Scallop, a lending protocol on the Sui network, pledged to fully reimburse users after an exploit drained 150,000 SUI tokens worth approximately $142,000 from a deprecated rewards contract on April 26.
"Scallop will fully cover 100% of the loss," the money market said in a statement on X, adding that core operations resumed in under two hours.
The vulnerability was traced to a 17-month-old V2 spool package, published in November 2023, which contained an uninitialized last_index counter. By staking roughly 136,000 sSUI, the attacker was able to manipulate the contract to claim rewards as if the position had existed since August 2023, draining the entire rewards pool. Core lending and borrowing pools were not affected.
The exploit underscores a persistent vulnerability in the DeFi sector, where immutable, outdated smart contracts can become forgotten attack surfaces. This incident follows a similar $3.5 million exploit at Volo Protocol on Sui and contributes to a month where DeFi hacks have already surpassed $600 million, raising questions about the auditing and lifecycle management of blockchain code across the industry.
Legacy Code Strikes Again
The attack, captured in transaction hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL, did not compromise Scallop’s main lending infrastructure or user deposits. The team froze the affected contract at 12:50 UTC and had restored all services by 14:42 UTC.
Independent analysis revealed the bug centered on the deprecated contract treating the attacker's new stake as if it had been earning rewards for 20 months. This allowed the exploiter to claim a disproportionate amount of rewards, redeeming them for the 150,000 SUI held in the pool. The incident has drawn attention to the risks of leaving old, unused but still callable contracts active on-chain, a particular challenge for immutable blockchains like Sui.
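The mechanism the article describes, a rewards position whose accrual checkpoint starts at zero instead of at the pool's current index, is a well-known failure mode of index-based reward accounting. The following Python model is an added illustration and is not Scallop's contract or any Sui Move code; the pool layout, the fixed-point scale, the function names and every number in the timeline are constructed for the demonstration. It places the defective staking path next to the corrected one and adds a solvency invariant a monitoring job could evaluate against on-chain state, which flags the bug before a claim drains the pool.

```python
from dataclasses import dataclass

# Fixed-point scale for the cumulative reward index (constructed value).
SCALE = 10**18


@dataclass
class Pool:
    """Reward pool using the cumulative-index pattern: each distribution
    raises `index` by rewards-per-staked-unit, and a position earns
    stake * (index_now - index_at_checkpoint)."""
    total_staked: int = 0
    index: int = 0          # cumulative rewards per staked unit, scaled
    rewards_left: int = 0   # rewards actually held by the pool

    def distribute(self, amount: int) -> None:
        if self.total_staked > 0:
            self.index += amount * SCALE // self.total_staked
        self.rewards_left += amount


@dataclass
class Position:
    stake: int
    last_index: int  # pool index at which this position last settled


def stake_vulnerable(pool: Pool, amount: int) -> Position:
    """Defective version: the checkpoint is left at its default of zero,
    so the position looks as if it had been staked since the pool's genesis."""
    pool.total_staked += amount
    return Position(stake=amount, last_index=0)


def stake_fixed(pool: Pool, amount: int) -> Position:
    """Hardened version: the checkpoint is set to the current pool index,
    so the position earns only rewards distributed after it was opened."""
    pool.total_staked += amount
    return Position(stake=amount, last_index=pool.index)


def claimable(pool: Pool, pos: Position) -> int:
    return pos.stake * (pool.index - pos.last_index) // SCALE


def claim(pool: Pool, pos: Position) -> int:
    owed = min(claimable(pool, pos), pool.rewards_left)  # pool cannot pay what it lacks
    pool.rewards_left -= owed
    pos.last_index = pool.index
    return owed


def pool_is_solvent(pool: Pool, positions: list) -> bool:
    """Monitoring invariant: outstanding claims must never exceed the rewards
    the pool holds. A False result exposes a checkpoint bug before any claim."""
    return sum(claimable(pool, p) for p in positions) <= pool.rewards_left


def scenario(stake_fn) -> tuple:
    """Constructed timeline: one early staker accrues history, then a newcomer
    stakes and claims first. Returns (solvent_before_claims, newcomer_payout,
    early_staker_payout)."""
    pool = Pool()
    early = stake_fn(pool, 1_000)   # index is 0 here, so a zero checkpoint is harmless
    pool.distribute(500)            # history: 500 rewards spread over 1,000 staked
    late = stake_fn(pool, 1_000)    # newcomer arrives after all that history
    solvent = pool_is_solvent(pool, [early, late])
    return solvent, claim(pool, late), claim(pool, early)


if __name__ == "__main__":
    print("uninitialized checkpoint:", scenario(stake_vulnerable))
    print("checkpoint set at stake time:", scenario(stake_fixed))
```

With the defective path the newcomer's position is credited for the whole distribution history, the solvency check fails, and the first claim empties the pool so the legitimate early staker receives nothing; with the checkpoint set at stake time the newcomer is owed nothing and the early staker collects the full 500. The same invariant, computed over all open positions against the pool's actual balance, is the kind of check worth running periodically on any deprecated but still callable rewards contract.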
A Sector-Wide Problem
The Scallop incident is the latest in a series of exploits on the Sui network, including the recent $3.5 million loss at Volo Protocol, which also involved a peripheral contract. April 2026 has been a brutal month for DeFi security, with total losses from hacks exceeding $606 million across 13 incidents. This puts April on track to be one of the worst months for DeFi security, recalling major incidents like the $292 million Kelp DAO depeg event on Aave.
Following the exploit, the attacker reportedly contacted the Scallop team, proposing to return 80% of the stolen funds in exchange for a white-hat bounty. The team is also reviewing how the vulnerability was missed despite previous security audits by firms including OtterSec and MoveBit. Neither the Sui Foundation nor Mysten Labs has issued a public statement on the matter.
This article is for informational purposes only and does not constitute investment advice.