Extropy Security Bytes: w17 2025
This week’s security incidents highlight the persistent risks facing DeFi protocols across multiple blockchains. Exploits targeting Impermax Finance on Base and Loopscale on Solana reveal vulnerabilities related to collateral valuation and oracle manipulation, respectively. Let’s dive in.
Impermax Finance V3 Pool Exploit
, Impermax Finance experienced a security exploit targeting its V3 pools, resulting in a loss exceeding $150,000. The attack leveraged a discrepancy in the protocol’s valuation of uncollected versus auto-compounded trading fees used as collateral.
The attacker executed a sophisticated sequence of actions, possibly beginning with a flash loan: creating an imbalanced collateral position on a low-liquidity Uniswap V3 pool, manipulating the price tick, accumulating uncollected fees through numerous swaps, and then borrowing against these inflated fees. By subsequently auto-compounding the fees at the manipulated tick and then restoring the price, the attacker created an undercollateralized position. Finally, the attacker used the restructureBadDebt function to close the position, diluting lenders and extracting value. This process was potentially repeated to further drain liquidity.
The root cause of the exploit was the inconsistent valuation of uncollected fees compared to auto-compounded fees, which are subject to safetyMargin adjustments. This allowed the attacker to inflate their collateral’s perceived value.
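To make the root cause concrete, the following toy model is an added example, not Impermax's code: it assumes a single haircut divisor (SAFETY_MARGIN, a placeholder) and illustrative figures, and contrasts a valuation that credits uncollected fees at face value with one that haircuts every collateral component the same way. The check a reviewer wants is the invariant that auto-compounding, a pure bookkeeping step, must not move the collateral value.

```python
from dataclasses import dataclass, replace
from typing import Callable

@dataclass(frozen=True)
class Position:
    principal: float         # value of the LP principal at the current tick
    uncollected_fees: float  # trading fees accrued in the pool but not yet collected
    compounded_fees: float   # fees already auto-compounded into the position
    debt: float              # amount borrowed against the position

SAFETY_MARGIN = 1.5  # assumed haircut divisor (placeholder, not Impermax's parameter)
Valuation = Callable[[Position], float]

def value_inconsistent(pos: Position) -> float:
    """Vulnerable pattern: principal and compounded fees are haircut by the safety
    margin, but uncollected fees are credited at face value."""
    return (pos.principal + pos.compounded_fees) / SAFETY_MARGIN + pos.uncollected_fees

def value_consistent(pos: Position) -> float:
    """Hardened pattern: every collateral component gets the same haircut, so
    compounding cannot change what the position is worth as collateral."""
    return (pos.principal + pos.compounded_fees + pos.uncollected_fees) / SAFETY_MARGIN

def compound(pos: Position) -> Position:
    """Auto-compound: fold accrued fees into the position. Nothing economic changes."""
    return replace(pos, uncollected_fees=0.0,
                   compounded_fees=pos.compounded_fees + pos.uncollected_fees)

def open_debt(pos: Position, amount: float) -> Position:
    """Record a borrow against the position (no valuation check; see can_borrow)."""
    return replace(pos, debt=pos.debt + amount)

def can_borrow(pos: Position, amount: float, valuation: Valuation) -> bool:
    """Borrow check: total debt must stay covered by the haircut collateral value."""
    return pos.debt + amount <= valuation(pos)

def is_undercollateralized(pos: Position, valuation: Valuation) -> bool:
    return valuation(pos) < pos.debt

def compounding_is_value_neutral(pos: Position, valuation: Valuation) -> bool:
    """Invariant to check in review: a bookkeeping step never changes the valuation."""
    return abs(valuation(pos) - valuation(compound(pos))) < 1e-9

# Constructed scenario: a small principal carrying a large pile of uncollected fees,
# the shape of position the write-up describes (figures are illustrative only).
POS = Position(principal=10_000.0, uncollected_fees=90_000.0, compounded_fees=0.0, debt=0.0)

if __name__ == "__main__":
    for name, v in (("inconsistent", value_inconsistent), ("consistent", value_consistent)):
        ok = can_borrow(POS, 95_000.0, v)
        after = compound(open_debt(POS, 95_000.0) if ok else POS)
        print(f"{name}: value={v(POS):,.0f} borrow_95k_allowed={ok} "
              f"compounding_neutral={compounding_is_value_neutral(POS, v)} "
              f"bad_debt_after_compound={is_undercollateralized(after, v)}")
```

Under the inconsistent rule the same position is worth about 96,667 before compounding and about 66,667 after it, so a 95,000 loan approved at the first figure becomes bad debt with no change in price; under the consistent rule the loan is refused up front.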
The exploit transaction can be reviewed on Basescan:
Loopscale: $5.8M Exploit via Oracle Manipulation on Solana
, Loopscale, a DeFi lending protocol operating on the Solana blockchain, suffered a significant exploit leading to approximately $5.8 million in losses (specifically 5.7 million USDC and 1,200 SOL), representing about 12% of its total value locked (TVL). The attack targeted undercollateralized loans by manipulating the pricing functions (oracle manipulation) of Loopscale’s RateX PT token. This allowed the attacker to drain funds from both the USDC and SOL vaults.
Loopscale swiftly responded by halting all lending and withdrawal operations, impacting users with open loop positions in the affected vaults. While the underlying collateralization mechanism was reportedly not compromised, depositors in the affected vaults faced temporary inability to access their funds.
In a notable turn of events, Loopscale publicly offered the hackers a 10% bounty for the return of 90% of the stolen assets, guaranteeing no legal repercussions if the funds were returned by the morning of April 28th EST. The hackers accepted this proposal and Loopscale acknowledged their friendly resolution.
The exploits against Impermax Finance and Loopscale emphasise recurring attack vectors in DeFi: collateral valuation models and oracle integrations. Although prevention is always key, Loopscale's recovery of a majority of the stolen funds through negotiation demonstrates that an effective post-exploit strategy is a strong positive for the community. As DeFi ecosystems grow increasingly complex and interconnected, sound security practices become ever more important.
About Extropy
Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.
We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.
- Website:
- Email: info@extropy.io
Get in touch today — let’s build safer smart contracts together!