Scallop Sui Exploit: $150K Lost in Deprecated Contract Attack, Users Fully Reimbursed

April 27, 2026

Image source: Sui/X

Scallop, a leading money market protocol on the Sui Network, experienced a security incident that resulted in the loss of approximately 150,000 SUI after an attacker exploited a deprecated rewards contract linked to its sSUI spool system. The exploit occurred on April 26 and targeted a non-core component, highlighting ongoing risks tied to outdated smart contract code in decentralized finance (DeFi).

According to Scallop’s official statement, the attack was identified and contained within minutes. The vulnerable contract was promptly frozen, preventing further damage, while core lending and borrowing operations remained fully secure. User deposits across all primary markets were unaffected, and normal protocol activity resumed within two hours.

Blockchain analysis revealed that the attacker leveraged an older V2 spool package published in November 2023. Since Sui’s architecture allows immutable smart contract deployment, legacy code can remain accessible unless properly restricted. The exploit stemmed from an uninitialized “last_index” variable, which is used to calculate staking rewards. By staking around 136,000 sSUI, the attacker manipulated the system into granting rewards as if the position had existed since the spool’s launch in August 2023.

This miscalculation allowed the attacker to accumulate an enormous reward balance, ultimately converting it into roughly 150,000 SUI from the rewards pool. The transaction has been publicly verified on-chain, reinforcing transparency around the incident.
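To make the failure mode concrete, the following is an added Python model, not Scallop's Move code: it assumes the common cumulative reward-index pattern (rewards per staked unit accrued since launch) and constructed stake amounts and round counts, and shows how a `last_index` left at its launch default lets a fresh stake claim rewards back to launch, while snapshotting the current index at stake time limits the claim to rewards accrued afterwards.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Spool:
    """Reward pool using the cumulative-index pattern common to staking
    contracts (assumed here): index = rewards released per staked unit
    since launch, growing monotonically as rewards are released."""
    total_staked: Fraction = Fraction(0)
    index: Fraction = Fraction(0)
    reward_balance: Fraction = Fraction(0)   # rewards actually funded

    def accrue(self, released: int) -> None:
        self.reward_balance += released
        if self.total_staked > 0:
            self.index += Fraction(released) / self.total_staked


@dataclass
class Position:
    amount: Fraction
    last_index: Fraction   # index snapshot at the last settlement


def stake_vulnerable(spool: Spool, amount: int) -> Position:
    # Modelled defect: last_index keeps its default (the launch index, 0),
    # so rewards are later computed as if the stake existed since launch.
    spool.total_staked += amount
    return Position(Fraction(amount), Fraction(0))


def stake_hardened(spool: Spool, amount: int) -> Position:
    # Fix: snapshot the current index so only future accruals count.
    spool.total_staked += amount
    return Position(Fraction(amount), spool.index)


def claimable(spool: Spool, pos: Position) -> Fraction:
    return pos.amount * (spool.index - pos.last_index)


def simulate(stake_fn) -> tuple[Fraction, Fraction]:
    """Constructed history: an early 10,000-unit staker, 500 reward rounds
    of 100 units each, then a late 136,000-unit stake and one more round.
    Returns (late staker's claimable rewards, rewards actually in the pool)."""
    spool = Spool()
    stake_hardened(spool, 10_000)      # early staker; index is still 0
    for _ in range(500):
        spool.accrue(100)
    late = stake_fn(spool, 136_000)
    spool.accrue(100)
    return claimable(spool, late), spool.reward_balance
```

With the vulnerable path the late staker's claim exceeds everything the pool has ever been funded with, which is the signature a monitoring rule on claim-versus-balance would catch.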

Scallop has committed to fully reimbursing all losses from its treasury, ensuring no impact on user funds or yields. This event mirrors recent Sui DeFi exploits, where attackers increasingly target peripheral or outdated contracts instead of core protocol infrastructure.

The incident underscores the importance of proactive smart contract management, particularly on platforms like Sui where immutable code can create hidden vulnerabilities over time.
