Scallop loses $142,000 due to legacy contract vulnerability on Sui
The team has already pledged to fully reimburse affected users.
27.04.2026 - 10:40
220
3 min
0
Key points:
- Scallop lost around $142,000 due to a flaw in an older rewards contract.
- An attacker exploited a bug in the reward calculation and drained the entire pool in a single transaction.
Scallop, a money market protocol on Sui, was hit for roughly $142,000 in SUI tokens after a vulnerability in a legacy rewards contract was exploited.
The attack did not impact the core protocol. Instead, the attacker targeted an older auxiliary contract tied to the sSUI rewards mechanism, which distributes incentives to SUI depositors.
The issue traces back to spool V2, released in November 2023—more than 17 months before the exploit. On Sui, deployed contracts are immutable. If older versions aren’t restricted, they remain accessible, which created the attack surface in this case.
Volo crypto platform hack: what's known about the $3.5 Million theft
The team froze part of its funds and stated its readiness to cover losses without user participation.
The root cause was an uninitialized variable, last_index, used to track accumulated rewards. Because it wasn’t set when a new account was created, the attacker could claim rewards as if they had been staking since the beginning.
The stolen funds were quickly routed through a mixing service on Sui, similar to Tornado Cash, making them much harder to trace.
Scallop’s Response and Recovery
The Scallop team froze the affected contract within minutes. Core functions like lending and borrowing continued operating without interruption, and user funds in other markets remained safe.
The project committed to covering 100% of the losses from its treasury. User yields will not be reduced.
Core contracts were restored, and deposits and withdrawals resumed normal operation in under two hours after the attack.
Later, the attacker contacted the team and offered to return 80% of the funds in exchange for a “white hat” bounty. The team is now investigating why the vulnerability was not flagged in audits by OtterSec and MoveBit.
Useful material?
Incidents
Developers warned of potential risks to bridges across the ecosystem and asked exchanges for assistance.
Jun 22, 2026
Incidents
The defendant helped move funds stolen through investment scams and earned at least $4 million for his role in the operation.
Jun 10, 2026
Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026

Telegram
Twitter