Scallop Exploit Drains $142K on Sui via Deprecated Rewards Contract
LTB Scallop Protocol took a hit on Sui after a flash loan exploit drained roughly $142,000 from a deprecated rewards contract, not its core lending system. The headline here isn’t just the dollar loss — it’s how a forgotten contract path, stale accounting, and manipulated pricing feeds can still turn into a live attack surface long after a team thinks a feature is retired.
- Loss: around $142,000, or 150,000 SUI
- Target: a deprecated contract tied to the sSUI rewards pool
- Method: flash loan plus likely oracle manipulation
- Core funds: Scallop says user deposits are safe
- Big lesson: “deprecated” does not mean dead
What happened
Scallop Protocol, a lending platform on the Sui blockchain, was exploited on Sunday in what appears to have been a highly targeted DeFi attack. The attacker reportedly drained about 150,000 SUI, worth roughly $142,000, from a rewards mechanism linked to Scallop’s sSUI pool.
Scallop moved quickly to pause operations, then restored the core contracts once the damage was contained. The team says the main lending system was not compromised and that all user deposits are safe. That matters. A lot. Because while the exploit was painful, it did not rip through the protocol’s primary vaults.
Still, a hack is a hack. And in DeFi, “we only lost the side contract” is not the flex some teams think it is. Old code that remains callable on-chain can still be abused, and this incident is a perfect example of how a supposedly minor leftover can become the weakest link in the whole setup.
How the exploit worked
The attack appears to have combined a flash loan with oracle manipulation. A flash loan is a form of uncollateralized borrowing where huge amounts of crypto can be borrowed and repaid within the same transaction. If the attacker can use that temporary liquidity to distort a market price or reward calculation, they can sometimes drain value before the transaction ends.
Oracle manipulation is the other half of the trick. An oracle is a data feed that tells a smart contract what an asset is worth. If a contract trusts a manipulated price feed — for example, a SUI/USDC price — it can be tricked into overpaying rewards, accepting bad values, or miscalculating balances. In plain English: if the contract is reading a fake or distorted price, the attacker can make it hand out too much money.
In Scallop’s case, the target was not the main lending engine but a deprecated side contract tied to the sSUI rewards pool. That distinction is important. This wasn’t a straight-up smash-and-grab of the protocol’s core assets. It was more like slipping through an old service hatch that should have been locked years ago.
The flaw reportedly centered on a variable called last_index, which was never initialized for new accounts. That sounds small, but it’s the kind of bug that can wreck a system quietly. If a rewards contract assumes a user has been active for a long time when they actually haven’t, it can hand out far more than they deserve.
According to the reported breakdown, the reward index grew to 1.19 billion over 20 months. The attacker staked 136,000 sSUI and was credited with 162 trillion points. Because the pool used a 1:1 conversion rate, those points translated into about 162,000 SUI in rewards. The pool itself only held around 150,000 SUI, so it was fully drained.
That is a brutal lesson in why DeFi accounting needs to be airtight. If a rewards system lets someone behave like an early participant after the fact, the math stops being finance and starts being a buffet.
Why deprecated code is still dangerous
One of the nastier truths in blockchain systems is that old code doesn’t vanish just because a team stops using it. If it remains deployed and callable, it can still be attacked. That is especially true on chains and frameworks where contract versions or legacy modules stay accessible unless they are explicitly isolated or disabled.
Sui’s design makes this lesson especially relevant. Immutable systems are great for transparency and user verification, but immutability cuts both ways. If a stale contract path is still reachable, it can sit there quietly like a loaded trapdoor. No drama. No warnings. Just a future exploit waiting for someone to poke it.
That’s why “deprecated” is not the same thing as “safe.” It just means “we stopped paying attention,” which is exactly the kind of sentence attackers love to hear.
Scallop’s response
Scallop said the core protocol was not impacted and emphasized that user deposits remain safe. The team temporarily froze operations, then unfroze the main contracts and resumed deposits and withdrawals after the incident was contained.
That response likely helped prevent a wider panic. It also highlights a recurring tension in DeFi: systems marketed as decentralized often rely on rapid human intervention when things go sideways. That’s not necessarily bad — in fact, it can protect users — but it does mean the “trustless” slogan needs a little less incense and a little more honesty.
The attacker reportedly offered to return 80% of the funds in exchange for a white-hat bounty. That’s the usual post-hack theater: steal the funds, then try to rebrand yourself as a negotiator. Hard pass.
