Scallop Loses 150,000 SUI in Exploit Targeting Deprecated Rewards Contract

Scallop, a money market protocol on the Sui Network, was drained of approximately 150,000 SUI on Sunday after an attacker exploited a deprecated rewards contract tied to the protocol's sSUI spool — the incentive layer for SUI depositors. The team detected the incident and froze the affected contract within minutes of the attack, disclosed publicly at 12:50 UTC on April 26. Core lending and borrowing pools were never touched, user deposits across every other Scallop market remained safe, and the freeze on core contracts was lifted just under two hours later at 14:42 UTC. Scallop confirmed it will cover 100% of the loss from its treasury without diluting user yields.
The exploit traced back to a deprecated V2 spool package that Scallop had published in November 2023 — more than 17 months before the attack. On Sui, deployed packages are immutable, meaning old versions remain callable unless developers explicitly implement version-gating to block access. The attacker identified an uninitialized last_index counter in the stale code, which tracks accumulated rewards for stakers, and staked roughly 136,000 sSUI to exploit it. The math treated the position as if it had existed since the spool launched in August 2023, allowing the attacker to harvest approximately 162 trillion reward points that redeemed one-to-one for 150,000 SUI from the rewards pool. A full post-mortem and audit of remaining legacy packages is expected to follow.
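The two defects described above, a stale package that stays callable and a position whose last_index snapshot is never set, can be reproduced in a small reward-index model. The following Python simulation is an added illustration written for this page; it is not Scallop's code, and the Spool, Position, stake_legacy and stake_gated names, the version-stamp check, the fixed-point SCALE and all amounts are constructed assumptions about a generic per-share reward accumulator, not the protocol's actual implementation or the incident's figures. It shows why a zeroed last_index credits a new staker with every reward distributed since launch, and how snapshotting the current index plus gating the shared object on a package version prevents both problems.

```python
from dataclasses import dataclass

# Fixed-point scale for the per-unit reward index (constructed value, not Scallop's).
SCALE = 10**18


@dataclass
class Spool:
    """Shared staking pool: a global reward-per-staked-unit index plus a version stamp."""
    version: int          # bumped on every package upgrade (assumed upgrade convention)
    total_staked: int = 0
    index: int = 0        # cumulative reward per staked unit, scaled by SCALE

    def distribute(self, reward: int) -> None:
        """Credit a reward batch to all current stakers by raising the global index."""
        if self.total_staked > 0:
            self.index += reward * SCALE // self.total_staked


@dataclass
class Position:
    amount: int
    last_index: int       # snapshot of spool.index taken when the position last settled


def stake_legacy(spool: Spool, amount: int) -> Position:
    """Hypothetical stale path: no version gate and last_index never initialised (stays 0)."""
    spool.total_staked += amount
    return Position(amount=amount, last_index=0)


def stake_gated(spool: Spool, amount: int, caller_package_version: int) -> Position:
    """Hardened path: refuse calls from a package whose baked-in version is stale,
    and snapshot the current index so no past rewards are attributed to the new stake."""
    if caller_package_version != spool.version:
        raise PermissionError(
            f"package v{caller_package_version} may not touch spool v{spool.version}")
    spool.total_staked += amount
    return Position(amount=amount, last_index=spool.index)


def pending_rewards(spool: Spool, pos: Position) -> int:
    """Rewards owed = stake * (index now - index at last settlement)."""
    return pos.amount * (spool.index - pos.last_index) // SCALE


def simulate() -> dict:
    """Constructed scenario: one honest staker, one reward batch, then a late staker
    entering through each path. Amounts are illustrative, not the incident's figures."""
    spool = Spool(version=2)
    honest = stake_gated(spool, 1_000, caller_package_version=2)
    spool.distribute(500)            # 500 reward units accrue while only `honest` is staked

    late_legacy = stake_legacy(spool, 136_000)
    owed_legacy = pending_rewards(spool, late_legacy)   # paid for history it never had

    # A package compiled against version 1 is rejected by the gate on the v2 spool.
    try:
        stake_gated(spool, 136_000, caller_package_version=1)
        gate_blocked = False
    except PermissionError:
        gate_blocked = True

    late_gated = stake_gated(spool, 136_000, caller_package_version=2)
    owed_gated = pending_rewards(spool, late_gated)     # nothing accrued since entry

    return {
        "honest_owed": pending_rewards(spool, honest),
        "legacy_owed": owed_legacy,
        "gate_blocked": gate_blocked,
        "gated_owed": owed_gated,
    }


if __name__ == "__main__":
    print(simulate())
```

Running the script prints the honest staker owed 500, the legacy-path staker owed 68,000 despite joining after the only distribution, the stale package rejected, and the gated-path staker owed 0. The version stamp lives on the shared object rather than in the package because, as the article notes, immutable packages cannot be patched; only the object they operate on can be moved out from under them.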
Frozen in minutes, fixed in two hours, treasury covering 100% of losses. Scallop's crisis comms team was ready. The security team less so.