How a Price Manipulation Attack Cost Loopscale $5.8 Million?
Loopscale is a lending and borrowing protocol on the Solana blockchain, which went mainnet on April 10, 2025, and recently lost $5.8M to a Price Manipulation Attack.
On April 26, 2025, at 15:28 UTC, the initial attack occurred, followed by subsequent attacks to drain the protocol lending vault. The loss comprised around 12% of the protocol’s TVL. The analysis covers the hack details, how it happened, the attack flow, and the funds lost.
Hack Analysis and Its Impact
Loopscale is an orderbook-based lending protocol that also offers leveraged lending positions to users called “Loop”. Loopscale supports a wide range of assets, including staked tokens, LP positions, and more.
The root cause of the attack was tied to the protocol’s pricing mechanism. Initially, the attacker deployed the program (BdADVdaAdDbFo85EP2ynEanQQMDDJgPyTZmAKtaHKRbK) to manipulate how Loopscale vault system prices the Rate X PT tokens.
Using the mispriced tokens, the attacker then borrowed a series of loans that were backed by poor collateral (undercollateralized loans). Though it is important to note that the issue was with how Loopscale priced the RateX PT tokens and not the RateX itself.
Fund Flow Post Attack
Attacker Wallets
4QsqugQcrCuSVzU9WjeLDoR6HaaSZtMEZr5JCyxwHgCV (Loopscale Exploiter 1)
C1QyPYoWQiueqhtLeaG5Nhkv1LJ8oweBNCbfGJ3LprYT (Loopscale Exploiter 2)
0xc9d30E520Af584d0867FfC71DE162f1C09987Fe8 (EVM Wallet of Attacker)
Relevant Transactions/Signatures
3LcknBmavGUAMJvNMAc5xwsLqFaKs3vfguWsoTNYzpBv76B4ChiagitSHogpdMwWZpuKDV3a62uT4wXn2SvLZvGP
55dmSjy4Whjfqbfp8LwRduzTwz1fDeLu6aj8STqDXeiezZneNJwr2XiX3Qy7yWb2G2DL3d991ACD6sejNkQ7eH5Q
Initially, the USDC stolen was swapped with SOL and transferred to another wallet of the hacker.
Once the funds were swapped in SOL, the funds were bridged through Wormhole which were frozen later.
Curious about how projects can recover from such devastating attacks?
Don’t miss the full breakdown, including recovery insights and expert recommendations.
DeFi protocols are getting fairly complex. In the case of Loopscale, they have implemented leveraged lending products for the users to amp up the yields. With the increasing complexity, it is important to keep the security ahead and get robust audits done.
At QuillAudits, we make sure your smart contracts are fit to hit the mainnet with our 7 years of expertise & 1400+ audits. We also provide the auditing service for Solana-based Smart Contracts.
