
Scallop Protocol was hit by a flash loan exploit on Sunday. The attacker reportedly drained about $142,000 (150,000 SUI) in what appears to be a highly targeted oracle tampering attack. The exploit did not touch the protocol's core contract, but it revealed a deeper flaw in the design.
The attacker reportedly exploited a deprecated side contract linked to Scallop's sSUI bounty pool. The team maintains that the underlying protocol remains intact and that all user deposits are safe. The loss was entirely contained within that isolated component.
Old code or oracle defect?
Analysts suggest that the primary problem was manipulation of the oracle price feeds tied to Scallop. This allowed the attacker to artificially lower the SUI/USDC price, borrow assets at the distorted price, and then repay the flash loan within the same transaction. In the end, the attacker walked away with the difference.
This follows a familiar DeFi attack pattern. However, the execution in this incident was extraordinarily precise. The attacker did not target active code or standard SDK paths. They interacted with the older V2 contract from November 2023, a version that was deprecated but remained callable on-chain. Sui keeps all published versions of contracts immutable and accessible, which is why this old package became a hidden attack surface.
The SUI price did not take a hit after the exploit. It is up nearly 2% in the past 24 hours. Sui is trading at $0.94 at press time. The 24-hour trading volume is about $187 million.
An expert reported in a message that the defect itself was subtle but severe. In the deprecated code, the key variable “last_index” is never initialized when a new account is created. This allowed the attacker to claim rewards as if they had been staked since the beginning of the pool.
Because the bounty index had grown over time, the attacker was able to award himself the entire bounty pool in a single transaction. The expert stated that the spool index rose to 1.19 billion over 20 months.
The attacker staked 136 thousand sSUI and received 162 trillion points. The rewards exchange rate was 1:1 (numerator and denominator = 1), so the 162 trillion points were converted directly into rewards worth 162K SUI. The pool held only 150,000 SUI, and all of it was drained.
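The accounting described above can be reproduced in a small Python model, added here as an illustration; it is not Scallop's Move code. Only `last_index` and the figures come from the article. The class and function names, the rule that a fresh account skips settlement on its first stake, and the reading of points as MIST (1 SUI = 10^9 MIST) are assumptions.

```python
# Simplified model of index-based staking rewards (added illustration).
# Only last_index and the figures come from the article; other names are hypothetical.
from dataclasses import dataclass

MIST_PER_SUI = 10**9  # assumption: points redeem 1:1 into MIST (SUI's base unit)

@dataclass
class Account:
    stake: int = 0
    last_index: int = 0  # pool index at this account's last settlement
    points: int = 0

class RewardPool:
    def __init__(self, index, balance, init_last_index):
        self.index = index                      # cumulative points per staked unit
        self.balance = balance                  # rewards left in the pool, in MIST
        self.init_last_index = init_last_index  # False models the deprecated code

    def new_account(self):
        acct = Account()
        if self.init_last_index:
            acct.last_index = self.index  # hardened: accrue only from creation onward
        return acct

    def settle(self, acct):
        acct.points += acct.stake * (self.index - acct.last_index)
        acct.last_index = self.index

    def stake(self, acct, amount):
        if acct.stake:  # assumption: only accounts with existing stake settle first
            self.settle(acct)
        acct.stake += amount

    def redeem(self, acct, numerator=1, denominator=1):
        self.settle(acct)
        owed = acct.points * numerator // denominator
        paid = min(owed, self.balance)  # the pool cannot pay more than it holds
        acct.points = 0
        self.balance -= paid
        return owed, paid

def simulate(init_last_index, index=1_190_000_000, staked=136_000, pool_sui=150_000):
    pool = RewardPool(index, pool_sui * MIST_PER_SUI, init_last_index)
    acct = pool.new_account()
    pool.stake(acct, staked)
    owed, paid = pool.redeem(acct)
    return owed, paid, pool.balance

if __name__ == "__main__":
    for label, flag in (("deprecated", False), ("hardened", True)):
        owed, paid, left = simulate(flag)
        print(label, owed // MIST_PER_SUI, paid // MIST_PER_SUI, left // MIST_PER_SUI)
```

With `last_index` left at zero, the new account is owed 136,000 × 1.19 billion points and the payout is capped only by the pool balance. Initializing `last_index` to the current pool index at account creation reduces the same sequence to a zero payout.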
On-chain data shows that the stolen funds were quickly routed through a mixing service on Sui similar to Tornado Cash. This makes recovery more difficult.
Scallop is back online after hack
The Scallop team responded by temporarily halting operations. It later reported that it had unfrozen the core contracts and that all operations had resumed. A post on X highlighted that the issue was not related to the underlying protocol and was isolated to a deprecated bounty contract. In the end, user deposits were not affected and all funds remained safe. Withdrawals and deposits are now working normally.
> 🚨 Scallop exposed to flash loan scam on Sui, loses $142,000 in oracle tampering attack
> Details 👇
> What happened?
> On April 26, 2026, the Scallop Lending Protocol experienced a flash loan vulnerability targeting a deprecated side contract related to its sSUI cache reward pool
> … pic.twitter.com/xoZbLzGCf0
– Sophia Hodlberg (@sophiaHodlberg) April 26, 2026
The attacker reportedly contacted the team and offered to return 80% of the money in exchange for a white-hat bounty. The incident is now being investigated. The team will check how the bug passed previous audits conducted by companies such as OtterSec and MoveBit.
Cryptopolitan reported that many of the major incidents in April 2026 did not come from the logic of the underlying protocol. They arose from legacy contracts, switches, or layers of infrastructure that are still accessible but ignored. Cumulative losses exceeded $750 million by mid-April. April 2026 alone accounted for more than $600 million in funds stolen across 12 major incidents.
Kelp DAO and Drift Protocol together contributed about 95% of April’s losses. The attack on Kelp resulted in $177 million in bad debt on Aave. Meanwhile, Arbitrum’s Security Council successfully froze 30,766 ETH (about $71 million) of the stolen funds.
Hyperliquid remains the largest token in the DeFi category. The HYPE price is up 10% in the last 30 days. It is trading at $41.95 at press time. Chainlink is in second place. LINK was trading at around $9.4.





