TLDR
- An exploit on April 26, 2026 resulted in Scallop Protocol losing approximately $142,000 (150,000 SUI tokens)
- The attack focused on an obsolete V2 rewards contract originally deployed in November 2023
- A vulnerability involving an uninitialized “last_index” variable enabled the attacker to drain the entire rewards pool
- User deposits and core protocol infrastructure remained secure; normal operations restored within 120 minutes
- The exploiter proposed returning 80% of the stolen assets in exchange for a white-hat bounty
Scallop Protocol, a money market protocol operating on the Sui Network, experienced a security breach on Sunday, resulting in the theft of approximately $142,000 in SUI tokens after a malicious actor exploited a legacy rewards contract.
The security incident occurred on April 26, 2026, with Scallop making a public announcement via X at 12:50 UTC to inform users of the breach.
The malicious actor avoided the main protocol infrastructure entirely. The attack instead targeted an older auxiliary contract connected to Scallop’s sSUI spool, which manages rewards distribution for users who deposit SUI tokens.
The vulnerable contract was a V2 spool package that had been deployed in November 2023. This means it had been active for over 17 months prior to the exploitation.
On the Sui network, smart contracts become immutable once deployed. Earlier versions remain active and accessible unless developers implement version gating mechanisms to restrict access. This architectural characteristic meant the outdated contract remained a potential vulnerability.
The primary security flaw centered on an uninitialized variable labeled “last_index.” This tracking mechanism monitors accumulated rewards for participants. Since this variable wasn’t initialized during new account creation, the exploiter could join the pool and claim rewards retroactively as though they had been staking from the contract’s inception.
The malicious actor deposited approximately 136,000 sSUI tokens. Over the 20-month period, the spool index had accumulated to roughly 1.19 billion.
This gap between the account’s zero “last_index” and the current spool index allowed the attacker to assign themselves approximately 162 trillion reward points. With the rewards pool operating on a one-to-one exchange rate, the entire reserve of 150,000 SUI was extracted in a single transaction.
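To make the accounting failure concrete, here is an added Python model of index-based reward tracking (not Scallop’s Move code, and not part of the original article). The `Spool` class, its field names, the one-to-one points-to-SUI payout and the invariant check are assumptions; the stake, index and pool figures come from the article.

```python
from dataclasses import dataclass, field


@dataclass
class Spool:
    """Minimal model of a rewards spool: a global index that accumulates
    reward points per staked token, and per-account snapshots of it."""
    index: int                 # accumulated reward points per staked token since launch
    pool_balance: int          # SUI available for payout, exchanged 1:1 with points
    accounts: dict = field(default_factory=dict)  # addr -> {"stake", "last_index"}

    def join_vulnerable(self, addr: str, stake: int) -> None:
        # Bug pattern described in the article: last_index is never set for a
        # new account, so it defaults to 0 as if the account had staked since inception.
        self.accounts[addr] = {"stake": stake, "last_index": 0}

    def join_fixed(self, addr: str, stake: int) -> None:
        # Correct pattern: snapshot the current index at join time so only
        # rewards accrued after this point can ever be claimed.
        self.accounts[addr] = {"stake": stake, "last_index": self.index}

    def pending_points(self, addr: str) -> int:
        acct = self.accounts[addr]
        return acct["stake"] * (self.index - acct["last_index"])

    def claim(self, addr: str) -> int:
        # Payout is capped by what the pool actually holds; the whole pool is lost
        # as soon as pending points exceed the balance.
        paid = min(self.pending_points(addr), self.pool_balance)
        self.pool_balance -= paid
        self.accounts[addr]["last_index"] = self.index
        return paid


def accounts_with_unset_index(spool: Spool) -> list:
    """Invariant check a defender can run over account state: once the global
    index has advanced, no account should still carry last_index == 0."""
    return [a for a, acct in spool.accounts.items()
            if acct["last_index"] == 0 and spool.index > 0]


def simulate(initialize_last_index: bool) -> tuple:
    """Return (pending points, SUI paid, pool left) for a fresh 136,000-token joiner
    against an index of ~1.19 billion and a 150,000 SUI pool (article figures)."""
    spool = Spool(index=1_190_000_000, pool_balance=150_000)
    join = spool.join_fixed if initialize_last_index else spool.join_vulnerable
    join("new_account", 136_000)
    points = spool.pending_points("new_account")
    paid = spool.claim("new_account")
    return points, paid, spool.pool_balance
```

`simulate(False)` reproduces the article’s roughly 162 trillion points and an emptied pool; `simulate(True)` yields zero pending rewards for the same deposit.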
The blockchain transaction with hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL provides on-chain verification of the drainage event.
The stolen assets were rapidly transferred through a Sui-based mixing protocol similar to Tornado Cash, complicating potential recovery efforts.
Scallop Responds and Resumes Operations
Scallop’s development team acted swiftly to freeze the compromised contract within minutes of detecting the attack. The core lending and borrowing infrastructure remained operational throughout the incident. All user deposits across Scallop’s various markets remained fully protected.
The protocol announced it would absorb the complete loss from its treasury reserves. User yield rates will not be impacted by the incident.
By 14:42 UTC, Scallop had lifted restrictions on core contracts. Standard withdrawal and deposit functionality was restored, with total downtime lasting under two hours from initial detection.
The attacker subsequently reached out to the development team with a proposal to return 80% of the extracted funds in exchange for recognition as a white-hat security researcher. The team is currently examining how this vulnerability evaded detection during previous security audits conducted by OtterSec and MoveBit.
April 2026’s Growing DeFi Loss Tally
This security breach follows a comparable incident involving Volo Protocol earlier in April, which resulted in losses of approximately $3.5 million. Both incidents targeted auxiliary contracts rather than primary protocol mechanisms.
April 2026 has witnessed more than $600 million in stolen cryptocurrency across 12 significant security incidents. Total losses for the month surpassed $750 million by mid-April.
Kelp DAO and Drift Protocol represented approximately 95% of April’s aggregate losses. The Kelp security breach alone generated $177 million in bad debt on the Aave platform.
Scallop’s development team has not yet released a comprehensive post-mortem analysis. They have confirmed plans for a thorough security review of all remaining legacy contract packages.
Neither the Sui Foundation nor Mysten Labs has issued an official statement regarding this security incident.