Hacker Loopscale Offers to Return $5.8 Million for a Reward

On April 26, the DeFi protocol Loopscale, based on Solana, lost approximately $5.7 million USDC and 1200 SOL due to an attack that occurred two weeks after its launch.

Update: Loopscale has re-enabled loan repayments, top-ups, and loop closing. All other app functions (including Vault withdrawals) are still temporarily restricted while we investigate and ensure mitigation of this exploit.

The root cause of the exploit has been identified as an… https://t.co/Pk2pMx8UcK

— Loopscale (@LoopscaleLabs) April 26, 2025

The attackers exploited a vulnerability in one of the platform’s markets, according to a statement from the team. Loopscale has contacted law enforcement to track down the criminals and recover the funds.

All protocol functions were temporarily restricted during the investigation. The company noted that the issue was related to the revaluation of collateral based on RateX.

Later, the protocol restored loan repayments.

Loopscale, formerly known as Bridgesplit, offers a lending platform based on an order book, unlike pool-based protocols such as Aave or Solend.

The company was audited by OShield, which identified several critical vulnerabilities that have already been fixed, as stated in the FAQ. Another review by Sec3 is reportedly underway.

The protocol offered a reward of 3947 SOL (~$594,000) for assistance in recovering the funds. On April 28, the hackers agreed to the deal.

At 3:52PM ET today, we received a response from the exploiter. They have indicated a willingness to return the exploited funds in exchange for a bounty.

We appreciate their engagement so far and we are actively working to reach an amicable resolution.

As such, we will be… https://t.co/znCZxtoi1z

— Loopscale (@LoopscaleLabs) April 28, 2025

“We appreciate their engagement and are actively working to reach an amicable resolution. As such, we will share a plan for resuming withdrawals and a full analysis of the situation in the coming days,” stated Loopscale.

Earlier, on April 23, the perpetrator who stole ZK tokens worth approximately $5 million from the ZKsync airdrop smart contract returned the funds within the deadline set by the project team.