Loopscale, Term Finance Suffer Exploits, Losing Over $7M

The DeFi space has unfortunately seen another massive blow this weekend, after hackers exploited not one, but two protocols. Term Finance and Loopscale were both attacked between Friday and Saturday, resulting in more than $7 million in losses combined.

Among the two, Loopscale suffered the worst of it and lost approximately $5.8 million just two weeks after its official launch. Here’s what really happened and how Loopscale is responding.

How the Loopscale Hack Unfolded

On April 26, Loopscale, a rising Solana-based lending protocol, fell victim to a major security breach. An attacker exploited a flaw in Loopscale’s collateral pricing, siphoning off 5.7M USDC and 1,200 SOL. According to co-founder Mary Gooneratne, the flaw enabled the attacker to take out a series of undercollateralized loans, ultimately resulting in the significant loss.

They did this by attacking an isolated issue with how the platform priced collateral based on RateX feeds. More importantly, Loopscale clarified that RateX itself, which was a third-party pricing mechanism, wasn’t compromised. The fault happened entirely on their end, and stemmed from how they integrated and processed the data.

The exploit struck Loopscale’s main USDC and SOL lending vaults, impacting about 12% of the protocol’s Total Value Locked. Loopscale’s total value locked stood near $40M during the attack.

Immediate Actions Taken by Loopscale

Shortly after the exploit, Loopscale swiftly paused all lending markets to limit further losses and evaluate the breach. By the evening of April 26, the team had restored key features, including loan repayments, collateral top-ups, and loop closures.

However, withdrawals from vaults and other aspects of the app remain disabled for now. Loopscale’s team moved quickly to investigate the breach and is encouraging the safe return of the stolen funds by offering a 10% bounty to the attacker under a whitehat agreement.

The hacker is offered 10% of the stolen assets — about 3,947 SOL — as a reward if they return the remaining 90% by April 28.

Loopscale’s Lending Model

Loopscale entered the DeFi space publicly on 10 April, after a six-month closed beta. The protocol aimed to improve capital efficiency within the defi space, by directly matching lenders and borrowers instead of pooling liquidit (compared to platforms like Aave). The protocol specializes in niche markets like structured credit, receivables financing and undercollateralized lending, all of which are typically underserved in traditional DeFi.

Loopscale’s order-book model allows lenders, as well as borrowers, to negotiate terms with one another, more directly. This offers either party higher yields and even customizable lending arrangements. At the time of the hack, Loopscale’s main USDC and SOL vaults were offering APRs of more than 5% and 10%, respectively.

The platform also supported looping strategies for around 40 different token pairs like JitoSOL and BONK. This model helped the platform to attract over 7,000 lenders in just two weeks, until the exploit derailed its efforts. According to PeckShield in a recent report, hackers stole more than $1.6 billion in the first quarter of this year alone, with $1.5 billion of this coming from ByBit. As of now, Loopscale is still working on stabilizing its platform and as it works to rebuild, the entire DeFi community will be watching.