
| April 26 4:55 PM - 5:08 PM | Attacker swaps 10 SOL for ETH to fund Wallet 4 (0x05…038c) via ChangeNow and bridges a total of 15,000 SOL via Wormhole. | 3vLa…n8iJ, 4KHQ…1QU2, Fcaf…ahTH |
| April 26 5:10 PM | Attacker initiates bridge of 20,000 SOL to Wallet 4 via Wormhole. | 5Xzy…Gm1e |
| April 26 8:15 PM | Loopscale re-enables loan repayment and close-loop functionality. | |
| April 27 4:38 AM | Attacker transfers 15,000 WSOL and 0.5 ETH to Wallet 5 (0xc9…7Fe8). | 0xed…8b85, 0x6e…2150 |
| April 27 10:12 AM | Loopscale sends an on-chain message to Wallet 4. On-chain and email communications follow. | 0x6d…d646 |
| April 27 6:54 PM | Attacker returns 5,000 SOL to Loopscale (0xc4…5329). | 0x4a…72f0 |
| April 28 6:18 AM | Attacker returns 10,000 SOL to Loopscale. | 0x17…95ce |
| April 28 7:03 PM | Attacker returns 4,463.95 SOL to Loopscale (stnD…JH4j). | 66Yq…axei |
| April 29 7:16 PM - 7:33 PM | 20,000 SOL bridged transfer settles on Ethereum. Attacker returns settled funds, completing fund recovery. | 0xda…a110, 0xa9…7860 |
| April 30 7:11 PM | Loopscale re-enables Advanced Lending management/withdrawals. | |
| May 8 2:00 PM | Loopscale re-enables vault withdrawals following additional code reviews. | |

Impact

The exploit impacted the USDC and SOL Genesis Vaults, leading to temporary losses of 5,726,724.97 USDC across 3,126 depositors and 1,211.4 SOL across 2,047 depositors. All funds were fully recovered through coordinated efforts with ecosystem partners. Loopscale is reimbursing a $29,000 discrepancy caused by the attacker swapping USDC at less favorable rates than those at which the funds were later reacquired. No user deposits incurred any loss.

The vulnerability was limited to loans backed by RateX principal tokens. No other vaults or advanced lending positions were affected. Existing safeguards, including market isolation, collateral segregation, and liquidity buffers, helped contain the impact.

In response, protocol functionality was paused. Loan repayments and closure of Loops were re-enabled on April 26, followed by Advanced Lending position management/withdrawals on April 30. Vault withdrawals were enabled today, May 8, with 24-hour per-user limits. Borrowing and looping remain paused pending the completion of Sec3’s audit and security improvements.

Response & Remediation

Immediate Mitigation

Several existing protocol safeguards helped contain the impact of the exploit:

  • Market Isolation: Eligible collateral configurability ensured no other vaults or Advanced Lending positions were affected.
  • Non-Rehypothecated Collateral: Per-loan collateral segregation ensured the safety of borrower collateral deposits.
  • Liquidity Buffers: Withdrawal buffers limited the funds at risk.
  • Emergency Protocol Pause: Core functionality was paused shortly after the exploit occurred.

While these measures helped reduce the scale of the incident, they were far from sufficient. Future releases will include significantly stronger safeguards to prevent similar failures.

Fund Recovery

Following the exploit, Loopscale engaged SEAL 911 to coordinate incident response. Over the next 12 hours, we shared exploit details with Wormhole Network contributors, notified centralized exchanges and swapping services to restrict off-ramping or swapping, and escalated the case with law enforcement. Due to the sensitive nature of the incident, we cannot comment on the investigation any further for now.

Communications with the attacker were initiated via an on-chain message the morning of April 27, leading to the full return of misappropriated funds over the next 48 hours.

Vulnerability Patch

To close the vulnerability, the exploited check was updated to enforce strict validation of RateX program IDs during loan health checks. All related instructions were reviewed to ensure reliability and integrity of program inputs.

These changes eliminate the exploit vector by ensuring that only validated program accounts can be used during loan execution. The patch was reviewed by Sec3 and two additional third-party security auditors.
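As an added illustration (not Loopscale's or RateX's code), the following Rust sketch models both the gap described in the Exploit Analysis and the patch described above: a PT pricing path that trusts whatever program account the borrower passes, beside one that checks the program ID against an allowlist before making the CPI. The Pubkey stand-in, RateXRegistry, the 1e6 price scale and every address and price are constructed for the example.

```rust
use std::collections::HashSet;
/// 32-byte address, standing in for solana_program::Pubkey (no Solana crates needed here).
pub type Pubkey = [u8; 32];
#[derive(Debug, PartialEq)]
pub enum PricingError {
    UntrustedPricingProgram, // program account is not a verified RateX market program
    Overflow,
}
/// Whatever answers a get_pt_price CPI; a genuine market and a spoofed program both fit.
pub trait PtPriceSource {
    fn program_id(&self) -> Pubkey;
    fn get_pt_price(&self) -> u64; // underlying units per PT, scaled by 1e6 (constructed scale)
}
/// A market program as the lending program sees it: an address plus the price it reports.
pub struct Market { pub id: Pubkey, pub price: u64 }
impl PtPriceSource for Market {
    fn program_id(&self) -> Pubkey { self.id }
    fn get_pt_price(&self) -> u64 { self.price }
}
/// Allowlist of RateX market program IDs verified out of band (an admin-set parameter).
pub struct RateXRegistry { allowed: HashSet<Pubkey> }
impl RateXRegistry {
    pub fn new(ids: &[Pubkey]) -> Self { Self { allowed: ids.iter().copied().collect() } }
    pub fn is_allowed(&self, id: &Pubkey) -> bool { self.allowed.contains(id) }
}
/// Vulnerable path: prices PT collateral via whichever program account the caller supplied.
pub fn pt_value_unchecked(src: &dyn PtPriceSource, pt_amount: u64) -> Result<u64, PricingError> {
    let raw = pt_amount.checked_mul(src.get_pt_price()).ok_or(PricingError::Overflow)?;
    Ok(raw / 1_000_000)
}
/// Hardened path: the program ID must be on the allowlist before any CPI is made.
pub fn pt_value_checked(reg: &RateXRegistry, src: &dyn PtPriceSource, pt_amount: u64) -> Result<u64, PricingError> {
    if !reg.is_allowed(&src.program_id()) {
        return Err(PricingError::UntrustedPricingProgram);
    }
    pt_value_unchecked(src, pt_amount)
}

/// Loan health: a borrow passes only if collateral value * LTV (in bps) covers it.
pub fn borrow_is_healthy(collateral_value: u64, ltv_bps: u64, borrow: u64) -> bool {
    (collateral_value as u128 * ltv_bps as u128) / 10_000 >= borrow as u128
}

/// Constructed scenario: one verified market pricing PT at 0.97 and a spoof claiming 1000.0.
pub fn scenario() -> (RateXRegistry, Market, Market) {
    let genuine = Market { id: [1u8; 32], price: 970_000 };
    let spoofed = Market { id: [9u8; 32], price: 1_000_000_000 };
    (RateXRegistry::new(&[genuine.id]), genuine, spoofed)
}
```

With the unchecked path, the spoofed price makes an otherwise undercollateralized borrow pass the health check; the checked path rejects the spoofed program before its price is ever read.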

Security Improvements

To strengthen protocol security and prevent future exploits, Loopscale is introducing a comprehensive set of technical and operational safeguards:

Core Protocol Safeguards

  • Expanded Audit Coverage: Our ongoing engagement with Sec3 covers the full program library, including all collateral pricing integrations. Additional audits are scheduled to be completed in the coming months.
  • Bug Bounty Program: Following the completion of additional audits, Loopscale will launch a formal bug bounty program.
  • Progressive, Feature-Specific Audits: No program functionality or updates will be deployed without a formal third-party audit.
  • Operational Monitoring: While Loopscale has a number of monitoring and alerting systems in place, additional weekly reviews of failed transactions, backend logs (tracked via Sentry), and anomalous RPC activity are now formalized as operational procedures.
  • Program Access Controls: Market, vault, and oracle parameter updates are now gated by multisig authorization as an additional safeguard against unauthorized changes.

These measures reflect a broader shift toward security-first development we are committed to sustaining across all future releases.

Program-Level Vault Risk Controls

In the next protocol release, Loopscale will expand risk management functionality for Vaults and Advanced Lending Positions to mitigate systemic risks, manage liquidity flows, and contain abnormal activity. This release will include:

  • Borrow, Supply, and Withdrawal Caps: Time-based and total limits
  • Collateral Exposure Limits: Constraints on how much can be borrowed against a single asset to reduce concentration risk
  • Loan Approval Thresholds: Manual and delayed approval mechanisms for large loans
  • Withdrawal Queues: FIFO processing for transparent and orderly withdrawals during stressed market conditions

All parameters are optional and configurable per-vault by the Vault Curator and per-position by Advanced Lending depositors. Future Vaults curated by Loopscale will adopt a conservative risk profile leveraging this functionality.

Temporary Instruction Co-Signing

To reinforce protocol integrity ahead of additional audits, Loopscale has introduced a temporary security measure requiring all instruction calls to be programmatically co-signed by Loopscale. This means every transaction must be constructed and validated by our backend server before execution, adding a layer of off-chain security on top of the standard program logic.

This measure directly mitigates the vector used in Saturday’s exploit, whereby malicious programs were able to invoke our program instructions with unverified data. Importantly, users remain fully in control of their funds. Our backend cannot initiate transactions independently.

This will serve as a short-term safeguard until pending audits are completed.

Looking Ahead

We sincerely apologize for the disruption this incident has caused our users and partners. We recognize the importance of trust in the DeFi ecosystem, and we are committed to restoring it through transparent, verifiable measures.

This event has surfaced areas for operational and infrastructural improvements. In response, we are implementing safeguards and processes to make Loopscale more resilient and secure going forward.

The re-enablement of full protocol functionality will be rolled out in stages, with user safety and confidence as our top priorities. We’ll be sharing more about the path forward soon.

Thank you again to the community for your continued support and contributions. Your trust is not taken for granted. We remain committed to rebuilding trust, building a stronger Loopscale, and pioneering the next generation of on-chain credit.