Full Report
Loopscale is a modular lending protocol deployed on Solana. It recently suffered a $5.7M hack that affected many of the platform's users. So, what was the bug?

On Solana, every program and account a transaction touches must be passed in explicitly by the caller. If the callee never checks those addresses, the caller effectively decides what the program does. In this case, Loopscale made a cross-program invocation to the RateX vault to price principal-token collateral, but the program being invoked was not verified on the call, so any program exposing the same instruction interface could be substituted for it. I'm not sure what value was supposed to be returned from the RateX contracts, but it was something important for tracking assets. From reading tweets, it appears that the prices were being manipulated. Of course, if you can specify the incorrect price, you can perform trades at terrible price points to steal money.

Otherwise, the program had a good design. The exploit was limited to RateX principal tokens, which meant that no other vaults or lending positions were affected. Market isolation and collateral segregation really helped reduce the impact.

Going forward, they are adding time-based limits, exposure limits, and approval requirements for very large loans, giving the protocol more control. Several updates will also be gated by a multisig, and they will expand their audit coverage. Small changes can have devastating consequences, so to combat this they plan on having all code reviewed before launch. They also plan on launching a bug bounty program. Overall, an interesting report and set of takeaways from a real-world hack.
Analysis Summary
# Incident Report: Loopscale Pricing Logic Exploitation
## Executive Summary
On April 26, 2025, Loopscale, a Solana-based modular lending protocol, was exploited for approximately $5.8 million due to a vulnerability in its collateral pricing logic for RateX principal tokens. The attacker used a malicious program to spoof the RateX vault price, enabling the extraction of USDC and SOL through undercollateralized loans. All funds were subsequently recovered following negotiations with the threat actor.
## Incident Details
- **Discovery Date:** April 26, 2025
- **Incident Date:** April 26, 2025
- **Affected Organization:** Loopscale
- **Sector:** Decentralized Finance (DeFi) / Blockchain
- **Geography:** Global / Distributed (Solana Ecosystem)
## Timeline of Events
### Initial Access
- **Date/Time:** April 26, 2025, 12:51 PM UTC
- **Vector:** External Funding/Smart Contract Interaction
- **Details:** The attacker funded a wallet via ChangeNow (swapping Monero for SOL). Between 1:16 PM and 1:34 PM UTC, the attacker acquired legitimate PTUSDe and PTkySOL tokens via RateX to prepare for the exploit.
### Lateral Movement
- **Details:** Not traditionally applicable; the attacker moved within the protocol's logic by deploying a malicious spoofing program that mimicked the `get_pt_price` instruction interface of the RateX market.
### Data Exfiltration/Impact
- **Details:** The attacker took out a series of undercollateralized loans. The unauthorized outflow totaled 5,726,724.97 USDC and 1,211.4 SOL from the protocol's Genesis Vaults.
### Detection & Response
- **Discovery:** Rapidly detected on-chain following the liquidity drain.
- **Response Actions:** Loopscale engaged multiple security firms (Asymmetric Research, Sec3, SEAL 911, Peckshield, OtterSec, and Almanax) to isolate the bug, negotiate with the attacker, and recover the stolen assets.
## Attack Methodology
- **Initial Access:** Manipulation of protocol logic via a new, unaudited integration path.
- **Persistence:** N/A (One-time exploit transactions).
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Use of a malicious program to spoof a trusted interface (`RateX PT market`) that lacked validation.
- **Credential Access:** N/A.
- **Discovery:** Attacker identified that non-Loop borrows collateralized by RateX tokens lacked account validation checks.
- **Lateral Movement:** N/A.
- **Collection:** Automated extraction of USDC and SOL via undercollateralized debt positions.
- **Exfiltration:** Transfer of funds to attacker-controlled wallets.
- **Impact:** Financial drain of the USDC and SOL Genesis Vaults via price manipulation.
## Impact Assessment
- **Financial:** Initial loss of ~$5.7M USDC and ~1,211 SOL (Recovered).
- **Data Breach:** None (Public blockchain transaction data only).
- **Operational:** Protocol functionality was temporarily suspended; Genesis Vaults were impacted.
- **Reputational:** High; incident highlighted a failure in the internal code review and deployment process for new integrations.
## Indicators of Compromise
- **Wallet Address:** 84dzVMA58eStQZSMLBn4pmhmeTZ13ub8HfF1BYxXdA4V
- **Transaction Hash (Funding):** hxxps://solscan[.]io/tx/5gUkHPyAoKu7i2TmrWaQT4RxjV3wvY4XnH3VuyUzGZQJMZGsDb4KrZSQJez6sqWspNB8xiCsmvrDkFDCj6oDMkEb
- **Behavioral:** Deployment of a program spoofing the `get_pt_price` instruction to return inflated values.
## Response Actions
- **Containment:** Identified the specific vulnerable code path (RateX PT pricing) and paused affected interactions.
- **Eradication:** Introduced a temporary requirement for all instruction calls to be programmatically co-signed by Loopscale's backend.
- **Recovery:** Successfully negotiated the return of 100% of the funds; currently implementing a staged rollout of protocol functionality.
## Lessons Learned
- **Audit Gaps:** The exploited code was deployed as part of a new integration and had not undergone a third-party audit.
- **Validation Failures:** While Loopscale validated other providers (Exponent), it failed to apply consistent validation logic to the RateX integration.
- **Isolation Success:** Market isolation and collateral segregation prevented the exploit from spreading to other vaults or lending positions.
## Recommendations
- **Mandatory External Review:** Implement a strict policy where no program code is deployed to mainnet without a third-party audit.
- **Strict Account Validation:** Ensure every Cross-Program Invocation (CPI) verifies the identity of the program being called (compare the passed program account against the expected program id) and the ownership of any account whose data is read, before trusting what the call returns.
- **Enhanced Guardrails:** Implement time-based limits, exposure limits, and multisig requirements for protocol updates.
- **Bug Bounty:** Launch a formal bug bounty program to incentivize ethical disclosure of vulnerabilities.
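The following is an added example, not Loopscale's or RateX's code, that models the missing check described in the Full Report (the unverified CPI to the RateX vault) and in the Strict Account Validation recommendation above. It is plain Rust with no Solana dependencies: the `Runtime` stands in for the chain's program table, the program ids, prices, and LTV are assumed placeholders, and the `get_pt_price` handlers are hypothetical. The point it shows is that the CPI target is whatever program account the borrower supplied, so a borrower can route the price lookup to their own program unless the callee's program id and the market account's owner are pinned first.

```rust
// Added example (not Loopscale/RateX code): pure-Rust model of an unchecked CPI
// to a `get_pt_price` instruction and its hardened form. All ids/prices assumed.
use std::collections::HashMap;

type Pubkey = [u8; 32];

/// Program id Loopscale should require for PT pricing (assumed placeholder).
pub const RATEX_PROGRAM_ID: Pubkey = [0xA1; 32];
/// Program id of the attacker's spoof program (assumed placeholder).
pub const SPOOF_PROGRAM_ID: Pubkey = [0xB2; 32];

/// Stand-in for solana_program::AccountInfo with only the fields the check needs.
#[derive(Clone, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,
    pub executable: bool,
}

/// A `get_pt_price` handler: takes the PT market account, returns price in 1e6 fixed point.
type PtPriceHandler = fn(&AccountInfo) -> Result<u64, String>;

/// Stand-in for the runtime's program table. As on-chain, the CPI target is
/// whichever program id the *caller* passed in the account list.
pub struct Runtime {
    programs: HashMap<Pubkey, PtPriceHandler>,
}

impl Runtime {
    pub fn new() -> Self {
        let mut programs: HashMap<Pubkey, PtPriceHandler> = HashMap::new();
        programs.insert(RATEX_PROGRAM_ID, ratex_get_pt_price);
        programs.insert(SPOOF_PROGRAM_ID, spoof_get_pt_price);
        Runtime { programs }
    }

    /// Models `invoke()` of a `get_pt_price` instruction on `program`.
    pub fn invoke_get_pt_price(&self, program: &AccountInfo, pt_market: &AccountInfo) -> Result<u64, String> {
        let handler = self.programs.get(&program.key).ok_or("program not found")?;
        handler(pt_market)
    }
}

/// Legitimate handler: PT trades slightly below par (assumed price 0.98).
fn ratex_get_pt_price(pt_market: &AccountInfo) -> Result<u64, String> {
    if pt_market.owner != RATEX_PROGRAM_ID {
        return Err("market account not owned by RateX".into());
    }
    Ok(980_000)
}

/// Attacker's program: same instruction interface, inflated price (assumed 980.0).
fn spoof_get_pt_price(_pt_market: &AccountInfo) -> Result<u64, String> {
    Ok(980_000_000)
}

/// pt_amount (whole tokens) * price (1e6 fixed point) -> value in quote units.
fn collateral_value(pt_amount: u64, price_1e6: u64) -> Result<u64, String> {
    let v = (pt_amount as u128) * (price_1e6 as u128) / 1_000_000;
    u64::try_from(v).map_err(|_| "overflow".to_string())
}

/// Vulnerable path: trusts whichever pricing program account the borrower passed.
pub fn max_borrow_vulnerable(rt: &Runtime, pricing_program: &AccountInfo, pt_market: &AccountInfo, pt_amount: u64, ltv_bps: u64) -> Result<u64, String> {
    let price = rt.invoke_get_pt_price(pricing_program, pt_market)?;
    let value = collateral_value(pt_amount, price)?;
    Ok(value * ltv_bps / 10_000)
}

/// Hardened path: pin the callee's program id and executable flag, and require
/// the market account to be owned by that program, before making the CPI.
pub fn max_borrow_hardened(rt: &Runtime, pricing_program: &AccountInfo, pt_market: &AccountInfo, pt_amount: u64, ltv_bps: u64) -> Result<u64, String> {
    if pricing_program.key != RATEX_PROGRAM_ID {
        return Err("pricing program id mismatch".into());
    }
    if !pricing_program.executable {
        return Err("pricing program account is not executable".into());
    }
    if pt_market.owner != RATEX_PROGRAM_ID {
        return Err("pt market account not owned by RateX".into());
    }
    max_borrow_vulnerable(rt, pricing_program, pt_market, pt_amount, ltv_bps)
}

/// Runs honest, spoofed, and hardened-vs-spoofed borrows on constructed accounts.
pub fn spoof_scenario() -> (Result<u64, String>, Result<u64, String>, Result<u64, String>) {
    let rt = Runtime::new();
    // Program accounts: owner would be the BPF loader on-chain; zeroed here as a placeholder.
    let ratex = AccountInfo { key: RATEX_PROGRAM_ID, owner: [0; 32], executable: true };
    let spoof = AccountInfo { key: SPOOF_PROGRAM_ID, owner: [0; 32], executable: true };
    let real_market = AccountInfo { key: [0xD4; 32], owner: RATEX_PROGRAM_ID, executable: false };
    // Attacker-created "market" account, owned by the spoof program rather than RateX.
    let fake_market = AccountInfo { key: [0xC3; 32], owner: SPOOF_PROGRAM_ID, executable: false };
    let pt_amount = 1_000_000; // assumed collateral: 1,000,000 PT
    let ltv_bps = 8_000; // assumed 80% LTV
    let honest = max_borrow_vulnerable(&rt, &ratex, &real_market, pt_amount, ltv_bps);
    let exploited = max_borrow_vulnerable(&rt, &spoof, &fake_market, pt_amount, ltv_bps);
    let blocked = max_borrow_hardened(&rt, &spoof, &fake_market, pt_amount, ltv_bps);
    (honest, exploited, blocked)
}

fn main() {
    let (honest, exploited, blocked) = spoof_scenario();
    println!("honest max borrow:   {:?}", honest);
    println!("spoofed max borrow:  {:?}", exploited);
    println!("hardened path:       {:?}", blocked);
}
```

With the assumed numbers, the honest borrow caps at 784,000 while the spoofed one caps at 784,000,000 against the same collateral; the hardened path rejects the spoofed program before any CPI happens. In an Anchor program the equivalent checks are the `Program<'info, T>` account type for the callee and the `owner = ` account constraint for the market account; the page notes Loopscale already applied such validation to its Exponent integration but not to the RateX one.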