DeFi Heist: Loopscale and Term Finance Lose $7M in Smart Contract Exploit
Another day, another ’trustless’ system proving anything but. Hackers drained $7 million from Loopscale and Term Finance this week—because apparently, code isn’t law when someone finds the loopholes.
The attack vector? Classic reentrancy bug, because 2016 called and wants its vulnerabilities back. Both protocols paused operations post-heist—too little, too late for liquidity providers now staring at empty wallets.
Meanwhile in TradFi land, bankers are ’accidentally’ transferring millions to wrong accounts and getting it refunded by courts. At least their theft comes with customer service.
Loopscale Loses $5.8 Million in Major Exploit
On April 26, Solana-based Loopscale reported a significant security breach impacting its USDC and SOL vaults.
The exploit drained around $5.8 million, representing roughly 12% of the platform’s total value. Notably, this attack came just two weeks after Loopscale’s official launch.
Loopscale’s co-founder, Mary Gooneratne, confirmed that an attacker exploited the system by securing under-collateralized loans.
Investigations revealed that the root cause stemmed from an isolated issue in the platform’s RateX-based collateral pricing system.
However, Loopscale clarified that RateX itself was not compromised.
“The root cause of the exploit has been identified as an isolated issue with Loopscale’s pricing of RateX-based collateral. There is no issue with RateX itself related to this. Loss of funds explicitly affects depositors to SOL and USDC Genesis vaults,” Loopscale stated.
Following the breach, Loopscale temporarily halted all markets to assess the damage.
The platform has since resumed partial operations, enabling key functions like loan repayments, top-ups, and loop closures, while vault withdrawals remain restricted.
To recover the stolen funds, Loopscale offered a 10% bounty to the attacker and proposed a whitehat agreement.
The platform requested the return of 90% of the stolen assets and warned of legal action if the attacker did not respond by April 28.
“We agree to allow you to retain a bounty of 10% of the funds (3,947 SOL) and release you from any and all liability regarding the attack,” Loopscale added.
Loopscale is currently working with security firms and law enforcement agencies to manage the situation.
Term Finance Suffers $1.5 Million Liquidation Loss
Meanwhile, Ethereum-based Term Finance, a pioneer in scalable fixed-rate lending, also reported a security incident on April 26.
Blockchain security firm TenArmorAlert identified two suspicious transactions linked to Term Labs, resulting in losses of about $1.5 million.
“It appears that something is wrong with the liquidation. Someone spent a very small amount of ETH to liquidate over 586 Treehouse collateral,” TenArmorAlert stated.
Term Finance later confirmed that a faulty update to its tETH oracle caused the problem. Fortunately, no smart contracts were exploited, and the issue was contained within the tETH markets.
The platform assured users that all other funds remain secure and has committed to a full reimbursement plan for those affected.
These attacks contribute to a worrying trend in 2025, with crypto projects losing close to $2 billion this year.
High-profile incidents like Bybit’s $1.46 billion hack in February have shaken confidence across the industry.
Tim Haldorsson, founder of Lunar Strategy, questioned whether DeFi returns justify the ongoing exploit risks.
He suggested that DeFi yields might lag behind traditional investments like bonds once adjusted for hack-related losses.
“How SAFE is actually all this defi? We are chasing yield, but hack-adjusted is it actually better than just holding bonds,” Haldorsson questioned.