Stolen funds were quickly routed through a mixing service, which makes recovery much harder. Mixers can serve legitimate privacy use cases, but they’re also a favorite tool for thieves looking to break the trail. Once the money is mixed, clawing it back becomes a lot more difficult.
Did audits miss it?
Scallop now says it will review how the flaw made it past audits by OtterSec and MoveBit. That question is where the real accountability starts.
Audits are supposed to catch hidden logic bugs, unsafe assumptions, and odd edge cases before they become expensive public humiliations. If a deprecated contract remained callable and its reward logic could be gamed, then the obvious follow-up is whether that code was in scope, whether it was considered “dead” but still reachable, or whether the issue was introduced after the audit window.
This is where a lot of DeFi projects get slippery. They’ll trumpet an audit badge like it’s a divine shield, but audits are not magic. They are snapshots. They can reduce risk, not erase it. And if a protocol keeps old modules around, those old modules deserve the same paranoia as the shiny new ones.
The wider DeFi security mess
This exploit lands in a broader period of ugly losses across crypto security. April 2026 has reportedly seen more than $600 million stolen across 12 major incidents, with cumulative losses passing $750 million by mid-April. Kelp DAO and Drift Protocol were said to account for roughly 95% of April’s losses, while Aave reportedly absorbed $177 million in bad debt tied to the Kelp incident. In another incident, the Arbitrum Security Council froze 30,766 ETH, worth about $71 million, from stolen funds.
The takeaway is not that every protocol is doomed. It’s that many of the biggest losses don’t come from some cinematic attack on a flagship vault. They come from neglected edges: reward pools, adapters, stale assumptions, or side contracts left sitting around like junk in the garage. That’s where the rot tends to live.
And yes, the “decentralized finance” pitch sounds a lot less glamorous when the real threat is a forgotten rewards variable and a price feed that can be bent. But that’s the actual battlefield. Not whitepapers, not keynote slides, not the breathless “next trillion-dollar market” nonsense. Code. Accounting. Incentives. Attack surfaces.
What this means for Sui and Scallop
The market didn’t exactly implode on the news. SUI was reportedly up nearly 2% over 24 hours, trading around $0.94 with $187 million in volume. That doesn’t mean the exploit was meaningless; it suggests the market saw it as contained rather than existential.
That’s an important distinction. A contained exploit still hurts, still exposes bad design, and still needs a serious postmortem. But if the core protocol stayed intact and deposits remained safe, traders may decide the network itself wasn’t damaged in a way that justifies a broader selloff.
Even so, confidence in DeFi is built on boring things: clean accounting, disciplined contract management, and not leaving old attack surfaces lying around for years. The moment a rewards pool or helper contract becomes “legacy,” someone needs to treat it like an active risk, not digital archaeology.
Key takeaways
- What caused the Scallop exploit?
A deprecated rewards contract was exploited, likely through oracle manipulation and an uninitializedlast_indexvariable. - Were user deposits stolen?
Scallop says no. The core lending system was not compromised, and user deposits remain safe. - How did the attacker make money?
A flash loan provided temporary capital to distort pricing and reward calculations, letting the attacker drain the pool in one transaction. - Why was the exploit possible?
Old contract code was still callable, and the rewards logic appears to have been vulnerable to abuse. - Can the stolen funds be recovered?
Recovery looks difficult because the funds were moved through a mixing service. - Did audits catch the bug?
Scallop says it will investigate how the flaw passed audits from OtterSec and MoveBit. - What does this say about DeFi security?
Deprecated code can still be a live attack surface, and side contracts can be just as dangerous as core systems. - Did SUI price collapse?
No. SUI was reportedly up nearly 2% and trading with solid volume, suggesting the market viewed the exploit as isolated.
Important quotes
“Scallop Protocol got hit by a flash loan exploit on Sunday.”
“The attacker reportedly drained around $142,000 (150,000 SUI) in what appears to be a highly targeted oracle manipulation attack.”
“This one didn’t touch the protocol’s core contracts but exposed a deeper design flaw.”
“All user deposits are safe.”
“The flaw itself was subtle but severe.”
“The attacker staked 136K sSUI and got credited with 162 trillion points.”
“This makes the recovery even more difficult.”
“April 2026 alone has accounted for over $600 million in stolen funds across 12 major incidents.”