Key Takeaways
- Approximately $142,000 (150,000 SUI tokens) was stolen from Scallop Protocol on April 26, 2026
- The hacker exploited a legacy V2 rewards contract originally deployed in November 2023
- A critical flaw involving an uninitialized “last_index” variable enabled the attacker to drain the entire rewards pool
- User deposits and core protocol functions remained secure; normal operations resumed in under two hours
- The exploiter proposed returning 80% of stolen assets in exchange for a white-hat bounty
Scallop Protocol, a decentralized lending platform operating on the Sui Network, experienced a security breach on Sunday resulting in the theft of approximately $142,000 in SUI tokens after a hacker exploited a long-abandoned rewards contract.
The security incident occurred on April 26, 2026, with Scallop making the breach public at 12:50 UTC through an announcement on X (formerly Twitter).
Rather than compromising the main protocol infrastructure, the perpetrator focused their attack on a peripheral contract associated with Scallop’s sSUI spool—a rewards distribution mechanism for users who deposit SUI tokens.
The vulnerable contract was part of a V2 spool package originally launched in November 2023, making it over 17 months old at the time of exploitation.
A distinctive characteristic of the Sui network is that once contracts are deployed, they become immutable. Legacy versions remain accessible and executable unless developers implement version control mechanisms to restrict access. This architectural design inadvertently left the obsolete contract exposed as a potential attack vector.
The vulnerability stemmed from an uninitialized variable labeled “last_index,” which tracks the accumulated staking rewards an account has already been credited for. Because this variable was not set when new accounts were created, the attacker could join the pool and claim rewards as though they had participated from inception.
The exploiter deposited approximately 136,000 sSUI tokens into the system. Meanwhile, the spool index had accumulated to roughly 1.19 billion over its 20-month operational period.
This discrepancy allowed the attacker to credit themselves around 162 trillion reward points (136,000 multiplied by roughly 1.19 billion). Since the rewards pool operated on a one-to-one exchange ratio, the entire 150,000 SUI balance was extracted in a single transaction.
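To make the accounting concrete, here is an added, simplified Python model of index-based reward tracking (not Scallop's Move code; the spool, account and method names are hypothetical, and the figures are constructed to mirror those reported above). It contrasts leaving a new account's last_index unset with snapshotting the pool's current index at account creation:

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    stake: int        # sSUI deposited
    last_index: int   # spool index snapshot at the account's last settlement
    pending: int = 0  # reward points accrued but not yet claimed


@dataclass
class Spool:
    index: int = 0         # per-unit reward index, grows as rewards accrue over time
    rewards_pool: int = 0  # SUI available to pay out
    accounts: dict = field(default_factory=dict)

    def open_account(self, who: str, stake: int, initialize_index: bool) -> None:
        # The flaw: a new account's last_index is left at 0 instead of being set to the
        # current index, so the account looks as if it had been staked since inception.
        snapshot = self.index if initialize_index else 0
        self.accounts[who] = Account(stake=stake, last_index=snapshot)

    def settle(self, who: str) -> int:
        # Standard index accounting: reward = stake * (index now - index at last settlement)
        acct = self.accounts[who]
        acct.pending += acct.stake * (self.index - acct.last_index)
        acct.last_index = self.index
        return acct.pending

    def claim(self, who: str) -> int:
        # One-to-one exchange of points for SUI, bounded only by what the pool still holds
        pending = self.settle(who)
        paid = min(pending, self.rewards_pool)
        self.rewards_pool -= paid
        self.accounts[who].pending -= paid
        return paid


def run_scenario(initialize_index: bool, growth_after_join: int = 0) -> tuple[int, int]:
    """Return (reward points credited, SUI actually paid) for a fresh depositor."""
    # Constructed figures: index ~1.19 billion, 150,000 SUI in the pool, 136,000 sSUI deposited
    spool = Spool(index=1_190_000_000, rewards_pool=150_000)
    spool.open_account("new_depositor", stake=136_000, initialize_index=initialize_index)
    spool.index += growth_after_join  # rewards accruing after the deposit are legitimately earned
    points = spool.settle("new_depositor")
    paid = spool.claim("new_depositor")
    return points, paid


if __name__ == "__main__":
    print("unset last_index:", run_scenario(False))      # ~162 trillion points, pool drained
    print("snapshotted index:", run_scenario(True))      # 0 points, nothing paid
    print("snapshotted, then accrual:", run_scenario(True, 1))  # only post-join growth is paid
```

The mitigation is the one-line snapshot in open_account; a review check for any index-based rewards contract is that every account creation path sets last_index to the live index before the account can settle.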
The blockchain transaction with hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL provides on-chain evidence of the fund withdrawal.
Following the theft, the stolen assets were rapidly transferred through a privacy-enhancing mixing protocol on Sui, comparable to Tornado Cash, significantly complicating fund recovery efforts.
Protocol Team Takes Swift Action and Restores Service
Scallop’s development team acted quickly to freeze the compromised contract within minutes of detecting the breach. Importantly, the core lending and borrowing pools continued operating without interruption. Customer deposits across all other Scallop markets remained completely protected.
The protocol team announced they would absorb the entire $142,000 loss from their treasury reserves. No adjustments will be made to user yields or returns.
By 14:42 UTC, Scallop had restored full functionality to the core contracts. Deposit and withdrawal services returned to normal operation less than two hours after the initial incident.
In a surprising development, the attacker subsequently reached out to the team with an offer to return 80% of the stolen funds if granted a white-hat bounty. The development team is currently reviewing how the vulnerability evaded detection during previous security audits conducted by OtterSec and MoveBit.
DeFi Security Challenges Continue Through April 2026
This breach comes on the heels of a comparable exploit targeting Volo Protocol earlier this month, which resulted in approximately $3.5 million in losses. Both incidents involved attacks on auxiliary contracts rather than primary protocol infrastructure.
April 2026 has witnessed more than $600 million in cryptocurrency theft distributed across 12 significant security incidents. Total losses for the month surpassed $750 million by mid-April.
Kelp DAO and Drift Protocol represented approximately 95% of April’s aggregate losses. The Kelp security breach alone generated $177 million in uncollateralized debt on the Aave lending platform.
Scallop’s team has not yet released a comprehensive post-mortem analysis. They have committed to conducting a thorough security review of all remaining legacy contract packages.
Both the Sui Foundation and Mysten Labs have not issued public statements regarding this security incident.