The Colombia-born lending protocol on Rootstock told users on April 27 they have three months to withdraw before the web interface goes dark, blaming a 2021 architecture that cannot be fixed without redeploying.
Tropykus has shut down its Bitcoin lending protocol on Rootstock and given users until July 27 to clear their positions through the web app. The Colombia-born team announced the wind-down on April 27, immediately suspending new deposits and loans. After July 27 the front end disappears; technical support for the underlying smart contracts ends on September 1, after which any remaining funds will only be reachable by users who can call the contracts directly.
The trigger was not a hack. It was a security report from Money on Chain — the protocol's strategic ally on Rootstock — which flagged vulnerabilities in the smart-contract system that Tropykus could not fix in place. The team described its 2021 architecture as inefficient against modern risks, and conceded that the "mostly immutable" nature of the code made remediation impossible without migrating to entirely new infrastructure. No funds have been lost; the engineers simply cannot guarantee they will not be.
That is the awkward part of the story. Immutability used to be the point — the feature DeFi teams advertised on landing pages as proof that nobody, not even the founders, could rug their users. Five years on, with audit standards now expecting reentrancy checks, oracle hardening and price-bound circuit breakers that did not exist when most of these contracts shipped, immutability is starting to look like an architectural liability. You cannot upgrade what you wrote in 2021 to defend against what attackers worked out in 2025; you can only abandon it.
Tropykus was one of the larger Bitcoin-native lending venues in a market that never had many. Rootstock's BTC-collateralised credit niche has always been small relative to Ethereum DeFi, and the closure removes one of the more visible front ends for users who wanted to borrow dollars against rBTC without bridging to another chain. Aave's governance community has been openly weighing a Bitcoin Layer 2 expansion for over a year, but that work is still notional; Tropykus was operational. Its replacement is not.
The withdrawal process is also messier than the press release implies. Users with open loans need to redeem collateral progressively — drawing down a fraction, swapping it to dollars to pay back the debt, then repeating until the position closes. Anyone who tries to exit a leveraged position in a single transaction will struggle with available liquidity in the protocol's pools as deposits drain. The team has published instructions, but a non-trivial share of users will still need to interact directly with the contracts after July 27, which in practice means many of them will end up paying a third party to do it for them.
There is a knock-on cost beyond individual borrowers. Escalando Bitcoin, an educational project that had parked liquidity inside Tropykus, now faces a countdown on operational funds. That is the part of the announcement that did not get a press cycle and probably should have — DeFi protocols are not just consumer products — they are infrastructure that other smaller projects sit on top of. When the infrastructure goes, the projects that depended on it do not always have a graceful exit.
There is also a wider read across to the rest of the sector. The catalogue of DeFi exploits this April alone has run past $600 million, most of it from older codebases, oracle misconfigurations and bridge logic flaws. Money on Chain's audit found problems in Tropykus before anyone exploited them — that is the rare good outcome. But it is also a tacit admission that the audit standard four years ago was not what it is today, and that the dozens of other protocols still running on five-year-old immutable contracts are sitting on the same problem.
Tropykus' closure is not a failure of business model — the lending product worked, users were active, and the team is shutting down voluntarily to prevent a future loss rather than reacting to one. What it is, instead, is a reminder that the version of DeFi that promised "set and forget" smart contracts has aged badly. The protocols that survive the next cycle will be the ones that built upgrade paths in from day one — even at the cost of admitting that someone, somewhere, has the keys.
Users have until July 27 to withdraw through the front end, and until September 1 before technical support stops entirely. After that, the contracts will keep running on Rootstock, with no team to maintain them and no interface to interact with them.
