Scallop Loses 150K SUI in Deprecated sSUI Rewards Contract Exploit
Scallop, a Sui-based money market protocol, lost approximately 150,000 SUI after an attacker exploited a deprecated side contract tied to the sSUI spool rewards pool. The team froze the affected contract, said core lending and borrowing contracts were not impacted, and committed to covering 100% of the loss.

- Incident Date: April 26, 2026
- Target: Scallop
- Target Overview: Scallop is a money market and lending protocol in the Sui ecosystem. The affected component was a peripheral rewards mechanism for the sSUI spool rewards pool, not the core lending and borrowing market.
- Total Loss: ~150,000 SUI, reported at roughly $142,000 to $150,000 at the time of publication
- Attack Vector: Deprecated Rewards Contract / Uninitialized Reward Index
Incident Review & Technical Details
1. Attack Path
- Legacy Contract Selected: The attacker targeted a deprecated V2 rewards-side contract related to Scallop's sSUI spool rewards pool. Public reporting and independent on-chain analysis indicate that the package dated back to November 2023 and was no longer part of Scallop's normal active user flow.
- Direct Call Bypassing the Modern SDK: Instead of interacting through Scallop's current SDK path, the attacker directly invoked the old package that remained callable on Sui. This matters because deployed Sui packages are immutable, so retired code can remain part of the practical attack surface unless shared objects enforce strict version checks.
- Reward Index Initialization Failure: The vulnerable account-creation path reportedly failed to initialize the last_index value for new spool accounts. Because it defaulted to zero, the reward calculation treated a fresh position as if it had been participating since the spool's earliest reward period.
- Reward Inflation and Drain: Reports state that the attacker staked roughly 136,000 sSUI and received credit against a spool index that had accumulated for about 20 months. The inflated accounting produced an outsized reward balance, allowing the attacker to drain approximately 150,000 SUI from the rewards pool in a single on-chain flow.
- Containment: Scallop froze the affected contract after detection. Follow-up reporting says the core contracts were later unfrozen and normal operations, including deposits and withdrawals, resumed after the team confirmed that the issue was isolated.
2. Impact Scope
- Direct Losses: Approximately 150,000 SUI was removed from the sSUI rewards pool.
- Affected Component: The affected component was a side contract tied to the sSUI spool rewards pool.
- Unaffected Systems: Scallop stated that its core contracts and other reward pools remained safe. User deposits and core lending or borrowing positions were not reported as impacted.
- Compensation Plan: Scallop committed to covering 100% of the loss, reducing the expected direct user impact from this incident.
3. Attribution Notes and Reporting Differences
Some media coverage described the incident as a flash-loan or oracle-manipulation attack. However, the more consistent public thread across Scallop's notice, BeInCrypto, Our Crypto Talk, Siam Blockchain, and independent on-chain analysis points to a deprecated rewards contract with an uninitialized reward-index variable as the key exploit path.
Until Scallop publishes a full post-mortem, the incident should be classified as a legacy package / stale contract lifecycle failure, rather than a confirmed core-protocol compromise.
4. Security Takeaways
- Deprecated contracts are still live attack surface when they remain callable through shared objects.
- SDK-level fixes are not enough if direct contract calls can bypass the safe path.
- Reward accounting should defensively initialize index state, enforce version gates, and reject calls from retired package versions.
- Sui protocols should maintain a lifecycle inventory covering every published package, not only the currently documented integration path.
- Peripheral incentive systems deserve the same monitoring, audit coverage, and emergency controls as core vault or lending logic.
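The reward-index accounting described in the attack path above and the defensive initialization and version gating recommended in the takeaways, as an added Python model that is not Scallop's code: the pool, stake amounts, reward schedule and version numbers are constructed for illustration. The legacy path leaves last_index at zero; the hardened path snapshots the current index when a position is opened and rejects callers presenting a stale package version.

```python
from dataclasses import dataclass, field

SCALE = 10**12          # fixed-point scale for the cumulative reward index
CURRENT_VERSION = 2     # version stamped on the shared pool object (constructed value)

@dataclass
class Spool:
    version: int = CURRENT_VERSION
    total_staked: int = 0
    index: int = 0      # cumulative rewards per staked unit, scaled by SCALE
    accounts: dict = field(default_factory=dict)

    def distribute(self, reward: int) -> None:
        """Credit `reward` to everyone staked right now by bumping the global index."""
        if self.total_staked:
            self.index += reward * SCALE // self.total_staked

    def open_account(self, user: str, stake: int, hardened: bool,
                     caller_version: int = CURRENT_VERSION) -> None:
        """hardened=False models the legacy path that left last_index at zero;
        the hardened path snapshots the current index and version-gates the call."""
        if hardened and caller_version != self.version:
            raise ValueError("call from retired package version rejected")
        self.accounts[user] = {"stake": stake,
                               "last_index": self.index if hardened else 0}
        self.total_staked += stake

    def claimable(self, user: str) -> int:
        acct = self.accounts[user]   # owed = stake * index growth since last_index
        return acct["stake"] * (self.index - acct["last_index"]) // SCALE

def simulate(hardened: bool) -> tuple:
    """Constructed scenario: one early staker, 20 reward periods of 5_000, then a newcomer
    stakes 136_000 and checks its entitlement. Returns (newcomer claimable, total funded)."""
    pool = Spool()
    pool.open_account("early_staker", 1_000, hardened=True)
    total = 0
    for _ in range(20):
        pool.distribute(5_000)
        total += 5_000
    pool.open_account("newcomer", 136_000, hardened=hardened)
    return pool.claimable("newcomer"), total

def stale_version_rejected() -> bool:
    """True if the hardened path refuses a caller presenting an old package version."""
    try:
        Spool().open_account("x", 1, hardened=True, caller_version=CURRENT_VERSION - 1)
    except ValueError:
        return True
    return False
```

With the legacy path the newcomer is credited 13,600,000 units against a pool that only ever received 100,000, which is the inflation the report describes; with the hardened path it is credited nothing until new rewards accrue.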
AUTOSEC.DEV Solution: Building a 360-Degree Defense
To counter hybrid attacks involving "Web2 Breach + Web3 Monetization," AUTOSEC.DEV provides comprehensive protection from code to personnel:
- Legacy Contract & Attack Surface Review: We help protocols inventory all deployed packages, adapters, reward modules, and historical versions that remain callable on-chain, then identify stale paths that bypass modern safeguards.
- Move / Sui Smart Contract Security Audit: We review reward-accounting logic, shared-object access controls, version checks, initialization invariants, and emergency pause behavior for Sui-based protocols.
- End-to-End Incident Response (IR): In an emergency, every second of confusion amplifies the loss. AUTOSEC.DEV provides standardized SOPs (Standard Operating Procedures) and rapid response services tailored to specific business needs to help projects mitigate losses quickly.
Service Content
- AUTOSEC.DEV - Secure Code Review
- AUTOSEC.DEV - Incident Response Service
- AUTOSEC.DEV - Security Strategy & Planning