Scallop Protocol, a leading lending platform on the Sui network, lost about $142,000 in SUI tokens late Sunday following a targeted flash loan exploit. Notably, the attack bypassed the protocol’s active infrastructure entirely, targeting a deprecated rewards contract, while leaving its core system untouched.
The team disclosed the incident on X, stating, “We have identified an exploit affecting a side contract related to Scallop’s sSUI spool rewards pool,” and froze the affected contract. Scallop said core contracts remain secure and user deposits were not affected. It added, “Scallop will fully cover 100% of the loss.”
Deprecated code as a hidden attack surface
The attacker targeted a deprecated V2 contract deployed in November 2023, which remained accessible on-chain under Sui’s immutable design. Instead of using standard SDK pathways, the attacker interacted directly with the older contract version.
On-chain analyst Vadim said, “Scallop drained for 150K SUI by someone who knew exactly which deprecated package to call,” pointing to a flaw tied to an uninitialized last_index variable. The issue allowed the attacker to claim rewards based on the full historical index rather than a user-specific starting point.
By staking 136,000 sSUI, the attacker manipulated the system’s verification logic to receive massively inflated rewards, effectively draining the side pool. Additionally, the attacker briefly tampered with Scallop’s price feeds, skewing SUI/USDC rates to borrow assets cheaply before repaying the flash loan in a single transaction block.
Broader DeFi risks
Scallop has since resumed operations, saying, “User deposits were not impacted and all funds remain safe,” with withdrawals and deposits functioning normally. The attacker has reportedly offered to return 80% of the funds in exchange for a bounty, though Scallop has not yet confirmed an agreement.
The exploit adds to mounting losses across the decentralized finance sector. April 2026 has seen more than $606 million in losses, making it one of the sector’s worst months and the Scallop incident marking the 13th recorded breach.
Analyst Crypto Patel said “Audited does not mean safe,” citing incidents such as Kelp DAO’s $292 million loss despite multiple audits. Sui-based platforms including Cetus, Nemo and Volo have also reported breaches over the past year.
The string of incidents is increasing scrutiny on how developers manage legacy contracts, particularly in systems where older versions remain accessible on-chain.
Also Read: Weekly Wrap: $292M KelpDAO Hack Hits Aave, RaveDAO Erases $6B, CLARITY Act Delayed
