Shocking Sui DeFi Hack Drains 150,000 SUI From Scallop’s Deprecated Contract

Another DeFi Exploit Drains 150,000 <a href="https://jpygbp.com/sui-usd/">SUI</a> From Scallop’s Deprecated Contract

Scallop, a financial platform built on Sui Network, experienced a loss of approximately 150,000 SUI tokens on Sunday. An attacker exploited an older, no-longer-supported rewards system connected to Scallop’s sSUI spool to carry out the theft.

Scallop says it quickly paused the affected contract and has committed to covering the losses in full from its own funds. Its main operations were back up in under two hours.

Another Sui Exploit Hits Peripheral Code, Not the Core Protocol

Scallop announced a security incident on April 26 at 12:50 UTC via a post on X (formerly Twitter). The issue involved a contract used to distribute rewards for users who deposit SUI into the sSUI spool, which is Scallop’s system for incentivizing deposits.

The team quickly froze the problematic contract. Thankfully, core lending and borrowing functions weren’t affected, and user deposits were safe on all other Scallop markets.

Less than two hours later, Scallop announced that the restrictions on its core contracts had been lifted. Users were able to withdraw and deposit again at 2:42 PM UTC.

Most users on the Sui network were unaffected by the morning’s events.

“Scallop will fully cover 100% of the loss,” the money market said.

Stale Package Code From 2023 Sat Behind the Exploit

Security researchers discovered the initial vulnerability stemmed from an outdated software package (version 2) that Scallop released over 17 months before the attack, back in November 2023. Because code on the Sui blockchain can’t be changed once deployed, older versions remain accessible unless specifically disabled, creating a potential entry point for exploits.

Someone successfully drained 150,000 SUI from the Scallop protocol by exploiting a very specific, outdated piece of code. They didn’t use the current, active code or the standard development tools. Instead, they called upon an old version from November 2023 that hadn’t been used for months, suggesting they either thoroughly reverse-engineered the system or had prior knowledge of where to find this hidden vulnerability. The flaw itself had been…

— Vadim (AI, ⋈) (@zacodil) April 26, 2026

The root cause was a counter named ‘last_index’, used to calculate rewards for users who staked sSUI, that was not properly initialised. An attacker took advantage of this by staking around 136,000 sSUI.

This math treated the position as if it had existed since the spool launched in August 2023.

Over that 20-month period the spool’s reward index had grown to approximately 1.19 billion. That growth allowed the attacker to accumulate roughly 162 trillion reward points, which were then redeemed at a one-to-one ratio, draining 150,000 SUI from the rewards pool.

The on-chain transaction with ID 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL records the drain.
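To make the accounting concrete, here is an added toy model of a reward-index spool built around the article’s figures; it is not Scallop’s Move code, and the `INDEX_SCALE` fixed-point factor, the pool-capped claim and the 5,000,000 sSUI of pre-existing stake are assumptions. It shows how leaving `last_index` at zero credits a brand-new position with every reward accrued since launch, and how checkpointing the index at stake time prevents that.

```python
from dataclasses import dataclass

# Toy "reward index" spool reproducing the accounting error the article describes.
# Added example, not Scallop's Move code: names, the 1e9 fixed-point scale and the
# pool-capped claim are assumptions; the 5,000,000 sSUI prior stake is constructed.
INDEX_SCALE = 10**9

@dataclass
class Spool:
    index: int          # cumulative reward per staked unit, only ever grows
    rewards_pool: int   # SUI available for claims
    total_staked: int

    def distribute(self, reward: int) -> None:
        """Accrue `reward` SUI pro rata to everything staked right now."""
        self.index += reward * INDEX_SCALE // self.total_staked

@dataclass
class Position:
    staked: int
    last_index: int     # index snapshot taken when the position last settled
    points: int = 0

def stake(spool: Spool, amount: int, checkpoint: bool) -> Position:
    """checkpoint=False is the defect: last_index stays 0, i.e. 'since launch'."""
    spool.total_staked += amount
    return Position(staked=amount, last_index=spool.index if checkpoint else 0)

def settle(spool: Spool, pos: Position) -> int:
    """Convert index growth since the last checkpoint into reward points."""
    pos.points += pos.staked * (spool.index - pos.last_index)
    pos.last_index = spool.index
    return pos.points

def claim(spool: Spool, pos: Position) -> int:
    """Redeem points 1:1 for SUI, capped by what the pool actually holds."""
    paid = min(pos.points // INDEX_SCALE, spool.rewards_pool)
    spool.rewards_pool -= paid
    pos.points -= paid * INDEX_SCALE
    return paid

def replay(checkpoint: bool) -> tuple[int, int, int]:
    """(points right after staking 136,000 sSUI, SUI claimed, SUI from a later 1,000 SUI round)."""
    spool = Spool(index=1_190_000_000, rewards_pool=150_000, total_staked=5_000_000)
    pos = stake(spool, 136_000, checkpoint)
    points = settle(spool, pos)          # buggy: ~1.62e14, the "162 trillion" points
    drained = claim(spool, pos)          # buggy: the whole 150,000 SUI pool
    spool.distribute(1_000)              # later rewards: honest stakers get nothing if drained
    settle(spool, pos)
    return points, drained, claim(spool, pos)
```

With `checkpoint=False` the new position settles to 136,000 × 1.19e9 points and empties the pool; with `checkpoint=True` it settles to zero and only earns its pro-rata share of later distributions.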

A Familiar Pattern Across Sui DeFi

This latest event is part of a recent pattern of security issues on the Sui blockchain. Earlier this month, Volo Protocol lost about $3.5 million due to a similar problem affecting a related, but separate, piece of code. In each instance, the attacks didn’t target the main operating code of the protocol itself, but instead focused on connected, secondary contracts.

We’re sharing an update with our community about a security issue that happened today. We want to be upfront about it and assure everyone that Volo will cover any financial losses.

Here’s what occurred: A vulnerability was exploited, leading to the removal of roughly…

— Volo (@volo_sui) April 21, 2026

This incident follows a recent major issue on Ethereum, where around $292 million worth of unbacked tokens were created during a restaking process. Both events occurred on weekends, when trading activity is low and it takes longer to react to problems.

Neither the Sui Foundation nor Mysten Labs has made a public statement on the matter.

Luckily, the financial impact on Scallop appears limited. The team has stated they will cover all losses without reducing rewards for users.

Just wanted to give a quick update on the recent incident. We’ve resolved the issue and everything is back to normal – core contracts are functioning as expected. After investigation, it turned out the problem wasn’t with the main protocol itself, but with an older, rewards-related contract that we’re phasing out. Importantly, user deposits were never at risk, and all funds are secure. You should now be able to make both deposits and withdrawals without any issues.

— Scallop (@Scallop_io) April 26, 2026

The team hasn’t finished their review of what happened yet. Their detailed report, which will cover all older parts of the system, is expected to significantly influence how the Sui DeFi community moves forward.

The deeper question is how Sui builders should manage immutable code and forgotten attack surfaces.


2026-04-26 23:36