Loopscale Faces $5.8 Million Loss from Oracle Manipulation… Discover How

2025-05-05 13:55
Blockmedia

Solana-Based Loopscale Lending Protocol Faces $5.8 Million Hack Merely 16 Days Post-Launch

Solana (SOL)-based DeFi lending platform Loopscale suffered a $5.8 million hack just 16 days into its operation, according to DeFi research platform Rekt. The April 26 breach exploited a single oracle price feed vulnerability, resulting in the loss of approximately 12% of the Genesis Vault's assets.

Despite undergoing an audit before launch, Rekt's analysis indicates that Loopscale failed to address critical price oracle verification issues. The attacker leveraged these flaws to take out undercollateralized loans, then moved the assets to Ethereum via a bridge.

Loopscale promptly paused operations and confirmed that the breach targeted oracle vulnerabilities within its SOL and USDC vaults. At the time of the hack, the vault contained assets worth $40 million.

Security Oversights Overshadow Marketing Efforts – A Predicted Exploit

Rekt described how the hacker reverse-engineered Loopscale’s binary code to replicate essential functions, deploying malicious price feeds in the attack. This rendered the protocol's security mechanisms ineffective.
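As an added illustration (not Loopscale's or RateX's code, and not taken from Rekt's report), the Rust sketch below shows the kind of oracle verification a lending program can run before valuing collateral: accept prices only from feeds fixed in protocol configuration, reject stale readings, and require two independent sources that agree. All type names, feed ids and thresholds are assumptions.

```rust
use std::collections::HashSet;

// All names below are hypothetical; this is not Loopscale's or RateX's code.
#[derive(Clone, Copy)]
pub struct Reading {
    pub feed_id: u64,      // identity of the account the price was read from
    pub price_micro: u64,  // USD price of one collateral unit, in millionths
    pub published_at: u64, // unix seconds
}

#[derive(Debug, PartialEq)]
pub enum OracleError { UnknownFeed, Stale, TooFewSources, Diverged }

pub struct Policy {
    pub allowed_feeds: HashSet<u64>, // fixed in protocol config, never taken from the caller
    pub max_age_secs: u64,
    pub max_spread_bps: u64, // allowed gap between lowest and highest source
    pub ltv_bps: u64,        // loan-to-value limit
}

/// Returns the lowest (most conservative) price if every reading passes validation.
pub fn validated_price(p: &Policy, readings: &[Reading], now: u64) -> Result<u64, OracleError> {
    let mut seen = HashSet::new();
    for r in readings {
        if !p.allowed_feeds.contains(&r.feed_id) { return Err(OracleError::UnknownFeed); }
        if now.saturating_sub(r.published_at) > p.max_age_secs { return Err(OracleError::Stale); }
        seen.insert(r.feed_id);
    }
    if seen.len() < 2 { return Err(OracleError::TooFewSources); } // no single-feed pricing
    let lo = readings.iter().map(|r| r.price_micro).min().unwrap();
    let hi = readings.iter().map(|r| r.price_micro).max().unwrap();
    let spread_ok = (hi - lo) as u128 * 10_000 <= lo as u128 * p.max_spread_bps as u128;
    if spread_ok { Ok(lo) } else { Err(OracleError::Diverged) }
}

/// Largest loan (micro-USD) allowed against `collateral_units`.
pub fn max_borrow(p: &Policy, r: &[Reading], now: u64, collateral_units: u64) -> Result<u64, OracleError> {
    let price = validated_price(p, r, now)?;
    Ok((price as u128 * collateral_units as u128 * p.ltv_bps as u128 / 10_000) as u64)
}

fn main() {
    // Constructed sample: feed 99 stands in for a feed the protocol never configured.
    let p = Policy { allowed_feeds: HashSet::from([1, 2]), max_age_secs: 60, max_spread_bps: 100, ltv_bps: 7_500 };
    let r = [Reading { feed_id: 1, price_micro: 1_000_000, published_at: 990 },
             Reading { feed_id: 99, price_micro: 50_000_000, published_at: 990 }];
    println!("{:?}", max_borrow(&p, &r, 1_000, 100));
}
```

With the constructed input in `main`, the inflated reading from the unconfigured feed is rejected before any loan amount is computed.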

Oracle manipulation is a common attack vector in DeFi hacks. Loopscale’s failure to detect and mitigate this risk has led to significant criticism. Rekt commented, "The audit highlighted these issues, yet Loopscale claimed they were resolved, only to fall prey to the same exploit."

Further criticism came from Sean Hu, who provided Loopscale’s RateX oracle service, stating that the problem originated from Loopscale’s flawed implementation, thereby distancing himself from responsibility.

Negotiations with Hacker Partially Recover Assets, Yet Reputation Takes a Hit

Rekt reported that Loopscale entered negotiations with the hacker, referring to it as a "white hat settlement." Initially, Loopscale offered a 10% reward in exchange for the return of 90% of the stolen funds. However, the hacker insisted on a 20% reward and partially returned the assets, eventually sending back the rest in installments.

By April 29, all stolen funds were recovered. Loopscale announced, “All user funds have been fully recovered without any loss.” Nevertheless, Rekt highlighted that it remains unclear whether Loopscale met the hacker’s reward demands.

Loopscale's response has faced backlash from the community. A user criticized the protocol for launching with vault limits in the tens of millions without comprehensive audits.

Oracle Exploits: DeFi’s Persisting Vulnerability

Rekt identified oracle manipulation as one of the oldest and most common attack vectors in DeFi, stressing that protocols managing millions in assets without robust security measures are doomed to similar breaches.

The Loopscale hack stands as a stark reminder that external audits alone do not equate to effective security. The incident has severely compromised the protocol's credibility in safeguarding user assets.

"Loopscale’s ability to regain user trust hinges on their approach to rectifying these vulnerabilities moving forward," Rekt concluded.

View original content to download multimedia: https://www.blockmedia.co.kr/archives/900834