Key Takeaways
- Approximately $142,000 (150,000 SUI tokens) was drained from Scallop Protocol on April 26, 2026
- The exploiter targeted an obsolete V2 rewards contract initially deployed in November 2023
- A “last_index” field left uninitialized for new accounts let the attacker claim rewards accrued since the pool’s launch and drain the full rewards balance
- The main protocol infrastructure and all user deposits remained secure; normal operations restored in under two hours
- The exploiter has proposed returning 80% of the stolen assets in exchange for a white-hat reward
Scallop Protocol, a money market on the Sui network, suffered a security breach on Sunday in which an exploiter manipulated an abandoned rewards contract and drained roughly $142,000 worth of SUI tokens.
The security incident occurred on April 26, 2026. The Scallop team made the breach public at 12:50 UTC through an announcement on X (formerly Twitter).
The protocol’s primary infrastructure was not compromised. The attacker instead focused on an outdated ancillary contract associated with Scallop’s sSUI spool—the mechanism responsible for distributing rewards to SUI token depositors.
The vulnerable contract belonged to a V2 spool package deployed in November 2023, nearly two and a half years before the exploit.
Sui packages are immutable once published. Upgrading a package publishes a new version, but the old version stays on-chain and remains callable unless the code itself enforces a version check on its shared objects or gates its entry points with access controls. That is what left the abandoned package callable, and therefore exploitable.
The root cause was a field named “last_index” that was never initialized for new accounts. In an index-based reward scheme this field records the pool’s cumulative reward index at the moment an account joins or last settles, so a depositor is credited only for growth in the index after that point. Because new accounts started with last_index at zero, the exploiter could enter the staking pool and immediately claim rewards as though they had been staked since the pool’s launch.
The exploiter deposited approximately 136,000 sSUI. By then the spool index had accumulated to roughly 1.19 billion over the life of the pool.
Multiplying the stake by the full index (136,000 × 1.19 billion) credited the attacker roughly 162 trillion reward points. The rewards mechanism treated these points as redeemable one-for-one, and since the claim dwarfed the pool’s balance, the attacker withdrew all 150,000 SUI in a single transaction.
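The accounting flaw described above, modelled as an added example. This is not Scallop’s code and not Move; it is a simplified Python model of index-based reward accounting in which an account’s pending rewards are stake × (pool index − last_index). The constants reuse the figures reported in this article, the `Pool` and `Account` names and the `advance` and `claim` methods are assumptions, and token decimals and index scaling are abstracted away so the page’s units (“points”) are used directly. The vulnerable path creates new accounts with the default last_index of 0; the hardened path snapshots the current index on join.

```python
from dataclasses import dataclass, field

# Constructed figures taken from the incident write-up above; units are the
# page's own "points" (decimals and index scaling are abstracted away).
ATTACKER_STAKE = 136_000               # sSUI deposited by the exploiter
POOL_INDEX_AT_ATTACK = 1_190_000_000   # accumulated spool index at attack time
POOL_REWARD_BALANCE = 150_000          # SUI held by the rewards pool


@dataclass
class Account:
    stake: int = 0
    last_index: int = 0   # index at which this account was last settled
    owed: int = 0         # settled but unclaimed points


@dataclass
class Pool:
    index: int            # reward entitlement accrued per staked unit since launch
    rewards: int          # reward tokens actually held by the pool
    accounts: dict = field(default_factory=dict)

    def advance(self, delta: int) -> None:
        """Model rewards accruing over time: every staked unit earns `delta` more."""
        self.index += delta

    def _settle(self, acct: Account) -> None:
        # Credit growth since the last settlement, then move the watermark.
        acct.owed += acct.stake * (self.index - acct.last_index)
        acct.last_index = self.index

    # --- vulnerable path: mirrors the flaw described in the write-up ---
    def stake_vulnerable(self, who: str, amount: int) -> None:
        acct = self.accounts.get(who)
        if acct is None:
            # BUG: a new account keeps the default last_index of 0, so its
            # entitlement is measured from the pool's launch, not from now.
            acct = Account()
            self.accounts[who] = acct
        else:
            self._settle(acct)
        acct.stake += amount

    # --- hardened path: snapshot the current index when an account joins ---
    def stake_fixed(self, who: str, amount: int) -> None:
        acct = self.accounts.get(who)
        if acct is None:
            acct = Account(last_index=self.index)  # FIX: start counting from "now"
            self.accounts[who] = acct
        else:
            self._settle(acct)
        acct.stake += amount

    def claim(self, who: str) -> tuple[int, int]:
        """Return (points_requested, tokens_paid). Payment is capped at the pool
        balance, which reproduces the outcome reported above (whole balance gone)."""
        acct = self.accounts[who]
        self._settle(acct)
        requested = acct.owed
        paid = min(requested, self.rewards)
        acct.owed -= paid
        self.rewards -= paid
        return requested, paid


def replay(vulnerable: bool) -> tuple[int, int]:
    """Join the pool at the attack-time index and claim immediately."""
    pool = Pool(index=POOL_INDEX_AT_ATTACK, rewards=POOL_REWARD_BALANCE)
    if vulnerable:
        pool.stake_vulnerable("attacker", ATTACKER_STAKE)
    else:
        pool.stake_fixed("attacker", ATTACKER_STAKE)
    return pool.claim("attacker")


def legitimate_accrual() -> int:
    """With the fix, a depositor is still paid for index growth after joining."""
    pool = Pool(index=POOL_INDEX_AT_ATTACK, rewards=POOL_REWARD_BALANCE)
    pool.stake_fixed("alice", ATTACKER_STAKE)
    pool.advance(1)                      # one more point per staked unit
    _, paid = pool.claim("alice")
    return paid


if __name__ == "__main__":
    print("vulnerable:", replay(True))         # (161840000000000, 150000)
    print("fixed:     ", replay(False))        # (0, 0)
    print("post-join: ", legitimate_accrual()) # 136000
```

Running the vulnerable path reproduces the article’s arithmetic: 136,000 × 1,190,000,000 = 161,840,000,000,000 points requested, capped by the 150,000 tokens the pool holds. The hardened path yields a zero claim on joining and pays only for growth after the snapshot. In a real deployment the fix also needs the old package version gated off, since a patched function in a new version does nothing to stop calls into the unpatched one.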
The blockchain transaction identified as 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL documents the withdrawal on-chain.
The stolen assets were rapidly transferred through a privacy mixer on Sui, comparable to Tornado Cash, complicating potential recovery efforts.
Team Response and Service Restoration
Scallop’s development team disabled the compromised contract within minutes of detecting the breach. The primary lending and borrowing mechanisms were not suspended. All user deposits across Scallop’s various markets remained fully protected.
The protocol confirmed it would absorb 100% of the financial loss from its treasury reserves. No reduction in user returns will occur.
At 14:42 UTC, Scallop reactivated the core contracts. Standard withdrawal and deposit functionality was restored to normal operation, less than two hours following the initial incident.
The exploiter subsequently contacted the team offering to return 80% of the extracted funds in exchange for a white-hat bounty. The team is examining why the flaw was not caught in earlier security assessments by OtterSec and MoveBit.
DeFi Losses Continue Mounting in April 2026
This security breach comes on the heels of a comparable exploit affecting Volo Protocol earlier this month, which resulted in approximately $3.5 million in losses. Both incidents exploited secondary contracts rather than primary protocol mechanisms.
April 2026 has witnessed more than $600 million in cryptocurrency thefts across 12 significant incidents. Total losses for the month surpassed $750 million by mid-April.
Kelp DAO and Drift Protocol represented approximately 95% of April’s cumulative losses. The Kelp incident alone generated $177 million in unrecoverable debt on the Aave platform.
Scallop’s development team has not yet released a comprehensive post-incident analysis. They have announced intentions to conduct a thorough security review of all remaining legacy contract packages.
Neither the Sui Foundation nor Mysten Labs has issued an official statement regarding this security incident.