Scallop Protocol, a DeFi lending platform operating on the Sui Network, suffered a security breach on Sunday in which approximately $142,000 in SUI tokens was stolen through an exploit of a legacy rewards smart contract.
The security incident occurred on April 26, 2026, with Scallop making the breach public at 12:50 UTC through an announcement on X (formerly Twitter).
Rather than compromising the primary protocol infrastructure, the perpetrator focused their attack on an obsolete auxiliary contract connected to Scallop’s sSUI spool—a rewards distribution mechanism designed for SUI token depositors.
The vulnerable smart contract was a V2 spool package that had been deployed in November 2023, making it over 17 months old at the time of exploitation.
On the Sui network, smart contracts are immutable once deployed, and previous versions remain live and callable unless developers implement explicit version-based access restrictions. This architectural characteristic allowed the legacy contract to persist as an exploitable entry point.
The critical weakness centered on an uninitialized variable named “last_index.” This parameter tracks, for each participant, how much of the staking system’s accumulated rewards has already been accounted for. Because it was never set when a new account was created, a newly opened position appeared to have been earning since the pool’s inception, so the attacker could join the pool and extract rewards accordingly.
The malicious actor staked approximately 136,000 sSUI tokens. Over the preceding 20 months, the spool index had accumulated to roughly 1.19 billion.
This discrepancy enabled the attacker to allocate themselves approximately 162 trillion reward points. Since the rewards distribution system operated on a one-to-one exchange ratio, the entire balance of 150,000 SUI was extracted in a single blockchain transaction.
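The accounting flaw described above, as an added toy model rather than Scallop’s Move code (only the name last_index comes from the article; the class, method names and the small growth value are constructed), showing the unsafe join beside the corrected one and a solvency invariant a monitor could check:

```python
from dataclasses import dataclass, field

# Constructed model of a "spool"-style reward accumulator as the article
# describes it: each staker is owed stake * (current_index - last_index).
# Illustrative Python, not Scallop's Move code; only "last_index" is from
# the article.

@dataclass
class Spool:
    index: int                       # cumulative reward-per-share, only grows
    reward_balance: int              # rewards actually funded (1:1 ratio)
    stakers: dict = field(default_factory=dict)

    def stake_unsafe(self, who: str, amount: int) -> None:
        # Vulnerable: the new account's last_index is left at its zero
        # value, so it appears to have been staked since inception.
        self.stakers[who] = {"stake": amount, "last_index": 0}

    def stake_fixed(self, who: str, amount: int) -> None:
        # Hardened: snapshot the current index at join time, so only
        # growth accrued after this point is claimable.
        self.stakers[who] = {"stake": amount, "last_index": self.index}

    def accrue(self, growth: int) -> None:
        self.index += growth

    def claimable(self, who: str) -> int:
        s = self.stakers[who]
        return s["stake"] * (self.index - s["last_index"])

    def solvent(self) -> bool:
        # Invariant worth monitoring: total claims must never exceed
        # what the pool actually holds.
        owed = sum(self.claimable(w) for w in self.stakers)
        return owed <= self.reward_balance

def demo() -> tuple:
    # Figures from the article: 136,000 sSUI staked, index about 1.19e9,
    # 150,000 SUI in the pool; the later growth of 1 is constructed.
    unsafe = Spool(index=1_190_000_000, reward_balance=150_000)
    unsafe.stake_unsafe("new_account", 136_000)
    fixed = Spool(index=1_190_000_000, reward_balance=150_000)
    fixed.stake_fixed("new_account", 136_000)
    fixed.accrue(1)
    return (unsafe.claimable("new_account"), unsafe.solvent(),
            fixed.claimable("new_account"), fixed.solvent())

if __name__ == "__main__":
    print(demo())
```

The unsafe path yields about 162 trillion points against a 150,000-unit pool, which the solvency check flags; the fixed path only credits growth since the join.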
Blockchain records show the transaction hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL documenting the on-chain withdrawal.
Following the theft, the stolen assets were rapidly transferred through a privacy-focused mixing protocol on Sui, comparable to Tornado Cash, significantly complicating recovery efforts.
Scallop’s development team acted swiftly to freeze the compromised contract within minutes of detecting the exploit. Importantly, the core lending and borrowing infrastructure was not suspended. Customer deposits across all other Scallop markets remained fully protected.
The protocol’s leadership confirmed they would absorb 100% of the financial loss using treasury reserves. No reduction in user yield rates will occur as a result of this incident.
By 14:42 UTC, Scallop had reactivated the primary contracts. Standard withdrawal and deposit functionality was restored to normal operation in less than two hours from the initial breach.
Subsequently, the attacker initiated contact with the development team, proposing to return 80% of the stolen funds in exchange for recognition as a white-hat hacker with an associated bounty. The team is currently examining how this vulnerability evaded detection during previous security audits conducted by OtterSec and MoveBit.
This security breach comes on the heels of a comparable exploit targeting Volo Protocol earlier this month, which resulted in approximately $3.5 million in losses. Both incidents exploited peripheral contract infrastructure rather than core protocol mechanisms.
April 2026 has witnessed over $600 million in cryptocurrency thefts across 12 significant security incidents. By mid-April, cumulative losses for the month had surpassed $750 million.
Kelp DAO and Drift Protocol together represented approximately 95% of April’s total losses. The Kelp attack independently generated $177 million in bad debt on the Aave lending platform.
Scallop’s team has yet to release a comprehensive post-incident analysis. They have announced plans for an exhaustive security review of all remaining legacy contract packages.
As of this publication, neither the Sui Foundation nor Mysten Labs has issued an official statement regarding the security incident.
The post Scallop Protocol Suffers $142K Security Breach on Sui Blockchain appeared first on Blockonomi.