Loopscale loses $5.8M in oracle attack

Partial recovery is already in motion, according to the Loopscale team

This is a segment from the Lightspeed newsletter. To read full editions, subscribe.


Loopscale Labs had one tough weekend.

Bad actors on Saturday exploited Loopscale’s pricing functions to make loan collateral seem worth more than it really was, resulting in the theft of approximately $5.7 million in USDC and 1,200 SOL (or around 12% of the platform’s total assets).

It’s obviously not ideal to suffer an exploit just two weeks after launching, but this isn’t your typical “DeFi protocol caught with its pants down” moment. On the contrary, many DeFi folks have rallied behind Loopscale’s response to the exploit, applauding the team’s speed, professionalism and commitment to user recovery. 

Loopscale USDC and SOL vault depositors do face losses, though early signs seem to point to a partial or even full recovery. 

For those unfamiliar, Loopscale’s story ‘til now unfolds thusly. 

Loopscale is a decentralized finance (DeFi) project that automates recursive leverage to make yield farming more efficient. Loopscale’s bread and butter is “looping” — repeatedly borrowing and redepositing assets to amp up yield and capital efficiency. They weren’t the first team to try to morph this premise into a mainstream financial primitive, but they have quickly become one of the most compelling. Honestly, it’s pretty neat work.

While the looping process has historically been dangerous, Loopscale’s system offered automation, liquidation protection features, and a user experience that abstracted away many of those perceived risks. Loopscale’s vaults, known for their attractive yields and tokenized market integrations, became a favorite among farmers looking for structured, lower-friction leverage. 

Founded by a small but technically strong team, Loopscale built a reputation as one of the more serious players among Solana’s DeFi cohort.

At the core of Loopscale’s recent growth was its adoption of RateX’s Principal Token (PT) markets. Simply put, Principal Tokens are created by splitting a yield-bearing asset into two components — principal and yield — allowing users to trade, hedge, or lock in fixed returns more flexibly. In Loopscale’s case, PT tokens were used as collateral in the vaults on the assumption that their pricing would remain tightly aligned to predictable discounting curves.

But then, on April 26, that predictable curve broke.

According to Loopscale, a person with malicious intent manipulated how its vault system priced the RateX PT tokens, making the tokens seem worth more than they were. As a result, the attacker was able to take out a series of loans that were not fully backed by collateral, managing to withdraw $5.7 million USDC and 1,200 SOL from Loopscale’s vaults.

The vulnerability was not in RateX itself, as Loopscale has emphasized. The issue was in how Loopscale’s contracts priced the RateX tokens.
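To make the failure mode concrete, here is an added example (not Loopscale's or RateX's code) of a lender-side check that compares a reported PT price against a discount curve before sizing a loan. The article does not describe the actual pricing function, so the discount formula, field names and thresholds below are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600

@dataclass(frozen=True)
class PtMarket:              # hypothetical risk parameters for one PT collateral type
    maturity_ts: int         # unix time at which one PT redeems for one underlying
    implied_rate: float      # annualised fixed rate behind the discount curve
    max_deviation: float     # tolerated relative gap between feed and curve
    ltv: float               # maximum loan-to-value ratio

def curve_price(m: PtMarket, underlying_price: float, now_ts: int) -> float:
    """Value of one PT on the discount curve: underlying / (1 + r)^t, par at maturity."""
    years = max(m.maturity_ts - now_ts, 0) / SECONDS_PER_YEAR
    return underlying_price / (1.0 + m.implied_rate) ** years

def collateral_price(m, reported_price, underlying_price, now_ts):
    """Price to lend against; raises when the reported price leaves the curve."""
    if reported_price <= 0 or underlying_price <= 0:
        raise ValueError("non-positive price")
    fair = curve_price(m, underlying_price, now_ts)
    if abs(reported_price - fair) / fair > m.max_deviation:
        raise ValueError(f"reported {reported_price} vs curve {fair:.4f}: rejected")
    # Lend against the lower of the two, so feed error never raises borrowing power.
    return min(reported_price, fair)

def max_borrow(m, pt_amount, reported_price, underlying_price, now_ts):
    return pt_amount * collateral_price(m, reported_price, underlying_price, now_ts) * m.ltv

def accepts(m, reported_price, underlying_price, now_ts) -> bool:
    try:
        collateral_price(m, reported_price, underlying_price, now_ts)
        return True
    except ValueError:
        return False

# Constructed sample: PT maturing in one year, 25% implied rate, 5% band, 75% LTV.
NOW = 1_745_000_000
MARKET = PtMarket(NOW + SECONDS_PER_YEAR, 0.25, 0.05, 0.75)

if __name__ == "__main__":
    print(max_borrow(MARKET, 1000, 0.81, 1.0, NOW))   # honest feed
    print(accepts(MARKET, 1.60, 1.0, NOW))            # inflated feed
```

With these constructed numbers, a feed reporting double the curve value is refused outright instead of doubling the borrower's credit line.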

RateX founder Sean Hu explained, “Based on our investigation, the Loopscale incident has been confirmed as an oracle attack. The attacker manipulated the oracle price of collateral on Loopscale to borrow 5.8 million dollars, draining funds from the lending pool. RateX’s protocol itself has no security issues, and no RateX users suffered losses in this incident.”

RateX also confirmed it is assisting Loopscale in tracking the hacker and recovering funds.

As soon as Loopscale detected the exploit, it halted all market functions to prevent further damage — disabling new loops, deposits and withdrawals across the platform while working to triage the situation.

In the immediate aftermath, Loopscale’s handling of the crisis drew frank praise. The team issued a clear initial disclosure, re-enabled critical functions like loan repayments and loop closing by the following day (big for protecting borrowers from unforeseen liquidations), and began coordinating with law enforcement and security professionals.

Then, on April 28, Loopscale announced it had successfully established contact with the attacker. The exploiter had responded to an onchain message proposing a white hat resolution, agreeing (tentatively) to return a portion of the stolen funds in exchange for a bounty.

While Loopscale initially offered a 10% reward, the exploiter countered with a 20% ask, citing frozen assets on crosschain bridges and offering to immediately return part of the stolen funds to prove good faith.

At the time of publication, negotiations remain ongoing. However, the initial signals are positive. A partial return appears to have already occurred, and Loopscale is preparing a detailed post-mortem and structured plan for resuming vault withdrawals. The team has also promised users a clear roadmap for what recovery will look like.

Updated on April 29, 2025 at 2:24 pm ET: Modified to reflect there were no early RateX contributors on the Loopscale team.

