Scallop Deprecated V2 Contract Exploit — April 26, 2026 Post-Mortem (Aggregated)
The Incident
On April 26, 2026, Scallop — Sui's largest lending protocol — was the target of an exploit that drained roughly 150,000 SUI (~$142,000) from its sSUI rewards pool. The Scallop team made the breach public at 12:50 UTC through an announcement on X. Core contracts were reactivated by 14:42 UTC, less than two hours after the initial incident, and user deposits in the live protocol were not impacted.
How the Attack Worked
The attacker targeted a deprecated V2 contract deployed in November 2023, which remained accessible on-chain due to Sui's immutable package design. In the old V2 package, newly created spool accounts were never properly initialized — the last_index field was always zero. By staking 136,000 sSUI into one of these uninitialized spool accounts, the attacker manipulated the system's reward verification logic to receive massively inflated rewards.
The Core Technical Issue
The differential between the (zero) initialized index and the current global reward index allowed the attacker to allocate themselves approximately 162 trillion reward points. The rewards mechanism converted these points at parity, enabling the complete extraction of 150,000 SUI from the side pool through a single transaction.
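The accounting flaw described above, modelled as an added example (a simplified Python model, not Scallop's Move code): a fresh account that starts at last_index = 0 is owed stake * (global_index - 0) on its first settlement, while an account that snapshots the current global index at creation is owed nothing. The stake-before-settle ordering, the SCALE factor and all numbers are assumptions for illustration.

```python
# Simplified model of index-based reward accounting (added example, not the
# protocol's own code). Each account remembers the global index it was last
# settled at and is owed stake * (global_index - last_index) next time.
SCALE = 10**9  # reward index is "rewards per staked unit" times SCALE


class Pool:
    def __init__(self, index):
        self.index = index        # cumulative global reward index
        self.total_staked = 0


class Account:
    def __init__(self, last_index):
        self.staked = 0
        self.last_index = last_index
        self.points = 0


def open_account_v2(pool):
    """Bug being modelled: account created with last_index = 0 regardless
    of the pool's current index, so it appears to have earned since genesis."""
    return Account(last_index=0)


def open_account_fixed(pool):
    """Fix: snapshot the current global index, so a new account owes nothing."""
    return Account(last_index=pool.index)


def stake(pool, acct, amount):
    # Assumed ordering: stake recorded without settling the account first.
    acct.staked += amount
    pool.total_staked += amount


def settle(pool, acct):
    """Credit rewards accrued since the last settlement; return the amount."""
    owed = acct.staked * (pool.index - acct.last_index) // SCALE
    acct.points += owed
    acct.last_index = pool.index
    return owed


def reward_for_fresh_staker(open_fn, global_index, amount):
    """Points a brand-new account collects by staking and settling at once.
    Invariant a reviewer should check: this must be 0 for any global_index."""
    pool = Pool(index=global_index)
    acct = open_fn(pool)
    stake(pool, acct, amount)
    return settle(pool, acct)
```

A second, independent safeguard is to settle an account before any change to its stake: with staked == 0 the stale index credits nothing and is overwritten, which also neutralises accounts that already exist with a bad last_index.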
The vulnerability had lurked for 17 months in the deprecated contract before being discovered and exploited. Sui's immutable package model means deprecated contracts cannot be removed; they can only be made unreachable from front-end paths. If on-chain references persist (via direct contract calls or alternate routers), deprecated code remains attackable.
Response
Scallop paused and then reactivated the live (V3+) contracts. The attacker reportedly offered to return 80% of the funds in exchange for a bounty (the standard "white-hat" framing), though Scallop had not confirmed an agreement at time of reporting. Scallop's team treated this as a side-pool / rewards-mechanism issue rather than a core lending protocol breach.
Notes on Discrepancy
Some outlets reported the loss as $270K (TronWeekly), others as $142K (CryptoTimes / MoneyCheck), and some quoted ~150K SUI directly. The variance is mostly due to SUI price fluctuations between the exploit timestamp and the reporting timestamp; ~150K SUI is the consistent on-chain figure.