Scallop Protocol Exploit Drains 150K SUI Due to Deprecated Contract Vulnerability
Severity: High (Score: 69.0)
Sources: Chaincatcher, Mexc, Mexc.Co, Panewslab
Summary
On April 26, 2026, the Scallop Protocol, a DeFi platform on the Sui Network, suffered an exploit that drained approximately 150,000 SUI tokens from its sSUI rewards pool. The attacker targeted a deprecated V2 contract from November 2023, exploiting an uninitialized variable called 'last_index', which allowed them to claim rewards without prior staking. The exploit resulted in the attacker generating around 162 trillion reward points, which were converted to SUI tokens at a 1:1 ratio, leading to the total depletion of the rewards pool. Scallop's team acted quickly to freeze the affected contract and confirmed that the core protocol remained secure. They will cover the loss entirely from their treasury, ensuring no user yields will be diluted. The incident highlights the risks associated with immutable smart contracts and the need for version control. The attacker has since offered to return 80% of the stolen funds for a white-hat bounty. A full audit of legacy contracts is planned.
Key Points
- Scallop lost approximately 150,000 SUI due to an exploit of a deprecated rewards contract.
- The attacker exploited an uninitialized variable, allowing them to claim excessive rewards.
- Scallop will fully cover the losses and has frozen the affected contract.
Key Entities
- Data Breach (attack_type)
- Zero-day Exploit (attack_type)
- Scallop (company)
- Scallop Protocol (company)
- Aethir (company)
- KelpDAO (company)
- Litecoin (company)
- Solana (platform)
- Sui (platform)
- Sui Network (platform)
- Tornado Cash (tool)