On April 26, 2025, at 15:28 UTC, Loopscale, a Solana-based DeFi lending and borrowing protocol, suffered a $5.8 million exploit representing 12% of its ~$40 million TVL. The protocol had launched just two weeks earlier, on April 10, after a six-month closed beta.

The attacker deployed a malicious program (BdADVdaAdDbFo85EP2ynEanQQMDDJgPyTZmAKtaHKRbK) to manipulate the protocol's pricing mechanism for RateX PT tokens. This enabled a series of undercollateralized loans that drained ~5.7 million USDC and 1,200 SOL from the USDC and SOL vaults via key transactions like 3LcknBmavGUAMJvNMAc5xwsLqFaKs3vfguWsoTNYzpBv76B4ChiagitSHogpdMwWZpuKDV3a62uT4wXn2SvLZvGP and 55dmSjy4Whjfqbfp8LwRduzTwz1fDeLu6aj8STqDXeiezZneNJwr2XiX3Qy7yWb2G2DL3d991ACD6sejNkQ7eH5Q. The stolen USDC was swapped for SOL and bridged via Wormhole to an EVM wallet (0xc9d30E520Af584d0867FfC71DE162f1C09987Fe8) from attacker wallets 4QsqugQcrCuSVzU9WjeLDoR6HaaSZtMEZr5JCyxwHgCV and C1QyPYoWQiueqhtLeaG5Nhkv1LJ8oweBNCbfGJ3LprYT, but funds were later frozen.

Loopscale co-founder Mary Gooneratne confirmed the breach on X, immediately pausing lending markets while re-enabling loan repayments, top-ups, and loop closures; vault withdrawals remained restricted during the investigation. Backed by $4.25 million from Solana Labs and Coinbase Ventures (originally Bridgesplit), the protocol features order book matching for fixed-rate loans across 40+ pairs such as JitoSOL and BONK. It worked with law enforcement and security firms on the response; a February 2025 OShield audit had missed the pricing flaw.

On April 27, Loopscale offered a 10% bounty (~$580,000) for the return of 90% of the funds, with a liability release; the attacker responded on April 28, leading to successful negotiations. By April 29, ~$2.88 million in 19,463 WSOL was recovered, and ultimately all funds (~5.7M USDC and 1,211 SOL) were returned with no user losses, highlighting effective tracing, blocking, and white-hat diplomacy.
The incident came amid $1.6B in hacks during Q1 2025 (90% from Bybit) and underscores the risks facing a Solana DeFi protocol two weeks post-launch. It argues for TWAP pricing, robust oracle resistance, comprehensive audits for complex collateral, and multi-sig/off-chain protections, even though the flaw itself was on-chain.
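The TWAP recommendation above, sketched as an added Rust example (not Loopscale's code; the report does not describe the protocol's actual pricing logic). It shows how a lending check that prices collateral from a time-weighted average with a deviation bound rejects a short price spike that a spot-only check would accept. All type names, function names, thresholds and price data are constructed for illustration.

```rust
// Added example: TWAP-guarded collateral pricing. Names and numbers are constructed.
#[derive(Clone, Copy)]
pub struct Obs { pub ts: u64, pub price: u64 } // price in micro-USD per token

#[derive(Debug, PartialEq)]
pub enum PriceError { NoHistory, SpotDeviates { spot: u64, twap: u64 } }

/// Time-weighted average over [now - window, now]; observations must be sorted
/// by timestamp, and each price holds until the next observation.
pub fn twap(obs: &[Obs], now: u64, window: u64) -> Option<u64> {
    let start = now.saturating_sub(window);
    let (mut weighted, mut total) = (0u128, 0u128);
    for (i, o) in obs.iter().enumerate() {
        let end = obs.get(i + 1).map_or(now, |n| n.ts).min(now);
        let begin = o.ts.max(start);
        if end > begin {
            weighted += o.price as u128 * (end - begin) as u128;
            total += (end - begin) as u128;
        }
    }
    if total == 0 { None } else { Some((weighted / total) as u64) }
}

/// Price used for lending: reject if spot is more than max_dev_bps away from
/// the TWAP, otherwise take the lower of the two (conservative for collateral).
pub fn guarded_price(obs: &[Obs], spot: u64, now: u64, window: u64, max_dev_bps: u64)
    -> Result<u64, PriceError> {
    let avg = twap(obs, now, window).ok_or(PriceError::NoHistory)?;
    let diff = spot.abs_diff(avg) as u128;
    if diff * 10_000 > avg as u128 * max_dev_bps as u128 {
        return Err(PriceError::SpotDeviates { spot, twap: avg });
    }
    Ok(spot.min(avg))
}

/// Maximum loan in micro-USD for `amount` tokens at a loan-to-value in basis points.
pub fn max_borrow(amount: u64, price: u64, ltv_bps: u64) -> u64 {
    (amount as u128 * price as u128 * ltv_bps as u128 / 10_000) as u64
}

/// Constructed history: stable at 1.00 USD, then a one-second spike to 5.00 USD.
pub fn sample() -> Vec<Obs> {
    vec![Obs { ts: 0, price: 1_000_000 }, Obs { ts: 300, price: 1_000_000 },
         Obs { ts: 599, price: 5_000_000 }]
}

fn main() {
    println!("spot-only loan: {}", max_borrow(1_000, 5_000_000, 8_000));
    println!("guarded: {:?}", guarded_price(&sample(), 5_000_000, 600, 600, 500));
}
```

With the constructed data, the spot-only calculation would lend against the 5.00 USD spike, while the guarded path returns an error because spot sits far outside the 5% band around the ten-minute average.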