Is Scallop Safe? What the April 2026 Exploit Revealed About DeFi Security

Q: Was Scallop hacked and what actually happened?
On April 26, 2026, Scallop suffered an exploit that drained approximately 150,000 SUI, worth around $40 million, from a deprecated rewards contract tied to its sSUI spool incentive layer. The attacker went after a stale V2 spool package that Scallop had deployed in November 2023, roughly two and a half years before the attack, and that was still callable on-chain. The vulnerability centered on an uninitialized last_index counter, the per-position checkpoint against which a staker's accumulated rewards are computed. Because that checkpoint was never set when a position was opened, the contract measured rewards from the spool's launch in August 2023 rather than from the moment of staking. By staking roughly 136,000 sSUI, the attacker was credited with approximately 162 trillion reward points, which redeemed for 150,000 SUI from the rewards pool.

Q: Were user funds at risk and how did Scallop respond?
Core lending and borrowing pools were never touched during the exploit; the attack targeted a peripheral deprecated contract, not the main protocol infrastructure. The Scallop team detected the incident quickly, froze the affected contract within minutes, and restored full protocol operations within two hours. Most importantly, Scallop confirmed it would cover 100% of the loss from its own treasury without diluting user yields or affecting depositor balances in any way. The rapid response and the commitment to full reimbursement were widely noted as a best-practice example of incident management in DeFi.
Q: What does this mean for the security of Scallop going forward?
The exploit highlighted a specific risk inherent to Sui's architecture: deployed packages are immutable. An upgrade publishes a new package rather than replacing the old one, so every previous version remains callable on-chain indefinitely unless its entry functions gate access by checking the version of the shared objects they operate on and those objects are migrated to the new version at upgrade time. Because an immutable package cannot be patched after the fact, a gate has to be present in the code before it is deprecated; for a legacy package deployed without one, the remaining options are to drain or freeze the objects it can reach, which is what Scallop's emergency response amounted to. Scallop is expected to publish a full post-mortem and to audit every remaining legacy package to identify and close similar exposures. The incident has also prompted broader discussion across the Sui DeFi ecosystem about how builders should manage immutable code and deprecated contracts over time, a challenge that will only grow as protocols accumulate deployed packages.
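To make both mechanisms concrete, the uninitialized last_index checkpoint described in the first answer and the version gating discussed above, here is an added illustrative model. It is not Scallop's code and not Sui Move; it is a Python simulation of a Synthetix-style cumulative reward index ("spool") where an immutable `Package` deployment either does or does not checkpoint `last_index` on staking and either does or does not assert the shared object's version. The reward rate, stake sizes, timings and version numbers are constructed for the example.

```python
# Added illustrative model (not Scallop's code): a reward-index ("spool")
# accumulator with the two defences the incident turns on, a per-position
# last_index checkpoint and a package-version gate on the shared object.
# Reward rate, stake sizes, timings and version numbers are constructed.
from dataclasses import dataclass

SCALE = 10**18  # fixed-point scale for the cumulative per-share index


@dataclass(frozen=True)
class Package:
    """Behaviour of one immutable deployment of the spool package."""
    version: int
    gated: bool             # every entry function asserts spool.version == version
    inits_last_index: bool  # new positions checkpoint the current index (the fix)


@dataclass
class Spool:
    """Shared object: cumulative rewards per staked unit, scaled by SCALE."""
    version: int
    reward_rate: int        # reward units emitted per second
    index: int = 0
    total_staked: int = 0
    last_update: int = 0


@dataclass
class Position:
    amount: int
    last_index: int         # spool.index when opened or last claimed


def accrue(spool: Spool, now: int) -> None:
    """Roll the global per-share index forward to `now`."""
    if spool.total_staked > 0 and now > spool.last_update:
        emitted = (now - spool.last_update) * spool.reward_rate
        spool.index += emitted * SCALE // spool.total_staked
    spool.last_update = now


def check_version(pkg: Package, spool: Spool) -> None:
    """Version gate: a migrated object refuses calls from an older package."""
    if pkg.gated and spool.version != pkg.version:
        raise PermissionError(f"package v{pkg.version} cannot touch spool v{spool.version}")


def stake(pkg: Package, spool: Spool, amount: int, now: int) -> Position:
    check_version(pkg, spool)
    accrue(spool, now)
    spool.total_staked += amount
    # Vulnerable behaviour: last_index is left at its zero default, so the
    # position is credited with every reward accrued since the index was 0,
    # i.e. since the spool launched, instead of since it was opened.
    return Position(amount, spool.index if pkg.inits_last_index else 0)


def claim(pkg: Package, spool: Spool, pos: Position, now: int) -> int:
    check_version(pkg, spool)
    accrue(spool, now)
    owed = pos.amount * (spool.index - pos.last_index) // SCALE
    pos.last_index = spool.index
    return owed


def simulate(legacy: Package, spool_version: int) -> dict:
    """One honest staker for 1,000,000 s, then an attacker via `legacy`.

    Returns the rewards actually emitted over that period and what the
    attacker's immediate claim is worth (0 if the gate aborted the call).
    """
    spool = Spool(version=spool_version, reward_rate=1)
    current = Package(version=spool_version, gated=True, inits_last_index=True)
    stake(current, spool, 1_000, now=0)
    emitted = 1_000_000 * spool.reward_rate
    try:
        attacker = stake(legacy, spool, 136_000, now=1_000_000)
        payout = claim(legacy, spool, attacker, now=1_000_000)
    except PermissionError:
        payout = 0
    return {"emitted": emitted, "attacker_payout": payout}


LEGACY_BUGGY = Package(version=2, gated=False, inits_last_index=False)
LEGACY_GATED = Package(version=2, gated=True, inits_last_index=False)
LEGACY_FIXED_INIT = Package(version=2, gated=False, inits_last_index=True)

if __name__ == "__main__":
    for name, pkg, ver in [("buggy, ungated", LEGACY_BUGGY, 3),
                           ("buggy, gated, object migrated", LEGACY_GATED, 3),
                           ("buggy, gated, object NOT migrated", LEGACY_GATED, 2),
                           ("checkpoint fixed, ungated", LEGACY_FIXED_INIT, 3)]:
        print(f"{name:35s} {simulate(pkg, ver)}")
```

Two things the runs show. With the buggy, ungated package the attacker's instant claim (136,000 units times the whole accumulated index) is far larger than the 1,000,000 units ever emitted, which is why an exploit of this shape drains the rewards pool rather than merely stealing a share of it. And the gate only helps when both halves are in place: the legacy code must carry the check, and the shared object must actually have been migrated to the newer version; a gated legacy package against an un-migrated object pays out exactly as the ungated one does.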