Scallop Protocol confirmed a $142,000 exploit on the Sui network after an attacker targeted a legacy rewards contract.
The breach occurred on April 26, 2026, and did not impact core lending operations.
The incident exposed risks tied to outdated smart contract versions that remain active on-chain. It also adds to a growing wave of DeFi security breaches recorded in April.
Scallop Protocol legacy contract flaw enables exploit on Sui
Scallop stated via X that the attacker exploited a legacy V2 spool contract tied to its sSUI rewards system. The team clarified that the vulnerable contract was deployed in November 2023.
Because published Move packages on Sui are immutable, an upgrade publishes a new package version while the superseded one stays on-chain and callable unless the protocol explicitly gates it (for example by having its shared objects reject calls from outdated package versions). The old V2 spool was never gated in this way, so it remained live and exploitable.
Developers identified an uninitialized variable, “last_index,” as the root cause. In this reward-index design, last_index is an account's snapshot of the pool's accumulated reward index, taken when the account is created or last settled; a claim pays out the account's stake multiplied by how far the pool index has grown since that snapshot.
Because last_index was left at zero at account creation instead of being set to the current pool index, a newly created account looked as though it had been staked since the pool launched. The attacker simply joined the pool and claimed rewards as if they had participated from the start.
On-chain data showed the attacker staked about 136,000 SUI tokens, while the spool's reward index had grown to roughly 1.19 billion over 20 months.
With last_index at zero, the claim computed 136,000 × 1.19 billion, crediting the attacker about 162 trillion reward points. At the pool's one-to-one reward ratio, the attacker withdrew 150,000 tokens in a single transaction.
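To make the accounting concrete, the following is an added Python model of the reward-index pattern described above. It is not Scallop's Move code: the `Spool` and `Account` classes, the `simulate` helper and the `init_last_index` switch are constructed for illustration, and the figures fed to it (a pool index of 1.19 billion and a 136,000-token stake) are the ones reported in this article. The switch reproduces the legacy behaviour (a new account's last_index left at zero) beside the corrected one (snapshotting the current index when the account joins).

```python
# Constructed model (not Scallop's Move code) of the reward-index accounting
# described in the article: each account snapshots the pool's reward index in
# last_index, and a claim pays stake * (index - last_index).
from dataclasses import dataclass, field


@dataclass
class Account:
    stake: int = 0
    points: int = 0
    # The modelled bug: a fresh account's last_index stays at 0 unless the
    # spool sets it to the current index at creation time.
    last_index: int = 0


@dataclass
class Spool:
    index: int = 0                      # pool-wide accumulated reward index
    accounts: dict = field(default_factory=dict)
    init_last_index: bool = True        # False reproduces the legacy behaviour

    def accrue(self, delta: int) -> None:
        """Advance the pool-wide reward index (rewards streaming into the pool)."""
        self.index += delta

    def join(self, who: str) -> Account:
        acct = Account()
        if self.init_last_index:
            acct.last_index = self.index   # correct: start counting from now
        self.accounts[who] = acct
        return acct

    def _settle(self, acct: Account) -> None:
        """Credit rewards earned since the last snapshot, then re-snapshot."""
        acct.points += acct.stake * (self.index - acct.last_index)
        acct.last_index = self.index

    def stake(self, who: str, amount: int) -> None:
        acct = self.accounts.get(who)
        if acct is None:
            acct = self.join(who)
        else:
            self._settle(acct)          # credit the old stake before changing it
        acct.stake += amount

    def claim(self, who: str) -> int:
        """Settle and pay out all credited reward points (one-to-one ratio)."""
        acct = self.accounts[who]
        self._settle(acct)
        out, acct.points = acct.points, 0
        return out


def simulate(fixed: bool, index: int = 1_190_000_000, stake: int = 136_000) -> int:
    """A newcomer stakes into a pool whose index has already reached `index`,
    then claims immediately. Returns the reward points credited. The default
    figures are the article's (index ~1.19 billion, stake ~136,000)."""
    pool = Spool(init_last_index=fixed)
    pool.accrue(index)                  # 20 months of history before the newcomer
    pool.stake("attacker", stake)
    return pool.claim("attacker")


if __name__ == "__main__":
    print("legacy spool pays:", simulate(fixed=False))   # 136_000 * 1_190_000_000
    print("fixed spool pays: ", simulate(fixed=True))    # 0
```

Run as a script, the legacy path credits 136,000 × 1.19 billion, matching the roughly 162 trillion points reported, while the fixed path credits nothing until the index moves after the join. The model stops at reward points; the article does not say what bounded the 150,000 tokens actually withdrawn.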
Blockchain records confirmed the transaction under hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL. The stolen funds were then routed through a privacy-focused mixing protocol, complicating recovery efforts.
Rapid response and rising DeFi losses
Scallop reported that it froze the compromised contract within minutes of detection. The team stated that core lending and borrowing services remained fully operational.
User deposits across other markets stayed protected during the incident.
The protocol confirmed it will cover the full loss from treasury reserves and that user yields will not be reduced.
By 14:42 UTC, Scallop restored normal deposit and withdrawal functions, less than two hours after the breach.
The team disclosed that the attacker later initiated contact. The individual proposed returning 80% of the funds in exchange for white-hat recognition and a bounty.
Scallop stated it is reviewing how audits by OtterSec and MoveBit failed to detect the flaw.
This incident follows a similar exploit on Volo Protocol, which resulted in $3.5 million in losses.
Data shows both attacks targeted peripheral contracts rather than core systems. April 2026 has recorded over $600 million in crypto thefts across 12 major incidents.
By mid-April, total losses exceeded $750 million. Kelp DAO and Drift Protocol accounted for about 95% of those losses, with Kelp alone generating about $177 million in bad debt on Aave.
Scallop stated it will conduct a full security review of all legacy contracts.
