TLDR
- Scallop Protocol lost ~$142,000 (150,000 SUI) in an exploit on April 26, 2026
- An attacker targeted a deprecated V2 rewards contract from November 2023
- An uninitialized “last_index” variable let the attacker claim the entire rewards pool
- Core protocol and user deposits were unaffected; operations resumed within two hours
- The attacker offered to return 80% of funds as a white-hat bounty
Scallop Protocol, a money market built on the Sui Network, lost around $142,000 worth of SUI tokens on Sunday after an attacker exploited a deprecated rewards contract.
🚨 SECURITY INCIDENT NOTICE
We have identified an exploit affecting a side contract related to Scallop’s sSUI spool rewards pool, resulting in a loss of approximately 150K SUI.
The affected contract has been frozen. Our core contracts remain safe and only the sSUI rewards pool…
— Scallop (@Scallop_io) April 26, 2026
The exploit happened on April 26, 2026. Scallop disclosed the incident publicly at 12:50 UTC via a post on X.
The attacker did not touch the core protocol. Instead, they targeted an older side contract tied to Scallop’s sSUI spool, which is the rewards layer for SUI depositors.
The contract in question was a V2 spool package published in November 2023. That is more than 17 months before the attack took place.
On the Sui network, deployed contracts are immutable. Old versions stay live and callable unless developers explicitly block access through version gating. That design left the outdated contract as an open attack surface.
The core flaw was an uninitialized variable called “last_index.” This counter tracks accumulated rewards for stakers. Because it was never set when a new account was created, the attacker could enter the pool and claim rewards as if they had been staking since the very beginning.
The attacker staked around 136,000 sSUI. The spool index had grown to approximately 1.19 billion over 20 months.
That gap let the attacker credit themselves with around 162 trillion reward points. The rewards pool exchanged those points at a one-to-one rate, and the entire pool of 150,000 SUI was drained in a single transaction.
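The accounting pattern behind this flaw is a standard reward-index (rewards-per-share) accumulator. The following Python model is an added illustration and is not Scallop's Move code: it reproduces the uninitialized `last_index` defect, shows the fix (snapshot the pool index when an account is created), and adds the version gate that would have blocked calls into a deprecated package. All names, epoch counts and amounts are constructed for the example.

```python
# Added illustration, not Scallop's code: a minimal reward-index pool that
# reproduces the uninitialized last_index bug and the two mitigations the
# incident points to (index snapshot on account creation, version gating).
from dataclasses import dataclass, field

SCALE = 10**9          # fixed-point scale for the per-share index (constructed)
CURRENT_VERSION = 3    # hypothetical "live" package version allowed to call in


@dataclass
class Account:
    stake: int
    last_index: int    # pool index observed at creation / last claim


@dataclass
class Pool:
    version: int
    index: int = 0             # accumulated rewards per staked unit, scaled
    total_stake: int = 0
    rewards: int = 0           # undistributed reward balance held by the pool
    accounts: dict = field(default_factory=dict)

    def distribute(self, amount: int) -> None:
        """Add `amount` of rewards and grow the index by rewards-per-staked-unit."""
        if self.total_stake > 0:
            self.index += amount * SCALE // self.total_stake
        self.rewards += amount

    def stake_vulnerable(self, who: str, amount: int) -> None:
        # BUG: the new account's last_index is left at 0 instead of pool.index,
        # so it appears to have been staked since the pool's first epoch.
        self.accounts[who] = Account(amount, 0)
        self.total_stake += amount

    def stake_fixed(self, who: str, amount: int) -> None:
        check_version(self)
        # FIX: snapshot the current index so only rewards from now on accrue.
        self.accounts[who] = Account(amount, self.index)
        self.total_stake += amount

    def claimable(self, who: str) -> int:
        acct = self.accounts[who]
        return acct.stake * (self.index - acct.last_index) // SCALE

    def claim(self, who: str) -> int:
        # Payout is capped by the pool balance; a stale last_index can still
        # let one account take everything that is there.
        amount = min(self.claimable(who), self.rewards)
        self.rewards -= amount
        self.accounts[who].last_index = self.index
        return amount


def check_version(pool: Pool) -> None:
    """Version gate: refuse entry from any package version that is not current."""
    if pool.version != CURRENT_VERSION:
        raise PermissionError("deprecated package version; upgrade required")


def simulate(vulnerable: bool) -> dict:
    """One honest staker earns 20 epochs of rewards; a latecomer joins afterwards."""
    pool = Pool(version=CURRENT_VERSION)
    stake = pool.stake_vulnerable if vulnerable else pool.stake_fixed
    stake("honest", 1_000)
    for _ in range(20):          # 20 reward epochs of 1,000 units each (constructed)
        pool.distribute(1_000)
    stake("latecomer", 5_000)    # joins only after all rewards were distributed
    return {
        "latecomer": pool.claim("latecomer"),
        "honest": pool.claim("honest"),
        "remaining": pool.rewards,
    }


def legacy_call_blocked() -> bool:
    """A pool instance tagged with an old version must be rejected at entry."""
    legacy = Pool(version=2)
    try:
        legacy.stake_fixed("anyone", 1)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable=True))   # latecomer drains the pool
    print("fixed:     ", simulate(vulnerable=False))  # latecomer gets nothing
    print("legacy blocked:", legacy_call_blocked())
```

In the vulnerable run the latecomer, who contributed nothing during the reward epochs, walks away with the whole 20,000-unit balance and the honest staker is left with zero, which is the shape of the incident described above. Two invariants worth asserting in tests for any pool of this kind: a freshly created account has `claimable == 0`, and an entry point called through a non-current package version fails before touching state.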
The transaction hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL records the drain on-chain.
Stolen funds were quickly moved through a mixing service on Sui, similar to Tornado Cash, making recovery more difficult.
Scallop Responds and Resumes Operations
Scallop’s team froze the affected contract within minutes of the attack. Core lending and borrowing pools were not paused. User deposits across all other Scallop markets remained safe.
The protocol confirmed it will cover 100% of the loss from its own treasury. No user yields will be diluted.
By 14:42 UTC, Scallop had unfrozen the core contracts. Withdrawals and deposits resumed normally, less than two hours after the incident began.
The attacker later contacted the team and offered to return 80% of the stolen funds in exchange for a white-hat bounty. The team is now investigating how the flaw passed earlier audits by OtterSec and MoveBit.
April 2026’s Growing DeFi Loss Tally
This attack follows a similar exploit on Volo Protocol earlier in April, which lost around $3.5 million. Both cases targeted peripheral contracts rather than core protocol logic.
April 2026 has now seen over $600 million in stolen funds across 12 major incidents. Cumulative losses for the month exceeded $750 million by mid-April.
Kelp DAO and Drift Protocol accounted for roughly 95% of April’s losses. The Kelp attack alone caused $177 million in bad debt on Aave.
Scallop’s team has not yet published a full post-mortem. They have indicated a complete audit of all remaining legacy packages is planned.
Neither the Sui Foundation nor Mysten Labs has made a public statement on the incident.