Incident

Scallop Protocol Drained of 150,000 SUI via Deprecated Contract Exploit



Scallop, a lending protocol on the Sui blockchain network, reported a security breach on April 26, 2026, involving its sSUI reward pool. An attacker exploited a deprecated contract to drain approximately 150,000 SUI, valued at roughly $142,000 at the time of reporting.

The attacker exploited a logic error in a legacy V2 rewards contract where the last_index variable was not initialized for new accounts. By staking 136,000 sSUI, the attacker forced the contract to calculate rewards based on a spool index that had grown to 1.19 billion over 20 months. This allowed the attacker to claim 162 trillion reward points, which were redeemed 1:1 for the pool's total SUI balance.
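The accounting flaw described above can be reproduced in a simplified model. This is an added example, not Scallop's contract code: the class and function names are hypothetical, token decimals and index scaling are ignored, and only `last_index`, the stake size and the index value come from the report.

```python
"""Simplified model of index-based reward accounting (constructed example)."""
from dataclasses import dataclass, field

SPOOL_INDEX = 1_190_000_000   # spool index value reported in the incident
STAKE = 136_000               # sSUI staked, as reported in the incident


@dataclass
class Account:
    stake: int = 0
    last_index: int = 0       # a zero default is the dangerous part
    points: int = 0


@dataclass
class Spool:
    index: int
    init_on_create: bool      # False models the flawed legacy behaviour
    accounts: dict = field(default_factory=dict)

    def _settle(self, acct: Account) -> None:
        # Points accrue on index growth since the account's last snapshot.
        acct.points += acct.stake * (self.index - acct.last_index)
        acct.last_index = self.index

    def stake(self, who: str, amount: int) -> None:
        acct = self.accounts.get(who)
        if acct is None:
            acct = self.accounts[who] = Account()
            if self.init_on_create:
                acct.last_index = self.index   # fix: snapshot at creation
        else:
            self._settle(acct)                 # settle the old stake first
        acct.stake += amount

    def claim(self, who: str) -> int:
        acct = self.accounts[who]
        self._settle(acct)
        points, acct.points = acct.points, 0
        return points


def points_for_new_staker(init_on_create: bool, growth: int = 0) -> int:
    """Points a brand-new account can claim after `growth` index units."""
    spool = Spool(index=SPOOL_INDEX, init_on_create=init_on_create)
    spool.stake("new_account", STAKE)
    spool.index += growth     # index growth while actually staked
    return spool.claim("new_account")
```

With the snapshot missing, a new account is credited for the index's entire history: 136,000 × 1.19 billion ≈ 162 trillion points. With the snapshot taken at account creation, it earns only on growth that occurs after it stakes.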

The stale V2 spool package was originally deployed in November 2023. Although Scallop passed a full audit in February 2025, this specific deprecated component remained active and callable on the network. 

The impact was limited to the sSUI reward pool, which was completely drained of its 150,000 SUI liquidity. The attacker moved the stolen assets through a mixing service on the Sui network to obscure the transaction trail. 

Scallop claims that its main lending and borrowing infrastructure was not breached. The protocol's treasury will be used to provide a 100% reimbursement to affected users.

Other reward pools and the current V3 core contracts were not affected by the flaw. The team froze the compromised contract within minutes of detecting the unusual activity.

Users are not required to take any direct action, as the protocol is handling the reimbursement process internally. 
