$5 893 000 USD

APRIL 2025

GLOBAL

LOOPSCALE

DESCRIPTION OF EVENTS

Loopscale is a modular, next-generation lending platform designed for the evolving landscape of on-chain assets. It allows users to borrow and lend virtually any type of digital asset — including LP tokens, staked assets, and memecoins — while maintaining efficient, low-risk, and transparent market conditions. Its primary focus is on creating flexible, secure lending environments with the best possible rates and reduced volatility.

 

"Loopscale is a modular, order book–based lending protocol on Solana. It enables overcollateralized borrowing and lending across a wide range of digital assets, including staked tokens, liquidity provider positions, and more specialized primitives.

 

By replacing pooled liquidity and algorithmic rates with direct order book matching, Loopscale improves capital efficiency, enables more precise risk management, and supports new types of markets that are difficult to achieve with traditional DeFi architectures."

 

Loopscale enhances portfolio utility by allowing users to use diverse assets as collateral. Borrowers benefit from features like lower interest rates, increased borrowing power, and protection from market rate fluctuations. On the lending side, users can define lending parameters, access fixed-rate leverage opportunities, and pursue higher yields via direct lending mechanisms. Additionally, professional strategy managers offer curated vaults through the platform to maximize returns with tailored risk profiles.

 

The platform boasted over $25 million borrowed and $36 million supplied as of May 8th, 2025.

 

Loopscale's smart contracts contained a vulnerability in the handling of non-Loop borrows backed by RateX collateral: the program did not properly validate the source of the collateral's pricing data, so a malicious program could impersonate a RateX market, report an inflated price, and raise the apparent collateral value enough to pass the loan health check.

The exploit originated from incomplete validation in Loopscale's integration with the RateX program, specifically in how PT (principal token) prices were calculated. The vulnerable code was introduced on March 27, 2025, in an upgrade that added support for RateX collateral markets. The loan health check read PT exchange rates from a market account without strictly validating the RateX program ID behind it, so an attacker could deploy a program of their own that mimicked a RateX market and returned inflated PT exchange rates. Loopscale's health checks for non-Loop borrows accepted those rates, because the validations applied to other PT tokens were not consistently enforced on this path. The exploit was narrow and targeted: it abused a specific integration flaw rather than a weakness in Loopscale's core economic model, order book, or vault mechanics, all of which remained intact and unaffected.

 

"The vulnerability was limited to loans backed by RateX principal tokens. No other vaults or advanced lending positions were affected. Existing safeguards, including market isolation, collateral segregation, and liquidity buffers, helped contain the impact."

 

"The exploit impacted the USDC and SOL Genesis Vaults, leading to temporary losses of 5,726,724.97 USDC across 3,126 depositors and 1,211.4 SOL across 2,047 depositors."

 

"Following the exploit, Loopscale engaged SEAL 911 to coordinate incident response. Over the next 12 hours, we shared exploit details with Wormhole Network contributors, notified centralized exchanges and swapping services to restrict off-ramping or swapping, and escalated the case with law enforcement."

 

"To close the vulnerability, the exploited check was updated to enforce strict validation of RateX program IDs during loan health checks. All related instructions were reviewed to ensure reliability and integrity of program inputs."
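The pattern behind the integration flaw described above, and the program-ID check quoted as the fix, as an added illustrative example in Rust. This is not Loopscale's or RateX's code: it stands in for Solana's AccountInfo with a plain struct, and the program IDs, the market account layout, the rates and the loan-to-value numbers are all constructed placeholders. It shows a health check that reads a PT rate from whatever "market" account the caller passes in, next to the same check gated on the account's owning program.

```rust
// Added illustrative example, not Loopscale's or RateX's code. It models the
// Solana pattern behind the incident: a lending program reads a principal-token
// (PT) exchange rate from a "market" account supplied by the caller. If the
// program never checks which program owns that account, the caller can pass an
// account written by their own program that reports any rate they like.
// Program IDs, the account layout and all numbers are constructed placeholders.

type Pubkey = [u8; 32];

/// Placeholder for the genuine RateX program ID.
const RATEX_PROGRAM_ID: Pubkey = [0x11; 32];
/// Placeholder for an attacker-deployed program mimicking RateX's account layout.
const ATTACKER_PROGRAM_ID: Pubkey = [0xEE; 32];

/// Rates are fixed-point with six decimals (1_000_000 == 1.0 underlying per PT).
const RATE_SCALE: u128 = 1_000_000;

/// Minimal stand-in for Solana's AccountInfo. On Solana only the owning program
/// can write an account's data, so `owner` is what makes `data` trustworthy.
#[derive(Clone, Debug)]
struct AccountInfo {
    owner: Pubkey,
    data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
enum HealthError {
    /// Market account is not owned by the RateX program.
    UntrustedMarket,
    /// Market account is too short to hold a rate.
    MalformedMarket,
    /// Debt exceeds the allowed loan-to-value for the collateral.
    Undercollateralized,
}

/// Build a market account whose first 8 bytes hold the PT rate (little-endian).
fn build_market(owner: Pubkey, pt_rate: u64) -> AccountInfo {
    AccountInfo { owner, data: pt_rate.to_le_bytes().to_vec() }
}

/// Parse the PT rate out of a market account. No ownership check here on purpose:
/// this is the raw read that both versions of the health check share.
fn market_pt_rate(market: &AccountInfo) -> Result<u64, HealthError> {
    if market.data.len() < 8 {
        return Err(HealthError::MalformedMarket);
    }
    let mut bytes = [0u8; 8];
    bytes.copy_from_slice(&market.data[..8]);
    Ok(u64::from_le_bytes(bytes))
}

/// Collateral value in underlying units: pt_amount * rate / RATE_SCALE.
fn collateral_value(pt_amount: u64, pt_rate: u64) -> u128 {
    pt_amount as u128 * pt_rate as u128 / RATE_SCALE
}

/// Healthy when debt / collateral <= max_ltv_bps / 10_000, computed in integers.
fn is_healthy(pt_amount: u64, pt_rate: u64, debt: u64, max_ltv_bps: u64) -> bool {
    debt as u128 * 10_000 <= collateral_value(pt_amount, pt_rate) * max_ltv_bps as u128
}

/// BEFORE: trusts whatever account the caller labels as "the RateX market".
fn check_health_vulnerable(
    market: &AccountInfo,
    pt_amount: u64,
    debt: u64,
    max_ltv_bps: u64,
) -> Result<(), HealthError> {
    let rate = market_pt_rate(market)?;
    if is_healthy(pt_amount, rate, debt, max_ltv_bps) {
        Ok(())
    } else {
        Err(HealthError::Undercollateralized)
    }
}

/// AFTER: refuse any market account not owned by the genuine RateX program
/// before reading a single byte of price data from it.
fn check_health_fixed(
    market: &AccountInfo,
    pt_amount: u64,
    debt: u64,
    max_ltv_bps: u64,
) -> Result<(), HealthError> {
    if market.owner != RATEX_PROGRAM_ID {
        return Err(HealthError::UntrustedMarket);
    }
    check_health_vulnerable(market, pt_amount, debt, max_ltv_bps)
}

fn main() {
    let genuine = build_market(RATEX_PROGRAM_ID, 950_000); // 0.95 underlying per PT
    let spoofed = build_market(ATTACKER_PROGRAM_ID, 95_000_000); // claims 95.0 per PT
    // 1_000 PT of collateral against 50_000 units of debt at an 80% max LTV.
    println!("vulnerable, spoofed market: {:?}", check_health_vulnerable(&spoofed, 1_000, 50_000, 8_000));
    println!("fixed, spoofed market:      {:?}", check_health_fixed(&spoofed, 1_000, 50_000, 8_000));
    println!("fixed, genuine market:      {:?}", check_health_fixed(&genuine, 1_000, 50_000, 8_000));
}
```

The owner check is the whole fix: on Solana the only thing that ties an account's bytes to a program is the runtime's guarantee that just the owning program can write them, so a price read from an account whose owner was never compared against the expected program ID is attacker-controlled data. Anchor's typed `Account<'info, T>` wrapper performs this owner comparison automatically; a raw `AccountInfo` or `UncheckedAccount` does not, which is the kind of path where a check applied to other collateral types can quietly go missing.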

 

"All funds were fully recovered through coordinated efforts with ecosystem partners. Loopscale is reimbursing a $29,000 discrepancy caused by the attacker swapping USDC at less favorable rates than those at which the funds were later reacquired. No user deposits incurred any loss."

 

Loopscale is implementing a comprehensive set of technical and operational safeguards to enhance protocol security and prevent future exploits. Key measures include expanded audit coverage by Sec3, a forthcoming bug bounty program, and mandatory third-party audits for all new features. Operational monitoring is being formalized with weekly reviews of system activity, and stricter access controls now require multisig authorization for critical updates.

 


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.