Solana DeFi’s Loopscale Loses $5.8M in Major Breach
Loopscale, a Solana-based DeFi platform, reported a major security breach that impacted its USDC and SOL vaults, resulting in a loss of approximately $5.8 million, or about 12% of its total value.
This exploit occurred just two weeks after the platform’s official launch.
Mary Gooneratne, co-founder of Loopscale, confirmed that the attack was carried out by exploiting under-collateralised loans.
Investigations traced the vulnerability to a flaw within the platform’s RateX-based collateral pricing system, where attackers manipulated RateX PT token pricing functions.
This exploitation led to the theft of 1,200 SOL and $5.7 million in USDC.
Notably, Loopscale emphasized that the RateX protocol itself was not compromised.
Loopscale Limits Certain Functions Following Exploit
In response to the breach, Loopscale temporarily suspended all markets to assess the extent of the damage.
After a brief downtime, the protocol resumed certain functions, allowing loan repayments, collateral top-ups, and the closing of positions, while vault withdrawals remained restricted.
The breach primarily impacted Loopscale’s USDC and SOL vault depositors; borrowers and loopers were not directly affected.
Loopscale has committed to providing transparency on the number of users impacted, outlining how vault holders can access their funds, and releasing a detailed technical post-mortem.
OShield, which audited the protocol in January and February of this year, flagged several vulnerabilities; according to Loopscale’s FAQ, these were later addressed.
An ongoing audit by Sec3 is currently assessing the protocol’s security.
Exploiter Willing to Return Stolen Funds for Bounty
In an effort to recover the stolen funds, Loopscale extended a 10% bounty offer to the attacker and proposed a whitehat agreement.
The platform requested the return of 90% of the stolen assets, warning that legal action would follow if the attacker failed to respond by 28 April.
Loopscale is collaborating with security firms and law enforcement agencies to address the breach.
Loopscale added:
“We agree to allow you to retain a bounty of 10% of the funds (3,947 SOL) and release you from any and all liability regarding the attack.”
As of the latest update, the attacker has shown a willingness to return the stolen funds in exchange for the offered bounty.
DeFi Sector Has Lost Almost $2B to Attacks in 2025
By Q1 2025, over $1.6 billion had been lost in DeFi attacks, with platforms like zkLend, Ionic Money, Cardex, Four.Meme, Cashverse, BankX, and GoldReserve NFT among those impacted.
February alone saw more than $1.53 billion drained in nine separate incidents, marking a 20% increase from January and an 18-fold surge from February 2024.
High-profile breaches, such as Bybit’s $1.46 billion hack in February, have shaken industry confidence.
This alarming trend highlights growing concerns over the security vulnerabilities of DeFi platforms in 2025.
Tim Haldorsson, founder of Lunar Strategy, raised the critical question of whether the potential returns from DeFi justify the escalating risks of exploitation.