Key Points
- Scallop Protocol experienced a loss of approximately $142,000 (150,000 SUI) during an April 26, 2026 security breach
- The breach focused on an abandoned V2 rewards contract originally deployed in November 2023
- A vulnerability involving an uninitialized “last_index” variable enabled complete rewards pool drainage
- Main protocol infrastructure and user deposits remained secure; normal operations continued after two hours
- The individual responsible proposed returning 80% of the funds through a white-hat agreement
Scallop Protocol, a lending platform operating on the Sui Network, experienced a security breach resulting in approximately $142,000 worth of SUI tokens being stolen on Sunday. The breach stemmed from vulnerabilities in an abandoned rewards contract.
The security incident occurred on April 26, 2026. Scallop made a public announcement regarding the breach at 12:50 UTC through their official X account.
The primary protocol infrastructure remained intact during the breach. The attacker focused their efforts on a legacy contract associated with Scallop’s sSUI spool, which manages reward distribution for SUI token depositors.
The vulnerable contract was a V2 spool package that went live in November 2023. This means the contract had been active for over 17 months before the exploitation took place.
On the Sui network, smart contracts become permanent once deployed. Previous versions remain accessible and executable unless developers implement specific version control barriers. This architectural characteristic transformed the outdated contract into a persistent vulnerability.
The primary vulnerability centered on an uninitialized variable named “last_index,” which tracks accumulated staking rewards for an account. Because the variable was not initialized when a new account was created, the attacker could enter the staking pool and extract rewards calculated as though their participation dated back to the pool’s inception.
The attacker deposited approximately 136,000 sSUI into the system. Over 20 months, the spool index had accumulated to roughly 1.19 billion.
The gap between the new account’s zero “last_index” and the current pool index enabled the attacker to credit themselves approximately 162 trillion reward points. The rewards mechanism converted these points at parity, resulting in the complete extraction of 150,000 SUI in a single transaction.
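A simplified model of the accumulated-index reward pattern described above, added here as an illustration; it is not Scallop’s code or the actual spool contract, the class and function names are assumptions, and only the figures (136,000 sSUI, an index of 1.19 billion, a 150,000 SUI pool) come from the article. It shows the uninitialized-account path beside the corrected one that snapshots the current index on account creation.

```python
from dataclasses import dataclass


@dataclass
class Account:
    stake: int
    last_index: int  # pool index at which this account last settled rewards


class RewardPool:
    """Toy accumulated-index pool (assumption, not the real contract)."""

    def __init__(self, index: int, reward_balance: int):
        self.index = index                    # accumulated reward points per staked unit
        self.reward_balance = reward_balance  # reward tokens the pool can actually pay
        self.accounts: dict[str, Account] = {}

    def open_account_vulnerable(self, who: str) -> None:
        # BUG: last_index is left at 0, so the account looks as old as the pool itself.
        self.accounts[who] = Account(stake=0, last_index=0)

    def open_account_fixed(self, who: str) -> None:
        # FIX: snapshot the current index; only growth after this point accrues.
        self.accounts[who] = Account(stake=0, last_index=self.index)

    def stake(self, who: str, amount: int) -> None:
        self.accounts[who].stake += amount

    def claimable_points(self, who: str) -> int:
        a = self.accounts[who]
        return a.stake * (self.index - a.last_index)

    def claim(self, who: str) -> int:
        # Points convert to reward tokens at parity, capped by what the pool holds.
        a = self.accounts[who]
        paid = min(self.claimable_points(who), self.reward_balance)
        self.reward_balance -= paid
        a.last_index = self.index
        return paid


def scenario(fixed: bool) -> tuple[int, int]:
    """Constructed scenario with the article's figures: returns (points, tokens paid)."""
    pool = RewardPool(index=1_190_000_000, reward_balance=150_000)
    (pool.open_account_fixed if fixed else pool.open_account_vulnerable)("depositor")
    pool.stake("depositor", 136_000)
    points = pool.claimable_points("depositor")
    return points, pool.claim("depositor")
```

The vulnerable path credits roughly 162 trillion points and drains the whole 150,000 balance in one claim, while the fixed path yields zero, which is the invariant an audit should assert for every freshly created account.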
The on-chain transaction identifier 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL documents the withdrawal.
Extracted tokens were immediately routed through a Sui-based mixing service, functioning similarly to Tornado Cash, which complicates fund recovery efforts.
Scallop’s Immediate Response and Service Restoration
Scallop’s engineering team disabled the compromised contract within minutes of detection. Primary lending and borrowing infrastructure remained operational throughout the incident, and depositor assets across all Scallop markets were unaffected.
The protocol announced full reimbursement of the loss from internal treasury reserves. User yield distributions will face no dilution.
At 14:42 UTC, Scallop reactivated the main contracts. Standard withdrawal and deposit functionality returned to normal operation less than two hours following the initial breach.
The individual behind the attack subsequently reached out to the team with a proposal to restore 80% of the extracted funds in return for white-hat bounty compensation. The team has initiated an investigation into how this vulnerability escaped detection during previous security audits conducted by OtterSec and MoveBit.
DeFi Security Landscape in April 2026
This incident arrives after a comparable breach affecting Volo Protocol earlier this month, which resulted in approximately $3.5 million in losses. Both situations involved secondary contracts rather than primary protocol infrastructure.
April 2026 has recorded over $600 million in stolen cryptocurrency across 12 significant security incidents. Total losses for the month surpassed $750 million by mid-April.
Kelp DAO and Drift Protocol represented approximately 95% of April’s total losses. The Kelp breach alone generated $177 million in uncollateralized debt on Aave.
Scallop’s development team has yet to release a comprehensive post-incident analysis. They have committed to conducting a thorough audit of all remaining legacy contract packages.
Neither the Sui Foundation nor Mysten Labs has issued an official response regarding this security incident.