Explained: The Loopscale Hack (April 2025)

POSTED BY: Rob Behnke

04.30.2025

Loopscale, a Solana-based DeFi protocol, was the victim of a $5.8 million hack in April 2025. The attacker exploited an issue with how the protocol priced RateX PT tokens to drain value from the protocol.

Inside the Attack

The Loopscale hack took advantage of a price oracle issue within the project’s smart contracts. The protocol incorrectly assessed the value of RateX PT tokens, creating an opportunity for an attacker to drain value from the project by exploiting the mismatch between the perceived and actual price of the tokens.

The attacker did so by taking out undercollateralized loans, allowing them to withdraw more from the protocol than they put up as collateral. As a result, they were able to drain approximately 5.7 million USDC and 1200 SOL from the project’s USDC and SOL Genesis Vaults, worth an estimated $5.8 million. In total, this represented about 12% of the value deposited within the protocol, which was only launched a couple of weeks earlier.
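The mechanism described above, sketched as an added example that is not Loopscale's code and does not reflect its actual fix: a loan check that trusts a single collateral price, beside a hardened form that rejects the loan when an independent reference price disagrees. The struct, function names, 80% loan-to-value limit, 2% deviation bound, and the prices are all hypothetical.

```rust
// Added illustration: hypothetical names and thresholds, not Loopscale's code.
#[derive(Debug, PartialEq)]
pub enum BorrowError {
    BadReference,
    PriceDeviation,
    Undercollateralized,
}

/// Prices in micro-USD per token; both fields are assumptions for this sketch.
pub struct CollateralPrice {
    pub primary: u64,   // price produced by the protocol's own pricing path
    pub reference: u64, // independent second source used only as a sanity bound
}
pub const MAX_LTV_BPS: u128 = 8_000; // lend at most 80% of collateral value
pub const MAX_DEVIATION_BPS: u128 = 200; // tolerate 2% disagreement between sources

fn max_borrow(amount: u64, price: u64) -> u128 {
    (amount as u128 * price as u128).saturating_mul(MAX_LTV_BPS) / 10_000
}

/// Weak form: trusts a single price, so an inflated price inflates borrowing power.
pub fn check_borrow_naive(amount: u64, p: &CollateralPrice, borrow: u128) -> Result<(), BorrowError> {
    if borrow > max_borrow(amount, p.primary) {
        return Err(BorrowError::Undercollateralized);
    }
    Ok(())
}

/// Hardened form: reject when sources disagree, then value at the lower price.
pub fn check_borrow_guarded(amount: u64, p: &CollateralPrice, borrow: u128) -> Result<(), BorrowError> {
    if p.reference == 0 {
        return Err(BorrowError::BadReference);
    }
    let diff = p.primary.abs_diff(p.reference) as u128;
    if diff * 10_000 / p.reference as u128 > MAX_DEVIATION_BPS {
        return Err(BorrowError::PriceDeviation);
    }
    if borrow > max_borrow(amount, p.primary.min(p.reference)) {
        return Err(BorrowError::Undercollateralized);
    }
    Ok(())
}

fn main() {
    // Constructed scenario: 1,000 tokens really worth $1 each, priced at $5.
    let bad = CollateralPrice { primary: 5_000_000, reference: 1_000_000 };
    println!("naive:   {:?}", check_borrow_naive(1_000, &bad, 3_000_000_000));
    println!("guarded: {:?}", check_borrow_guarded(1_000, &bad, 3_000_000_000));
}
```

In the constructed scenario the single-price check approves a $3,000 loan against collateral actually worth $1,000, while the guarded check refuses it before the loan-to-value test is even reached.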

After detecting the exploit, the project temporarily halted lending markets and withdrawals as it investigated and addressed the underlying issue. Additionally, the team sent on-chain messages to the exploiter offering a 10% bug bounty in exchange for immunity from prosecution. The attacker later accepted the offer and returned the stolen funds to the protocol, resulting in no losses to Loopscale users.

Lessons Learned from the Attack

The Loopscale hack differs from many of the major DeFi hacks of early 2025 in that it exploited smart contract flaws rather than off-chain vulnerabilities like compromised private keys. In this case, the attacker identified an error in the protocol’s business logic and exploited the resulting arbitrage opportunity.

This incident was also notable for being an example of a successful negotiation with an attacker for a white hat bounty payment. While many protocols offer these deals in the wake of a hack — with offers ranging from 10-20% of the total amount stolen — many of these offers are unsuccessful. One potential reason for this is that many of the biggest DeFi hacks are performed by professional cybercrime groups, like the Lazarus Group, that are unconcerned about potential legal action.

This incident, which exploited a logical error in the protocol’s smart contracts, underscores the importance of comprehensive business logic validation as part of a smart contract security audit. For help with ensuring that your project’s smart contracts operate correctly and securely, reach out to Halborn.

© Halborn 2025. All rights reserved.