The team has already pledged to fully reimburse affected users.

Scallop loses $142,000 due to legacy contract vulnerability on Sui

27.04.2026 - 10:40

220

3 min

Key points:

  • Scallop lost around $142,000 due to a flaw in an older rewards contract.
  • An attacker exploited a bug in the reward calculation and drained the entire pool in a single transaction.

Scallop, a money market protocol on Sui, was hit for roughly $142,000 in SUI tokens after a vulnerability in a legacy rewards contract was exploited.

Source: X.com

The attack did not impact the core protocol. Instead, the attacker targeted an older auxiliary contract tied to the sSUI rewards mechanism, which distributes incentives to SUI depositors.

The issue traces back to spool V2, released in November 2023—more than 17 months before the exploit. On Sui, deployed contracts are immutable. If older versions aren’t restricted, they remain accessible, which created the attack surface in this case.

Volo crypto platform hack: what's known about the $3.5 Million theft

Volo crypto platform hack: what's known about the $3.5 Million theft

The team froze part of its funds and stated its readiness to cover losses without user participation.

Читать дальше

The root cause was an uninitialized variable, last_index, used to track accumulated rewards. Because it wasn’t set when a new account was created, the attacker could claim rewards as if they had been staking since the beginning.

The stolen funds were quickly routed through a mixing service on Sui, similar to Tornado Cash, making them much harder to trace.

Scallop’s Response and Recovery

The Scallop team froze the affected contract within minutes. Core functions like lending and borrowing continued operating without interruption, and user funds in other markets remained safe.

The project committed to covering 100% of the losses from its treasury. User yields will not be reduced.

Core contracts were restored, and deposits and withdrawals resumed normal operation in under two hours after the attack.

Later, the attacker contacted the team and offered to return 80% of the funds in exchange for a “white hat” bounty. The team is now investigating why the vulnerability was not flagged in audits by OtterSec and MoveBit.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy