What happened in the Scallop SUI exploit?

Scallop lost about 150,000 SUI after an attacker exploited a deprecated rewards contract tied to its sSUI incentive system. The attack targeted an outdated component rather than the core lending protocol. The team responded quickly by freezing the affected contract.

Were user funds affected in the Scallop exploit?

User deposits and core lending pools on Scallop were not affected by the exploit. The issue was isolated to a peripheral rewards contract. Scallop also confirmed it will fully reimburse the loss using its treasury.

How did the attacker exploit the Scallop contract?

The attacker exploited an uninitialised reward index in an old V2 spool contract released in November 2023. By staking around 136,000 sSUI, the attacker manipulated reward calculations. This allowed them to claim inflated rewards and withdraw roughly 150,000 SUI.

What is the sSUI spool in Scallop?

The sSUI spool is Scallop’s reward mechanism for users who deposit SUI into the protocol. It distributes incentives based on staking activity and accumulated rewards. The exploit specifically targeted this rewards layer, not the lending system itself.

Why was an old contract still exploitable on the Sui Network?

On the Sui Network, deployed smart contracts are immutable and remain accessible unless restricted. This means outdated or deprecated versions can still be called if not properly gated. In this case, the old contract remained vulnerable.

How quickly did Scallop respond to the exploit?

Scallop froze the affected contract within minutes of detecting the exploit. Core operations resumed within two hours, including deposits and withdrawals. This fast response helped contain the damage and protect users.

Is this exploit part of a larger trend on Sui?

Yes, the incident follows similar exploits on the Sui ecosystem, including one involving Volo Protocol. These attacks have targeted peripheral or outdated contracts rather than core protocol logic. This suggests a recurring risk in legacy code management.

What are the key risks highlighted by this exploit for DeFi users?

The main risk is that even unused or deprecated contracts can remain exploitable if not properly disabled. This creates hidden vulnerabilities outside the main protocol. Users should be aware that not all risks come from core smart contracts.

Scallop exploit drains 150K SUI funds

Written by Mahathir BayenaPublished Apr. 27 2026

Scallop lost around 150,000 SUI after an attacker exploited a deprecated rewards contract linked to its sSUI incentive mechanism.

The exploit targeted a peripheral contract rather than core lending pools, with user deposits remaining unaffected and protocol operations resuming within two hours.

“Scallop will fully cover 100% of the loss,”

The team said in a public statement following the incident.

The vulnerability stemmed from an outdated V2 spool contract released in November 2023, where an uninitialised reward index allowed the attacker to claim inflated rewards.

On-chain analysis showed the attacker staked roughly 136,000 sSUI and exploited a reward index that had accumulated over time, enabling the withdrawal of approximately 150,000 SUI.

The incident follows similar attacks across the Sui Network ecosystem, including a recent exploit at Volo Protocol, highlighting risks in peripheral smart contracts rather than core systems.

Despite the breach, Scallop confirmed it will absorb the losses without impacting users, as scrutiny grows on legacy code and contract versioning practices in DeFi.

At the time of reporting, Sui price was $0.9449.