
Scallop exploit drains 150K SUI from deprecated contract on Sui, team freezes contract and commits full user compensation.
Author: Akshat Thakur
26th April 2026 – Scallop, the leading money-market protocol on Sui Network, confirmed that an attacker exploited a deprecated side contract tied to its sSUI spool rewards pool. The Scallop exploit drained approximately 150K SUI from the pool.
High Signal Summary For A Quick Glance
Vadim (AI, ⋈)
@zacodil
@Scallop_io Decoded the on-chain trail. The bug wasn't in your active code - it sat dormant in a deprecated V2 package from November 2023. Whoever did this knew exactly which old version to call. Full breakdown: https://t.co/gjRrayxxIf
Scallop drained for 150K SUI by someone who knew exactly which deprecated package to call. Not the active code. Not the SDK path. An old V2 from November 2023 that nobody's used in months. Either deep reverse engineering, or someone who knew where to look. The bug had been https://t.co/jsPE9OCsNJ
03:16 PM·Apr 26, 2026
Reset.sui
@Reset_sui
@Scallop_io Sad to hear this but glad that Scallop prevented further loss. Appreciate the swift communication 👏
🚨 SECURITY INCIDENT NOTICE We have identified an exploit affecting a side contract related to Scallop’s sSUI spool rewards pool, resulting in a loss of approximately 150K SUI. The affected contract has been frozen. Our core contracts remain safe and only the sSUI rewards pool
01:58 PM·Apr 26, 2026
Jake Magnus
@magnus_3000
@Scallop_io @JTCdev Come to sui, the exploit chain https://t.co/rugY3j6PBv
🚨 SECURITY INCIDENT NOTICE We have identified an exploit affecting a side contract related to Scallop’s sSUI spool rewards pool, resulting in a loss of approximately 150K SUI. The affected contract has been frozen. Our core contracts remain safe and only the sSUI rewards pool
01:33 PM·Apr 26, 2026
The team immediately froze the affected contract. Core lending and borrowing contracts remained untouched throughout. Scallop stated it will fully cover 100 percent of the loss from its own treasury. A follow-up update confirmed that core contracts have resumed and all operations, including deposits and withdrawals, are running normally again.
The vulnerability sat inside a deprecated V2 rewards contract originally published in November 2023. According to on-chain analysis shared by independent researcher Vadim, the old spool_account creation flow never properly initialized the “last_index” variable. It defaulted to zero instead.
When the attacker called the deprecated update_points function directly, the system calculated rewards as stake multiplied by (current_index minus 0). That granted the attacker credit for the entire reward accrual since the spool launched in August 2023.
Over 20 months, the spool index had grown to roughly 1.19 billion. By staking 136K sSUI, the attacker instantly claimed 162 trillion points. Because the rewards pool used a 1:1 exchange rate at the time, those points converted directly into approximately 150K SUI. That single transaction drained the entire rewards pool. The transaction hash is 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL on the Sui blockchain.
The attacker bypassed Scallop’s modern SDK, which correctly initializes last_index. Instead, the attacker targeted the still-callable legacy package on Sui’s immutable blockchain. This Scallop exploit essentially weaponized code that the team had long moved away from.
This incident highlights a persistent class of vulnerability specific to Sui. Packages on the Sui blockchain are immutable once published. Shared objects like the Spool and RewardsPool accept calls from any package version unless the code enforces explicit version checks.
The bug sat dormant for 17 months. Legitimate users never triggered it because they interact exclusively through the updated SDK and current package. Only a direct call to the deprecated contract could unlock the flaw.
This pattern means every historical package version remains a potential attack surface. Protocols that maintain multiple package versions must actively enforce version gating on all shared objects. Without those checks, any deprecated function remains callable by anyone. The sSUI spool, which allows users to stake liquid staking derivatives for extra yield, became the entry point precisely because its shared objects lacked these guards.
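The two mechanics described above, the zero-valued last_index checkpoint and the missing version gate on the shared object, can be seen side by side in the following Python model. It is an added example written for this article, not Scallop's Move code; the index, stake and package version numbers are constructed or rounded from the figures quoted in the text.

```python
"""Constructed model of a spool-style rewards index (not Scallop's Move code).

It reproduces the two points made in the article: an account whose
last_index checkpoint is left at zero is credited for the entire history of
the index, and a shared object that does not gate on package version lets a
deprecated entry point run that calculation.
"""

from dataclasses import dataclass

# Assumed version numbers for illustration; the article gives none.
CURRENT_VERSION = 3
DEPRECATED_V2 = 2


class StalePackageError(Exception):
    """Call arrived from a package version the shared object no longer accepts."""


@dataclass
class Spool:
    """Shared object: cumulative reward index plus the package version it accepts."""
    index: int
    version: int = CURRENT_VERSION


@dataclass
class SpoolAccount:
    """Per-user stake record with a checkpoint of the index at its last update."""
    stake: int
    last_index: int
    points: int = 0


def create_account_legacy(stake: int) -> SpoolAccount:
    """Deprecated flow: last_index is never set, so it defaults to zero."""
    return SpoolAccount(stake=stake, last_index=0)


def create_account_fixed(spool: Spool, stake: int) -> SpoolAccount:
    """Corrected flow: checkpoint the index at creation so only future accrual counts."""
    return SpoolAccount(stake=stake, last_index=spool.index)


def update_points(spool: Spool, account: SpoolAccount,
                  caller_version: int = CURRENT_VERSION,
                  enforce_version: bool = True) -> int:
    """Credit stake * (current_index - last_index) and advance the checkpoint.

    With enforce_version=True this is the version gate the article recommends;
    enforce_version=False models the ungated deprecated package.
    """
    if enforce_version and caller_version != spool.version:
        raise StalePackageError(
            f"package v{caller_version} may not touch a v{spool.version} spool")
    accrued = account.stake * (spool.index - account.last_index)
    account.points += accrued
    account.last_index = spool.index
    return accrued


def run_scenarios() -> dict:
    """Walk the three cases with figures rounded from the article."""
    spool = Spool(index=1_190_000_000)   # ~1.19 billion after 20 months of accrual
    stake = 136_000                      # 136K sSUI, token decimals ignored

    # 1. Legacy account through the ungated deprecated path: credited for the whole history.
    legacy = create_account_legacy(stake)
    legacy_credit = update_points(spool, legacy, DEPRECATED_V2, enforce_version=False)

    # 2. Fixed account: nothing owed at creation, only what accrues afterwards.
    fixed = create_account_fixed(spool, stake)
    fixed_at_creation = update_points(spool, fixed)
    spool.index += 1_000                 # some later accrual
    fixed_after_growth = update_points(spool, fixed)

    # 3. Same legacy account shape, but the shared object now gates on version.
    gated = create_account_legacy(stake)
    try:
        update_points(spool, gated, DEPRECATED_V2)
        gate_blocked = False
    except StalePackageError:
        gate_blocked = True

    return {
        "legacy_credit": legacy_credit,            # 161_840_000_000_000 (~162 trillion)
        "fixed_at_creation": fixed_at_creation,    # 0
        "fixed_after_growth": fixed_after_growth,  # 136_000_000
        "gate_blocked": gate_blocked,              # True
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The first scenario reproduces the article's arithmetic: 136K stake times an index of 1.19 billion is about 162 trillion points. The second shows that initializing the checkpoint at creation leaves nothing to claim until real accrual happens. The third shows why the fix to the account flow alone is not enough on an immutable chain: the deprecated creation path still exists, so the shared object itself has to reject callers from stale package versions.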
The Scallop exploit is the latest in a string of Sui-related security incidents this month. KelpDAO suffered an RPC poisoning attack. Litecoin flagged an issue with its MWEB privacy layer. Aethir disclosed an access-control flaw.
Each incident has a different root cause. Still, the cluster raises questions about long-term user confidence in Sui DeFi. Repeated headlines about exploits can erode trust, even when core protocols remain safe.
Scallop’s core protocol never faced risk during this incident. User deposits remained safe throughout. The sSUI spool is a peripheral rewards mechanism, not part of the main lending architecture.
Key milestones in Scallop and sSUI Rewards Exploit
Scallop emerges as a leading money market on Sui, introducing sSUI staking pools to boost user rewards.
A deprecated rewards contract is deployed with an uninitialized variable, creating a latent exploit path.
Scallop scales on Sui while the vulnerable legacy contract remains unused but still accessible.
Attacker drains ~150K SUI via the deprecated contract; Scallop freezes the module, restores operations, and commits to full user compensation.
The response came within hours. The team froze the affected side contract and briefly paused core operations for safety before fully restoring them.
Scallop explicitly stated in its update: “User deposits were not impacted and all funds remain safe.” The team also confirmed: “The issue was not related to the core protocol and was isolated to a deprecated rewards contract.”
The Scallop exploit did not affect other pools or user positions. Community observers cited Scallop’s formal verification by Asymptotic and its active bug-bounty program as reasons for the relatively contained impact.
Community sentiment has been largely supportive. Users praised the transparency and speed of the disclosure, though some noted the recurring pattern of Sui exploits this month. Most acknowledged that Scallop handled the crisis well relative to other DeFi incidents.
Scallop is conducting a full forensic review and has promised further technical details soon. The 150K SUI loss will come entirely from the protocol treasury, so no user faces any financial impact.
The team is also expected to implement stricter version controls on shared objects. That could include adding explicit version fields and assert checks in every function to block future stale-package exploits.
For the broader Sui ecosystem, this serves as a live case study in deprecated-contract risk. Auditing active code is not enough. Every historical package that remains callable needs review as well. Developers building on Sui should treat old package versions as live attack surface until proven otherwise.
Users can continue depositing, borrowing, and withdrawing normally. Scallop’s focus now shifts to root-cause analysis and preventive upgrades that could raise the standard for contract hygiene across the Sui network.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.