Texture Finance Vault Rebalance Missing Ownership Check Theft
Texture 2.0, a modular lending platform on Solana, suffered a $2.2 million exploit due to a missing ownership check in its Vault contract’s rebalance function. The attacker redirected LP tokens to their own account and redeemed them for USDC from SuperLendy. In response, the team swiftly activated "safe mode," halted withdrawals, and began a full investigation, leading to a patched contract and plans for a new audit. The exploiter returned 90% of the funds after being offered a bounty, but affected users still await a finalized withdrawal plan as Texture Finance works to restore operations and strengthen internal security protocols.[1][2][3][4][5][6]
About Texture Finance
Texture 2.0 is a next-generation modular lending platform built on Solana, aimed at democratizing access to capital and yield for digital asset holders and asset managers. Its core mission is to deliver a secure, transparent, and scalable decentralized lending infrastructure that promotes equal financial opportunity. With features like P2P loans and a user-friendly launch app, Texture 2.0 invites users to participate in a streamlined and inclusive lending ecosystem.
The platform focuses on unlocking leverage and liquidity across a wide range of asset types while reducing the risk of cascading liquidations and market fragmentation. Key borrower features include higher loan-to-value (LTV) ratios, soft liquidations to minimize penalties, and one-click leveraged strategies with automated management. Developers can also benefit from robust APIs for integration, enabling broader adoption and aggregation across DeFi platforms.
Texture 2.0 empowers users through smart vaults—single-asset investment pools managed by professional asset curators to optimize capital allocation and generate passive income. Asset managers can build and manage custom vaults, rebalance portfolios, and dynamically respond to market changes, all while earning performance fees. The platform is backed by industry-grade security, with recent audits from top firms like Certora and Kudelski, ensuring user funds are safeguarded by rigorous standards.
The Reality
Unfortunately, the smart contract was missing a critical permission check, and this was missed during the internal review and subsequent audit prior to the protocol launching.
What Happened
Texture 2.0 was exploited for $2.2 million due to a missing ownership check in its Vault contract, allowing an attacker to redirect LP tokens and drain funds.
| Date | Event | Description |
|---|---|---|
| July 9th, 2025 2:49:20 AM MDT | Original Attack Transaction 1 | The first of the attack transactions on the Solana blockchain. |
| July 9th, 2025 6:32:33 AM MDT | Original Attack Transaction 2 | The second and final attack transaction on the Solana blockchain. |
| July 9th, 2025 9:40:00 AM MDT | Texture Finance Posting Tweet | Texture Finance shares a tweet. The loss total of 2.2M is announced. |
| July 9th, 2025 12:45:00 PM MDT | Texture Finance Offers Bounty | Texture Finance issues a public message directed at the attacker. They are offering a 10% whitehat bounty of the stolen funds, which the exploiter can keep if they return the remaining 90%. The team warns the attacker that an operational security (opsec) mistake has been made, but there is still time to resolve the situation without further consequences. The deadline for this offer is 11 July at 18:00 UTC. If the exploiter does not respond by then, or attempts to move the stolen assets, Texture Finance will treat them as a malicious blackhat actor. In that case, they intend to forward all collected identifying information to law enforcement agencies in the exploiter’s country. |
Technical Details
Each Vault in Texture’s system acts as a liquidity allocator across multiple SuperLendy pools by withdrawing and depositing USDC, in exchange for LP tokens. These tokens are supposed to be stored securely in Vault-owned SPL Token accounts. However, the contract failed to check ownership of the destination token account during rebalancing. The only validation was that the account’s token mint matched the expected LP token.
The attacker exploited this by providing their own SPL Token account—one they fully controlled—during a rebalance. Since the contract didn’t confirm ownership, it sent LP tokens to the attacker’s account. Once in possession of these LP tokens, the attacker simply redeemed them for underlying USDC liquidity directly from SuperLendy, successfully draining approximately $2.2 million from the USDC Vault.
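The mint-only validation described above, and the ownership check it was missing, as an added plain-Rust model (not Texture Finance's Vault program or Anchor's code; the `Pubkey`, `TokenAccount` and `Vault` types are simplified stand-ins for the SPL token account fields, and the keys and amounts are constructed):

```rust
// Added illustrative model, not Texture Finance's or Anchor's code: a minimal
// stand-in for SPL token accounts showing the check the rebalance was missing.
#[derive(Clone, Debug, PartialEq)]
pub struct Pubkey([u8; 32]);

impl Pubkey {
    // Constructed key: all bytes equal to `seed` (enough to tell accounts apart).
    pub fn new(seed: u8) -> Self { Pubkey([seed; 32]) }
}

#[derive(Clone, Debug)]
pub struct TokenAccount {
    pub mint: Pubkey,  // token type held (the only field the buggy code validated)
    pub owner: Pubkey, // SPL "owner": who can transfer or burn the balance
    pub amount: u64,
}

#[derive(Debug, PartialEq)]
pub enum RebalanceError { WrongMint, WrongOwner }
pub struct Vault {
    pub authority: Pubkey, // the Vault signer that must own every LP token account
    pub lp_mint: Pubkey,   // LP token mint expected from the SuperLendy pool
}

/// Vulnerable shape, as described on the page: only the mint is checked, so any
/// account holding the LP mint, including an outsider's, is an acceptable destination.
pub fn rebalance_vulnerable(v: &Vault, dest: &mut TokenAccount, lp: u64) -> Result<(), RebalanceError> {
    if dest.mint != v.lp_mint { return Err(RebalanceError::WrongMint); }
    dest.amount += lp;
    Ok(())
}

/// Hardened shape: the destination must also be owned by the Vault authority.
/// (In an Anchor program this is the `token::authority = vault_authority` constraint.)
pub fn rebalance_checked(v: &Vault, dest: &mut TokenAccount, lp: u64) -> Result<(), RebalanceError> {
    if dest.mint != v.lp_mint { return Err(RebalanceError::WrongMint); }
    if dest.owner != v.authority { return Err(RebalanceError::WrongOwner); }
    dest.amount += lp;
    Ok(())
}

/// Constructed scenario: the caller supplies an account with the right mint but
/// owned by a third party. Returns how many LP tokens that account ends up holding.
pub fn lp_received_by_outsider(with_owner_check: bool) -> u64 {
    let vault = Vault { authority: Pubkey::new(1), lp_mint: Pubkey::new(2) };
    let mut outsider = TokenAccount { mint: Pubkey::new(2), owner: Pubkey::new(9), amount: 0 };
    let _ = if with_owner_check { rebalance_checked(&vault, &mut outsider, 1_000) }
            else { rebalance_vulnerable(&vault, &mut outsider, 1_000) };
    outsider.amount
}
```

A unit test of exactly this shape (a destination with the correct mint but a foreign owner must be rejected) is the kind of automated check the "General Prevention Policies" section below says would have caught the bug.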
Total Amount Lost
Losses are widely reported as $2.2m.
The total amount lost has been estimated at $2,200,000 USD.
Immediate Reactions
Texture Finance’s reaction to the exploit was swift and methodical. Upon detecting the attack, the team immediately activated "safe mode" for all SuperLendy reserves, halting any outflows of liquidity to contain further damage. They promptly informed their partners, security advisors, and auditors, and set up a dedicated war room to coordinate their response in real time.
To protect users, Texture Finance temporarily removed the "Earn" page from their website, preventing any new deposits into the affected Vaults. Simultaneously, a thorough technical investigation was launched, leading to the development of a fix for the vulnerable Vault contract.
Ultimate Outcome
The patched contract underwent an independent review by their auditing partner, Certora, and the team successfully reproduced the exploit to verify that the vulnerability had been eliminated. These steps reflect a proactive and transparent approach aimed at restoring platform security and user trust.
The team plans to deploy the fixed Vault contract and restore all SuperLendy reserves to normal operation, which will re-enable both withdrawals and borrowing for users. To ensure the updated contract is secure and functioning correctly, they will conduct a new audit.
Additionally, Texture Finance is implementing stronger internal security measures for smart contract development. This includes more rigorous code reviews and the introduction of automated tests focused specifically on identifying and preventing security vulnerabilities.
A bounty of $220,000 USD was paid for the discovery.
Total Amount Recovered
The hacker returned $1.98m, retaining $220k as a bounty for their cooperation.
The total amount recovered has been estimated at $1,980,000 USD.
Ongoing Developments
Several aspects of the Texture Finance exploit situation remain ongoing, with the team still working to restore normal operations and address the aftermath. While the attacker returned 90% of the stolen funds after being offered a whitehat bounty, affected users—specifically USDC Vault depositors—have not yet regained access to their funds. The team has stated that a step-by-step plan for reopening withdrawals is being finalized, but this plan has not yet been released or implemented.
In addition to handling user withdrawals, Texture Finance is preparing to deploy a patched version of the exploited Vault contract. Before reactivating core protocol functions like borrowing and withdrawals, this updated contract must undergo a fresh security audit to ensure its correctness and resilience. Until then, all SuperLendy reserves remain in "safe mode," meaning liquidity remains locked within the protocol to prevent further risk.
The team is also in the process of overhauling their internal security practices. This includes implementing stricter smart contract development workflows, more rigorous peer reviews, and automated testing procedures that specifically target known vulnerability classes. These enhancements are not yet completed but are part of a broader initiative to prevent similar oversights in the future.
General Prevention Policies
This vulnerability was caused by a basic but critical oversight—failing to enforce that only the Vault could receive LP tokens. It underscores a common security pitfall in smart contract development: overlooking simple ownership checks in favor of focusing on complex vulnerabilities. The attacker did not exploit some obscure logic flaw, but rather took advantage of a missing guard on a core operation, something that could have been caught with standard security reviews or automated testing frameworks.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Texture Finance - "We have discovered a security breach of the Texture Vaults contract, user funds in the amount of USDC 2.2m have been compromised, the breach seems to be limited to the USDC vault." - Twitter/X (Accessed Jul 18, 2025)
2. Texture Finance - "We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%. You made an opsec mistake, but it’s not too late to avoid escalating the situation." - Twitter/X (Accessed Jul 18, 2025)
3. Second Attack Transaction - Solscan (Accessed Jul 18, 2025)
4. First Attack Transaction - Solscan (Accessed Jul 18, 2025)
5. Texture Finance Incident Postmortem - Twitter/X (Accessed Jul 18, 2025)
6. Texture Finance Homepage Archive, June 1st, 2025 1:48:18 PM MDT (Accessed Jul 18, 2025)