Another DeFi Exploit Drains 150,000 SUI From Scallop’s Deprecated Contract

  • Scallop lost 150K SUI to an exploit in a deprecated sSUI rewards contract.
  • Core lending pools and user deposits were unaffected; Scallop will cover the full loss.
  • The flaw stemmed from an old V2 spool contract published in November 2023.

Scallop, a money market on Sui Network, lost about 150,000 SUI on Sunday after an attacker drained a deprecated rewards contract tied to the protocol’s sSUI spool.

The team froze the affected contract within minutes and pledged full reimbursement from its treasury. Core operations resumed in under two hours.


Another Sui Exploit Hits Peripheral Code, Not the Core Protocol

Scallop disclosed the incident at 12:50 UTC on April 26 through a public notice on X. The attacker targeted a side contract powering rewards for the sSUI spool. That spool is the protocol’s incentive layer for SUI depositors.

The affected contract was frozen immediately, according to the team. Core lending and borrowing pools stayed untouched. User deposits remained safe across every other Scallop market.

Two hours later, Scallop confirmed the freeze had been lifted on the core contracts. Withdrawals and deposits resumed at 14:42 UTC.

Most users on the Sui network were unaffected by the morning’s events.

“Scallop will fully cover 100% of the loss,” the money market said in its notice.


Stale Package Code From 2023 Sat Behind the Exploit

Independent on-chain analysis points to a deprecated V2 spool package as the entry point. Scallop published the code in November 2023, more than 17 months before the attack. On Sui, deployed packages are immutable. Old versions stay callable unless explicitly version-gated.

The bug centered on an uninitialized last_index counter, the per-position checkpoint that records how much reward the spool had already accrued when a staker joined. The attacker staked roughly 136,000 sSUI to exploit it.

Because last_index was never set, the reward math treated the position as if it had existed since the spool launched in August 2023.

The spool index had grown to about 1.19 billion over 20 months. That allowed the exploiter to harvest around 162 trillion reward points. Those redeemed one-to-one for 150,000 SUI from the rewards pool.
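The following is an added example, not Scallop's contract and not Sui Move code; it is written in Python so the arithmetic stays visible. It models the reward-index accumulator pattern the article describes, with the flawed behaviour (last_index left at zero for a new position) beside the corrected one (last_index snapshotted at the current index when the position is opened), plus a solvency check a defender would run over such a pool. The `Spool` and `Position` structures are assumed simplifications; the 136,000 sSUI stake and 1.19 billion index are the article's rounded figures.

```python
from dataclasses import dataclass, field

# Rounded figures from the article, used here as constructed inputs.
INDEX_AT_ATTACK = 1_190_000_000   # spool index after ~20 months of accrual
ATTACK_STAKE = 136_000            # sSUI staked by the attacker


@dataclass
class Position:
    stake: int
    last_index: int  # pool index at which this position last settled rewards
    owed: int = 0    # settled but unclaimed reward points


@dataclass
class Spool:
    """Hypothetical reward accumulator: index = cumulative points per unit staked."""
    index: int = 0
    total_stake: int = 0
    funded: int = 0                     # reward points actually paid into the pool
    positions: dict = field(default_factory=dict)
    init_last_index: bool = True        # False reproduces the uninitialized-counter flaw

    def accrue(self, reward_points: int) -> None:
        """Distribute newly funded reward points across all current stakers."""
        self.funded += reward_points
        if self.total_stake > 0:
            self.index += reward_points // self.total_stake

    def _settle(self, pos: Position) -> None:
        # Rewards since the last checkpoint: stake * (index growth since last_index).
        pos.owed += pos.stake * (self.index - pos.last_index)
        pos.last_index = self.index

    def stake(self, who: str, amount: int) -> None:
        pos = self.positions.get(who)
        if pos is None:
            # Hardened: snapshot the current index so a new position starts with
            # zero history. Flawed: last_index stays at its zero default, so the
            # position looks as if it had been staked since the pool's first block.
            start = self.index if self.init_last_index else 0
            pos = Position(stake=0, last_index=start)
            self.positions[who] = pos
        else:
            self._settle(pos)  # bank rewards earned so far before the stake changes
        pos.stake += amount
        self.total_stake += amount

    def claimable(self, who: str) -> int:
        pos = self.positions[who]
        self._settle(pos)
        return pos.owed

    def solvent(self) -> bool:
        """Invariant a monitor should enforce: total claimable never exceeds funding."""
        return sum(self.claimable(w) for w in self.positions) <= self.funded


def simulate_attack(init_last_index: bool) -> int:
    """Open a fresh position at the article's index and return its claimable points."""
    pool = Spool(index=INDEX_AT_ATTACK, init_last_index=init_last_index)
    pool.stake("newcomer", ATTACK_STAKE)
    return pool.claimable("newcomer")


def legitimate_flow() -> tuple[int, int, bool]:
    """Two stakers, two accrual rounds: the late joiner earns only the second round."""
    pool = Spool()
    pool.stake("alice", 100)
    pool.accrue(1_000)        # index becomes 10; alice is owed 100 * 10
    pool.stake("bob", 100)    # bob's checkpoint is index 10
    pool.accrue(1_000)        # index becomes 15; each earns 100 * 5 this round
    return pool.claimable("alice"), pool.claimable("bob"), pool.solvent()


if __name__ == "__main__":
    print("flawed   :", simulate_attack(False))   # ~1.62e14, the article's ~162 trillion
    print("hardened :", simulate_attack(True))    # 0 immediately after staking
    print("legit    :", legitimate_flow())
```

With the flaw, a brand-new position is credited stake multiplied by the entire index (136,000 x 1.19 billion, about 162 trillion points), which is exactly the figure the article reports; with the checkpoint initialized, the same position is owed nothing until the index moves again. The `solvent()` check is the kind of off-chain invariant that would have flagged the discrepancy before the rewards pool was emptied.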

The transaction hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL captures the on-chain proof of the drain.

A Familiar Pattern Across Sui DeFi

The incident follows a string of Sui exploits in recent weeks. Volo Protocol lost roughly $3.5 million earlier this month in a similar peripheral incident. Each case targeted side contracts rather than core protocol logic.

It also lands one week after a major bridge incident on Ethereum, which produced roughly $292 million in unbacked liquid restaking tokens. Both attacks happened over weekends, when liquidity is thin and response times can lag.

Neither the Sui Foundation nor Mysten Labs has made a public statement on the matter.

For Scallop, however, the financial damage looks contained. The protocol confirmed it will absorb the entire loss without diluting user yields.

The team has not yet released a full post-mortem. A complete audit of every remaining legacy package, if published, is likely to shape the broader Sui DeFi response.

The deeper question is how Sui builders should manage immutable code and forgotten attack surfaces.
