TLDR
- A security breach cost Scallop Protocol approximately $142,000 (150,000 SUI tokens) on April 26, 2026
- The exploit leveraged a legacy V2 rewards contract originally deployed in November 2023
- A critical flaw involving an uninitialized “last_index” variable enabled draining of the complete rewards pool
- User deposits and main protocol functions remained secure; normal operations restored in under two hours
- The exploiter has proposed returning 80% of stolen assets in exchange for a white-hat bug bounty
A DeFi lending platform operating on Sui Network, Scallop Protocol, experienced a security breach on Sunday resulting in the theft of approximately $142,000 in SUI tokens through exploitation of an outdated rewards smart contract.
🚨 SECURITY INCIDENT NOTICE
We have identified an exploit affecting a side contract related to Scallop’s sSUI spool rewards pool, resulting in a loss of approximately 150K SUI.
The affected contract has been frozen. Our core contracts remain safe and only the sSUI rewards pool…
— Scallop (@Scallop_io) April 26, 2026
The breach occurred on April 26, 2026, with Scallop making a public announcement about the incident at 12:50 UTC through their X platform account.
Rather than compromising the main protocol infrastructure, the malicious actor focused on a legacy auxiliary contract associated with Scallop’s sSUI spool—the rewards mechanism for users who deposit SUI tokens.
The vulnerable contract was a V2 spool package that went live in November 2023, making it over 17 months old at the time of exploitation.
Within the Sui network architecture, smart contracts are permanently deployed. Historical contract versions remain active and accessible unless developers implement explicit version restrictions. This architectural characteristic left the obsolete contract vulnerable to exploitation.
The fundamental security weakness centered on an uninitialized variable labeled “last_index,” which records the point up to which each participant’s rewards have already been accrued. Because this checkpoint was not set to the pool’s current index when a new account was created, the exploiter could join the rewards pool and claim rewards retroactively, as though they had participated from the pool’s inception.
The malicious actor deposited approximately 136,000 sSUI tokens into the system. Over the course of 20 months, the spool index had accumulated to roughly 1.19 billion.
The gap between the pool’s current index and the account’s zero starting index allowed the attacker to falsely credit their account with approximately 162 trillion reward points. With points converting to SUI at a one-to-one rate, the rewards pool released its entire balance of 150,000 SUI in a single transaction.
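The accounting failure described in the last three paragraphs can be reproduced in a small model. The following Python is an added illustration, not Scallop’s Move code or anything from its audits; the pool and account structures, the function names, and the reward-point arithmetic are assumptions, and the scale of the index is treated as raw “points per staked unit” so that the page’s own figures (a 136,000 sSUI deposit against an index of roughly 1.19 billion, a 150,000 SUI pool) come out directly. The vulnerable account constructor leaves `last_index` at zero; the fixed one settles the new account against the pool’s current index at join time.

```python
"""Toy model of an index-based staking rewards pool (a "spool").

Each account stores the pool index it last settled against.  Rewards owed
are staked * (pool.index - account.last_index).  If a newly created account
keeps last_index = 0 instead of the pool's current index, it is credited
for the pool's entire accrual history in one claim.

Constructed example for illustration; not the protocol's own code.
"""
from dataclasses import dataclass


@dataclass
class Spool:
    index: int            # cumulative reward points per staked unit; only grows
    reward_balance: int   # reward tokens available for payout
    total_staked: int = 0

    def accrue(self, new_points: int) -> None:
        """Distribute new reward points pro rata by bumping the pool index.

        Toy simplification: integer division drops rounding dust; a real
        implementation would use fixed-point scaling.
        """
        if self.total_staked:
            self.index += new_points // self.total_staked
        self.reward_balance += new_points


@dataclass
class Account:
    staked: int
    last_index: int


def open_account_vulnerable(pool: Spool, amount: int) -> Account:
    """BUG: last_index is left at its default of 0."""
    pool.total_staked += amount
    return Account(staked=amount, last_index=0)


def open_account_fixed(pool: Spool, amount: int) -> Account:
    """FIX: a new account is settled against the index at the moment it joins,
    so only rewards accrued after this point are ever owed to it."""
    pool.total_staked += amount
    return Account(staked=amount, last_index=pool.index)


def pending_rewards(pool: Spool, acct: Account) -> int:
    """Reward points owed since the account last settled."""
    return acct.staked * (pool.index - acct.last_index)


def claim(pool: Spool, acct: Account) -> int:
    """Pay out pending points 1:1, capped by what the pool holds, and settle."""
    owed = pending_rewards(pool, acct)
    paid = min(owed, pool.reward_balance)
    pool.reward_balance -= paid
    acct.last_index = pool.index
    return paid


def replay(open_account) -> dict:
    """Run the page's scenario against a given account constructor."""
    pool = Spool(index=1_190_000_000, reward_balance=150_000)  # figures from the article
    acct = open_account(pool, 136_000)
    owed = pending_rewards(pool, acct)
    paid = claim(pool, acct)
    return {"owed_points": owed, "paid": paid, "pool_left": pool.reward_balance}


if __name__ == "__main__":
    print("vulnerable:", replay(open_account_vulnerable))
    print("fixed:     ", replay(open_account_fixed))
```

The vulnerable replay reports about 161.8 trillion owed points and a payout equal to the whole 150,000 balance; the fixed replay owes nothing at join time and only pays out for rewards accrued afterwards. The same check, “does a fresh account owe zero immediately after creation?”, is a cheap invariant to assert in tests for any index-based rewards contract, including legacy package versions that remain callable.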
The blockchain transaction 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL provides on-chain evidence of the withdrawal.
The compromised assets were promptly transferred through a Sui-based privacy mixer comparable to Tornado Cash, significantly complicating fund recovery efforts.
Scallop Responds and Resumes Operations
Scallop’s development team acted swiftly to freeze the compromised contract just minutes following detection of the attack. The primary lending and borrowing functions continued operating without interruption. Customer deposits across all other Scallop products remained fully protected.
The protocol’s management has committed to absorbing the complete financial loss through its treasury reserves. User yields and returns will not be impacted.
At 14:42 UTC, Scallop reinstated access to the main contracts. Standard withdrawal and deposit functionality returned to normal operation less than two hours from the initial breach.
Subsequently, the exploiter initiated communication with the development team, proposing to return 80% of the stolen assets in return for recognition as a white-hat security researcher and a corresponding bounty. The team is currently reviewing how this vulnerability evaded detection during previous security audits conducted by OtterSec and MoveBit.
April 2026’s Growing DeFi Loss Tally
This security incident comes on the heels of a comparable breach targeting Volo Protocol earlier this month, which resulted in losses approaching $3.5 million. Both situations involved peripheral contract vulnerabilities rather than compromises to core protocol architecture.
The month of April 2026 has witnessed more than $600 million in cryptocurrency thefts distributed across 12 significant security incidents. Total losses for the month surpassed $750 million by mid-April.
Kelp DAO and Drift Protocol represented approximately 95% of April’s cumulative losses. The Kelp breach alone generated $177 million in uncollateralized debt on the Aave platform.
Scallop’s development team has yet to release a comprehensive technical post-mortem analysis. They have announced intentions to conduct a thorough security review of all remaining legacy contract packages.
Neither the Sui Foundation nor Mysten Labs has issued an official statement regarding this security incident.