Scallop confirms targeted exploit: 150,000 SUI tokens withdrawn from sSUI reward pool.
Sui-based DeFi protocol Scallop confirmed that it was the target of an exploit that drained nearly 150,000 SUI from its sSUI reward pool while exposing a long-dormant bug lurking inside a deprecated smart contract.
According to the protocol’s official statement, the attacker bypassed the entire active code base and the standard SDK interfaces. Instead, they called a discarded V2 package version dating back to November 2023, which was still attached to the deployment but had gone unused for several months.
This level of precision has drawn a great deal of attention across the ecosystem: the exploit points to either deep reverse engineering or an attacker with significant knowledge of the contract structure.
Notably, the vulnerability remained undetected for approximately 17 months while the ecosystem migrated to newer contract versions. Scallop took to Twitter to confirm the incident and said that users are safe so far, since immediate containment measures were implemented.
🚨 Security incident notification
We have identified an exploit affecting a side contract related to Scallop’s sSUI cache bounty pool, resulting in a loss of approximately 150K SUI.
The affected nodes have been frozen. Our core contracts remain secure and are limited only to the sSUI pool of rewards…
– Scallop (@Scallop_io) April 26, 2026
Exploiting a flawed reward calculation mechanism
The exploit exposes a serious flaw in the reward-calculation logic of the deprecated contract. It uses what is called a “caching index”, an ever-increasing value that represents the total rewards accumulated in that pool over time.
During normal operation, each user account records the index value that is current at the moment it starts staking. Rewards are calculated from the difference between the current index and that stored value, so no user can earn rewards for the period before they began staking.
However, in the old V2 package, newly created accounts were never initialized with the current index: last_index was always zero. This error opened a major loophole.
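To make the accounting concrete, here is a small Python model of the index-based reward scheme described above, written for this article and not taken from Scallop’s contracts. The pool, the account fields, the scale factor and the numbers in the simulated history are all constructed; the only thing it reproduces from the incident is the shape of the bug (a new account whose `last_index` is left at zero) next to the correct initialisation (snapshot the pool index when the account is opened), and the fact that a pool can pay out no more than the liquidity it actually holds.

```python
from dataclasses import dataclass

# Fixed-point scale for the cumulative reward index (constructed; a real
# contract would pick its own precision).
SCALE = 10**9


@dataclass
class RewardPool:
    index: int          # ever-increasing cumulative rewards per staked unit, scaled
    total_staked: int   # units currently staked in the pool
    balance: int        # reward tokens actually held by the pool


@dataclass
class StakeAccount:
    staked: int         # units this account has staked
    last_index: int     # pool.index observed at the account's last settlement


def accrue(pool: RewardPool, new_rewards: int) -> None:
    """Distribute newly emitted rewards by advancing the cumulative index."""
    if pool.total_staked > 0:
        pool.index += new_rewards * SCALE // pool.total_staked


def open_account_vulnerable(pool: RewardPool, amount: int) -> StakeAccount:
    """Models the deprecated behaviour: last_index is left at zero, so the
    account looks as if it had been staking since the pool was created."""
    pool.total_staked += amount
    return StakeAccount(staked=amount, last_index=0)


def open_account_fixed(pool: RewardPool, amount: int) -> StakeAccount:
    """Correct initialisation: snapshot the current index, so only rewards
    accrued after this point can ever be claimed."""
    pool.total_staked += amount
    return StakeAccount(staked=amount, last_index=pool.index)


def pending_rewards(pool: RewardPool, acct: StakeAccount) -> int:
    """Reward owed = stake * (current index - stored index)."""
    return acct.staked * (pool.index - acct.last_index) // SCALE


def claim(pool: RewardPool, acct: StakeAccount) -> tuple[int, int]:
    """Settle the account. Returns (owed, paid): the pool can only pay out
    the liquidity it actually holds, which is why the incident drained the
    pool's balance rather than the far larger credited amount."""
    owed = pending_rewards(pool, acct)
    paid = min(owed, pool.balance)
    pool.balance -= paid
    acct.last_index = pool.index
    return owed, paid


def simulate(open_account) -> tuple[int, int]:
    """Constructed history: 1,000 units staked by honest users, 20 rounds of
    5,000-token emissions, then a newcomer stakes 5,000 units and claims
    immediately. A correct pool owes the newcomer nothing."""
    pool = RewardPool(index=0, total_staked=1_000, balance=150_000)
    for _ in range(20):
        accrue(pool, 5_000)
    newcomer = open_account(pool, 5_000)
    return claim(pool, newcomer)


if __name__ == "__main__":
    print("vulnerable (owed, paid):", simulate(open_account_vulnerable))
    print("fixed      (owed, paid):", simulate(open_account_fixed))
```

With the constructed numbers the vulnerable path credits the newcomer with 500,000 tokens against a pool holding 150,000, and the claim takes every token the pool has; the fixed path credits nothing, because the stored index equals the current one at the moment of staking.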
Pool drained by a massive inflation of reward points
The consequences of this mistake were immediate and severe. The caching index had risen to nearly 1.19 billion over about 20 months. The attacker was credited with an inflated 162 trillion reward points, equal to 136,000 sSUI.
Making matters worse, the reward pool’s conversion ratio is 1:1, so every reward point converts directly into SUI tokens. This let the attacker turn artificially inflated points into real assets without friction.
The exploit emptied the bounty pool, which held around 150,000 SUI at the time. Although the rewards credited to the attacker far exceeded the pool’s balance, only the available liquidity could be extracted.
Scallop was drained for 150k SUI by someone who knew exactly which abandoned package to contact. Not the active code. Not the SDK path. Old V2 engine dating back to November 2023 and no one has used it for months. Either deep reverse engineering, or someone who knows where to look. The error was… pic.twitter.com/jsPE9OCsNJ
— Vadim (Amnesty International, ⋈) (@zacodil) April 26, 2026
Immutable contracts create a permanent attack surface
This incident illustrates one of the systemic challenges with packages published on the Sui ecosystem: published packages are immutable. Once a smart contract is deployed on-chain, it cannot be deleted or modified. All versions, past and present, remain callable forever.
While Scallop redirected users to a newer, more secure package through its SDK, the old V2 contract was still callable. The account and RewardsPool objects are shared objects with no version restriction on them, so the attacker could bypass the updated logic entirely by pointing the old package at the same objects.
This type of vulnerability, sometimes described as “legacy stack” risk, highlights an important blind spot for many DeFi systems. Legacy contracts remain persistent attack vectors when the shared objects they operate on carry no explicit version checks.
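The standard mitigation for this blind spot is to record a version on every shared object and have each entry point refuse callers from any other package version; the Python below models that gate and is added here as an illustration, not code from Scallop or from the Sui framework. The object layout, the `migrate` step and the balances are constructed; the point it shows is that without the check an abandoned package can still mutate a shared object, while with the check it is locked out as soon as the object is migrated to the current version.

```python
from dataclasses import dataclass


class VersionMismatch(Exception):
    """Raised when a package version acts on a shared object it no longer owns."""


@dataclass
class SharedRewardsPool:
    version: int   # version of the package currently allowed to mutate this object
    balance: int   # reward tokens held by the pool


def claim_ungated(pool: SharedRewardsPool, caller_version: int, amount: int) -> int:
    """Legacy behaviour: any package version that can reference the shared
    object may mutate it. The caller's version is never consulted."""
    pool.balance -= amount
    return pool.balance


def claim_gated(pool: SharedRewardsPool, caller_version: int, amount: int) -> int:
    """Hardened behaviour: every entry point first checks that the calling
    package version matches the version recorded on the shared object."""
    if caller_version != pool.version:
        raise VersionMismatch(
            f"package v{caller_version} may not act on pool v{pool.version}")
    pool.balance -= amount
    return pool.balance


def migrate(pool: SharedRewardsPool, new_version: int) -> None:
    """Admin-only, one-way bump performed when a new package is published.
    Once bumped, the previous package's entry points are locked out."""
    if new_version <= pool.version:
        raise ValueError("version must be strictly increasing")
    pool.version = new_version


def scenario() -> dict:
    """Constructed: a pool created by package v2, migrated to v3, then
    approached by the abandoned v2 package and by the current v3 package."""
    pool = SharedRewardsPool(version=2, balance=150_000)
    migrate(pool, 3)
    outcome = {}
    # Without a gate the old package still mutates the shared pool.
    outcome["ungated_legacy"] = claim_ungated(pool, caller_version=2, amount=1_000)
    # With a gate the old package is rejected ...
    try:
        claim_gated(pool, caller_version=2, amount=1_000)
        outcome["gated_legacy"] = "allowed"
    except VersionMismatch:
        outcome["gated_legacy"] = "rejected"
    # ... while the current package operates normally.
    outcome["gated_current"] = claim_gated(pool, caller_version=3, amount=1_000)
    return outcome


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The migration step is the part that is easy to forget: the gate only protects objects whose stored version has actually been bumped when the new package ships, so a deployment checklist should treat “bump every shared object” as part of publishing, not as an optional follow-up.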
A broader pattern of non-core weaknesses
The Scallop exploit is not an isolated event but part of a larger trend that has continued throughout April. Multiple recent attacks stem not from a protocol’s core logic but from peripheral or overlooked components. Vulnerabilities in KelpDAO’s RPC infrastructure, Litecoin’s privacy layer (MWEB) and access control bugs in Aethir’s switch systems are just some examples.
In every case, the source lay outside the main contract, in secondary or legacy components. This pattern indicates that adversaries have shifted tactics: they spend less time on heavily audited core contracts and far more on the fringes of the ecosystem, where oversight is weakest. That requires a change of mindset for developers and auditors. Securing new deployments alone is not enough; all historical contracts, integration points and infrastructure components must be treated as an active threat surface.
Full compensation and system restoration by Scallop
Scallop responded to the vulnerability quickly and decisively. The attacked contract was frozen immediately after the incident, which is why only a single reward pool was compromised by this exploit.
The team confirmed that the underlying contracts remain secure and that no user deposits were compromised. Other pools are unaffected, and the protocol’s core functions were reactivated once the unaffected components were unfrozen.
Notably, Scallop pledged to compensate 100 percent of the losses caused by the exploit. The pledge shows a willingness to take responsibility for unforeseen vulnerabilities and aims to restore user trust.
Deposits and withdrawals have resumed, indicating that system stability has been restored.
Lessons from the world of DeFi security
The Scallop incident embodies a key lesson for the DeFi ecosystem as a whole. In an immutable smart contract environment, security is never a problem that can be set aside once a newer version ships.
Every version of a published contract is part of the live system. Even inactive code can become a single point of failure months or years later if the safeguards around it are easily bypassed.
Going forward, the ecosystem needs to adopt stricter version control practices, continuously monitor legacy contracts and expand audit scopes to cover all previous deployments. As this exploit shows, attackers are willing to dig into a protocol’s history to find vulnerabilities they can use.
Ultimately, DeFi will only be as durable as the protocols that adapt to this changing threat landscape.
Disclosure: This is not trading or investment advice. Always do your research before purchasing any cryptocurrency or investing in any services.