QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$2 200 000 USD
JULY 2025
GLOBAL
TEXTURE FINANCE
DESCRIPTION OF EVENTS

Texture 2.0 is a next-generation modular lending platform built on Solana, aimed at democratizing access to capital and yield for digital asset holders and asset managers. Its core mission is to deliver a secure, transparent, and scalable decentralized lending infrastructure that promotes equal financial opportunity. With features like P2P loans and a user-friendly launch app, Texture 2.0 invites users to participate in a streamlined and inclusive lending ecosystem.
The platform focuses on unlocking leverage and liquidity across a wide range of asset types while reducing the risk of cascading liquidations and market fragmentation. Key borrower features include higher loan-to-value (LTV) ratios, soft liquidations to minimize penalties, and one-click leveraged strategies with automated management. Developers can also benefit from robust APIs for integration, enabling broader adoption and aggregation across DeFi platforms.
Texture 2.0 empowers users through smart vaults—single-asset investment pools managed by professional asset curators to optimize capital allocation and generate passive income. Asset managers can build and manage custom vaults, rebalance portfolios, and dynamically respond to market changes, all while earning performance fees. The platform is backed by industry-grade security, with recent audits from top firms like Certora and Kudelski, ensuring user funds are safeguarded by rigorous standards.
Unfortunately, the smart contract was missing a critical permission check, and the omission went undetected in both the internal review and the subsequent audit before the protocol launched.
Each Vault in Texture’s system acts as a liquidity allocator across multiple SuperLendy pools by withdrawing and depositing USDC, in exchange for LP tokens. These tokens are supposed to be stored securely in Vault-owned SPL Token accounts. However, the contract failed to check ownership of the destination token account during rebalancing. The only validation was that the account’s token mint matched the expected LP token.
The attacker exploited this by providing their own SPL Token account—one they fully controlled—during a rebalance. Since the contract didn’t confirm ownership, it sent LP tokens to the attacker’s account. Once in possession of these LP tokens, the attacker simply redeemed them for underlying USDC liquidity directly from SuperLendy, successfully draining approximately $2.2 million from the USDC Vault.
Losses are widely reported as $2.2m.
Texture Finance’s reaction to the exploit was swift and methodical. Upon detecting the attack, the team immediately activated "safe mode" for all SuperLendy reserves, halting any outflows of liquidity to contain further damage. They promptly informed their partners, security advisors, and auditors, and set up a dedicated war room to coordinate their response in real time.
To protect users, Texture Finance temporarily removed the "Earn" page from their website, preventing any new deposits into the affected Vaults. Simultaneously, a thorough technical investigation was launched, leading to the development of a fix for the vulnerable Vault contract.
The patched contract underwent an independent review by their auditing partner, Certora, and the team successfully reproduced the exploit to verify that the vulnerability had been eliminated. These steps reflect a proactive and transparent approach aimed at restoring platform security and user trust.
The team plans to deploy the fixed Vault contract and restore all SuperLendy reserves to normal operation, which will re-enable both withdrawals and borrowing for users. To ensure the updated contract is secure and functioning correctly, they will conduct a new audit.
Additionally, Texture Finance is implementing stronger internal security measures for smart contract development. This includes more rigorous code reviews and the introduction of automated tests focused specifically on identifying and preventing security vulnerabilities.
The hacker returned $1.98m, retaining $220k as a bounty for their cooperation.
Several aspects of the Texture Finance exploit situation remain ongoing, with the team still working to restore normal operations and address the aftermath. While the attacker returned 90% of the stolen funds after being offered a whitehat bounty, affected users—specifically USDC Vault depositors—have not yet regained access to their funds. The team has stated that a step-by-step plan for reopening withdrawals is being finalized, but this plan has not yet been released or implemented.
In addition to handling user withdrawals, Texture Finance is preparing to deploy a patched version of the exploited Vault contract. Before reactivating core protocol functions like borrowing and withdrawals, this updated contract must undergo a fresh security audit to ensure its correctness and resilience. Until then, all SuperLendy reserves remain in "safe mode," meaning liquidity remains locked within the protocol to prevent further risk.
The team is also in the process of overhauling their internal security practices. This includes implementing stricter smart contract development workflows, more rigorous peer reviews, and automated testing procedures that specifically target known vulnerability classes. These enhancements are not yet completed but are part of a broader initiative to prevent similar oversights in the future.
Texture 2.0, a modular lending platform on Solana, suffered a $2.2 million exploit due to a missing ownership check in its Vault contract’s rebalance function. The attacker redirected LP tokens to their own account and redeemed them for USDC from SuperLendy. In response, the team swiftly activated "safe mode," halted withdrawals, and began a full investigation, leading to a patched contract and plans for a new audit. The exploiter returned 90% of the funds after being offered a bounty, but affected users still await a finalized withdrawal plan as Texture Finance works to restore operations and strengthen internal security protocols.
HOW COULD THIS HAVE BEEN PREVENTED?
This vulnerability was caused by a basic but critical oversight—failing to enforce that only the Vault could receive LP tokens. It underscores a common security pitfall in smart contract development: overlooking simple ownership checks in favor of focusing on complex vulnerabilities. The attacker did not exploit some obscure logic flaw, but rather took advantage of a missing guard on a core operation, something that could have been caught with standard security reviews or automated testing frameworks.
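The missing guard described above can be expressed as a small, testable check. The following Rust sketch is an added example, not Texture's contract code: it reads the mint and owner fields from the standard SPL Token account layout and compares a mint-only check with one that also requires the owner to be the vault. All function names, key values and the sample buffer are constructed for illustration.

```rust
// Added illustration; not Texture's contract code. Names are hypothetical.
// Offsets follow the SPL Token account layout: mint 0..32, owner 32..64,
// amount 64..72, state byte at 108, total length 165 bytes.
const TOKEN_ACCOUNT_LEN: usize = 165;
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum DestError { BadLength, WrongMint, WrongOwner }

// Copy a 32-byte key out of the account data after validating its length.
fn field(data: &[u8], start: usize) -> Result<Pubkey, DestError> {
    if data.len() != TOKEN_ACCOUNT_LEN { return Err(DestError::BadLength); }
    let mut key = [0u8; 32];
    key.copy_from_slice(&data[start..start + 32]);
    Ok(key)
}

/// The validation as the incident describes it: only the mint is compared.
fn check_mint_only(data: &[u8], lp_mint: &Pubkey) -> Result<(), DestError> {
    if field(data, 0)? != *lp_mint { return Err(DestError::WrongMint); }
    Ok(())
}

/// Hardened validation: the mint must match AND the token account's owner
/// field must be the vault. An on-chain program would additionally confirm
/// that the account belongs to the SPL Token program before trusting these bytes.
fn check_mint_and_owner(data: &[u8], lp_mint: &Pubkey, vault: &Pubkey) -> Result<(), DestError> {
    check_mint_only(data, lp_mint)?;
    if field(data, 32)? != *vault { return Err(DestError::WrongOwner); }
    Ok(())
}

/// Build a constructed token-account buffer (sample data, not chain data).
fn sample_account(mint: &Pubkey, owner: &Pubkey) -> Vec<u8> {
    let mut d = vec![0u8; TOKEN_ACCOUNT_LEN];
    d[..32].copy_from_slice(mint);
    d[32..64].copy_from_slice(owner);
    d[108] = 1; // state = Initialized
    d
}

fn main() {
    let (lp_mint, vault, other) = ([1u8; 32], [2u8; 32], [3u8; 32]);
    let foreign = sample_account(&lp_mint, &other); // right mint, not vault-owned
    println!("mint-only:  {:?}", check_mint_only(&foreign, &lp_mint));
    println!("mint+owner: {:?}", check_mint_and_owner(&foreign, &lp_mint, &vault));
}
```

A regression test that passes a non-vault destination account to the rebalance path and expects a rejection is the kind of automated security test the remediation plan refers to.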
Texture Finance - "We have discovered a security breach of the Texture Vaults contract, user funds in the amount of USDC 2.2m have been compromised, the breach seems to be limited to the USDC vault." - Twitter/X (Jul 18)
Texture Finance - "We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%. You made an opsec mistake, but it’s not too late to avoid escalating the situation." - Twitter/X (Jul 18)
Second Attack Transaction - Solscan (Jul 18)
First Attack Transaction - Solscan (Jul 18)
Texture Finance Incident Postmortem - Twitter/X (Jul 18)
Texture Finance Homepage Archive June 1st, 2025 1:48:18 PM MDT (Jul 18)
