Scallop, the leading lending and borrowing protocol on the Sui blockchain, has confirmed a security breach affecting a side contract related to its sSUI spool rewards pool. The incident, which occurred on April 26, 2026, resulted in the unauthorized outflow of approximately 150,000 SUI tokens, valued at around $142,000 to $525,000 depending on the source, due to a vulnerability in a deprecated V2 rewards contract from November 2023.
Incident Details
The exploit targeted an older side contract that managed rewards for the sSUI spool. The core flaw was an uninitialized variable called 'last_index', which records the point in the pool's accumulated reward index from which a staker's rewards are counted. Because this variable was never set when a new account was created, a fresh account was treated as if it had been staking since the contract's inception: the attacker could stake around 136,000 sSUI and immediately claim the full historical reward. The spool index had grown to approximately 1.19 billion over 20 months, so the attacker was credited with about 162 trillion reward points. The rewards pool exchanged these points at a one-to-one rate, and the entire pool of 150,000 SUI was drained in a single transaction (hash: 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL). The stolen funds were subsequently moved through a mixing service on Sui, similar to Tornado Cash, complicating recovery efforts.
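The accounting pattern described above is the common "global reward index plus per-account checkpoint" design. The following Python model is an added illustration written for this article; it is not Scallop's Move contract and does not reproduce its code. It assumes the usual bookkeeping (pending reward = stake × (global index − account's last_index)), that reward points redeem one-to-one against the pool's smallest unit (mist, 10^9 per SUI) so the article's figures line up, and names such as `RewardPool`, `stake` and `claim` that are invented for the example. The flawed and hardened account-creation paths sit side by side, and `new_account_has_zero_pending` is the invariant a test suite or audit could have asserted to catch the defect.

```python
"""Model of a staking-reward index with an uninitialized per-account checkpoint.

Added example, not Scallop's code. `init_last_index=False` reproduces the flaw
described in the article; `True` is the hardened form.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MIST_PER_SUI = 10**9  # Sui's smallest unit; assumption: reward points redeem 1:1 for mist


@dataclass
class Account:
    stake: int = 0
    last_index: int = 0   # global index value at this account's last settlement
    accrued: int = 0      # settled but unclaimed reward points


@dataclass
class RewardPool:
    index: int = 0        # cumulative reward points per staked unit since inception
    balance: int = 0      # reward tokens (mist) the pool actually holds
    init_last_index: bool = True   # False: leave last_index at its zero default (the flaw)
    accounts: dict = field(default_factory=dict)

    def advance_index(self, delta: int) -> None:
        """Time passes and rewards accrue to everyone staked: the index only grows."""
        self.index += delta

    def _settle(self, acct: Account) -> None:
        """Credit reward earned since the last checkpoint, then move the checkpoint."""
        acct.accrued += acct.stake * (self.index - acct.last_index)
        acct.last_index = self.index

    def stake(self, who: str, amount: int) -> None:
        if who not in self.accounts:
            acct = Account(stake=amount)
            if self.init_last_index:
                acct.last_index = self.index   # hardened: a new staker accrues from now on
            # flawed path: last_index stays 0, i.e. "staking since inception"
            self.accounts[who] = acct
        else:
            acct = self.accounts[who]
            self._settle(acct)
            acct.stake += amount

    def pending(self, who: str) -> int:
        acct = self.accounts[who]
        return acct.accrued + acct.stake * (self.index - acct.last_index)

    def claim(self, who: str) -> int:
        """Redeem points one-to-one for mist, bounded by what the pool holds."""
        acct = self.accounts[who]
        self._settle(acct)
        payout = min(acct.accrued, self.balance)
        acct.accrued -= payout
        self.balance -= payout
        return payout


def new_account_has_zero_pending(pool: RewardPool, who: str, amount: int) -> bool:
    """Invariant worth asserting in tests: staking into a fresh account must not
    create any claimable reward in the same instant."""
    pool.stake(who, amount)
    return pool.pending(who) == 0


def scenario(flawed: bool) -> tuple[int, int, int]:
    """Replay the article's situation with constructed inputs: an index grown to
    ~1.19e9, a 150,000 SUI pool, and a 136,000-unit stake from a brand-new account.
    Returns (points owed immediately, mist paid out, mist left in the pool)."""
    pool = RewardPool(index=1_190_000_000, balance=150_000 * MIST_PER_SUI,
                      init_last_index=not flawed)
    pool.stake("new_staker", 136_000)
    owed = pool.pending("new_staker")
    paid = pool.claim("new_staker")
    return owed, paid, pool.balance


if __name__ == "__main__":
    for flawed in (True, False):
        owed, paid, left = scenario(flawed)
        print(f"flawed={flawed}: pending={owed:,} paid={paid:,} pool_left={left:,}")
```

With the flaw enabled the new account is owed about 1.62e14 points on the spot (136,000 × 1.19e9), which exceeds the whole 1.5e14-mist pool, so the single claim empties it; with `last_index` initialized to the current index the same stake is owed nothing until the index advances further. The invariant helper is the kind of property test that would have flagged the defect regardless of how the contract was written.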
Response and Reimbursement
Scallop's team acted rapidly, freezing the compromised contract within minutes of detecting the suspicious activity. Importantly, the protocol's core contracts, which manage primary lending and borrowing logic, remained entirely secure and unaffected. Deposits and withdrawals resumed normal operations within two hours of the incident. Demonstrating its commitment to user trust, Scallop has pledged to fully reimburse all affected users from its own treasury, ensuring no individual depositor suffers a financial loss. The protocol confirmed that no user yields will be diluted. The attacker later contacted the team and offered to return 80% of the stolen funds in exchange for a white-hat bounty.
Broader Context and Implications
This attack follows a similar exploit on Volo Protocol earlier in April, which lost around $3.5 million. Both cases targeted peripheral contracts rather than core protocol logic. April 2026 has now seen over $600 million in stolen funds across 12 major incidents, with cumulative losses exceeding $750 million by mid-April. The Scallop team is currently working with security partners to finalize the reimbursement process and has indicated plans for a complete audit of all remaining legacy packages. Neither the Sui Foundation nor Mysten Labs has made a public statement on the incident. The team is also investigating how the flaw passed earlier audits by OtterSec and MoveBit.