Scallop SUI exploit: 150K SUI drained, core pools safe
Scallop SUI exploit contained after ~150,098 SUI was drained from a Sui rewards pool. The issue was traced to a legacy “V2” contract path in a peripheral staking/rewards module—not core infrastructure.
Key details: the attacker sent ~150K SUI to a single account, exploiting a bug where an old contract failed to set the user’s last_index at staking start. With the spool index around 1.19B, the attacker’s ~136K sSUI position multiplied rewards instantly, inflating payouts to roughly 150K SUI.
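The missing last_index snapshot described above, modeled next to the corrected accounting. This is an added example, not Scallop's contract code: the class and function names, the SCALE constant and the accrual delta are assumptions, and the inputs reuse the article's approximate figures, so the result illustrates the mechanism rather than reconstructing the reported loss.

```python
from dataclasses import dataclass, field

SCALE = 10**9  # assumed fixed-point scale of the index (not stated on the page)

@dataclass
class Account:
    stake: int = 0
    last_index: int = 0  # index value up to which this account has been paid

@dataclass
class Spool:
    index: int               # global reward-per-unit index, only ever grows
    snapshot_on_stake: bool  # False models the legacy path with no snapshot
    accounts: dict = field(default_factory=dict)

    def pending(self, user: str) -> int:
        a = self.accounts[user]
        return a.stake * (self.index - a.last_index) // SCALE

    def stake(self, user: str, amount: int) -> int:
        """Add stake; returns rewards settled for the pre-existing position."""
        a = self.accounts.setdefault(user, Account())
        settled = 0
        if self.snapshot_on_stake:
            settled = self.pending(user)  # pay the old position first
            a.last_index = self.index     # new stake earns from "now" only
        a.stake += amount
        return settled

    def claim(self, user: str) -> int:
        owed = self.pending(user)
        self.accounts[user].last_index = self.index
        return owed

def stale_accounts(spool: Spool) -> list:
    """Defensive invariant check: staked accounts that never got a snapshot."""
    return [u for u, a in spool.accounts.items()
            if a.stake > 0 and a.last_index == 0 and spool.index > 0]

def stake_then_claim(snapshot_on_stake: bool, accrue: int = 0) -> int:
    # Constructed scenario: index ~1.19B and a ~136K position, as in the text.
    spool = Spool(index=1_190_000_000, snapshot_on_stake=snapshot_on_stake)
    spool.stake("new_staker", 136_000)
    spool.index += accrue  # rewards accrued after the stake was opened
    return spool.claim("new_staker")

if __name__ == "__main__":
    print("legacy path :", stake_then_claim(False))            # whole index history
    print("fixed path  :", stake_then_claim(True))             # nothing accrued yet
    print("fixed +accr.:", stake_then_claim(True, 5_000_000))  # only the new delta
```

Running stale_accounts over existing positions before a legacy path is retired shows which accounts would be paid against the full index history.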
Response and market signals: the Scallop team froze the affected contract layer and restored operations quickly. Core pools remained intact, and deposits/withdrawals reportedly continued normally. TVL held near $22.37M, suggesting no immediate panic-driven outflows.
Trader takeaway: the Scallop SUI exploit highlights how peripheral contracts can expand the attack surface even when core logic is safe. While 100% coverage of losses supports confidence, traders may remain cautious in the short term; long-term trust will depend on whether TVL and user flows stay stable as auditors and users reassess protocol risk.
Neutral
The Scallop SUI exploit looks contained: losses were limited to a peripheral rewards module, the team froze the contract and resumed operations, and TVL held near $22.37M. That combination usually reduces systemic contagion risk, so broad market impact is less likely.
However, it also reinforces a recurring DeFi pattern: when legacy or deprecated code paths exist, attackers can still monetize accounting/indexing bugs. Similar incidents in liquid staking and rewards contracts often cause short-term drawdowns in sentiment (slower deposits, higher scrutiny) even when funds are later returned or losses are covered. Longer term, stability in TVL and uninterrupted withdrawals typically restores confidence.
Net effect: neutral for the wider crypto market. For SUI/Scallop-adjacent DeFi users, there may be tactical caution (watch TVL trends, contract upgrades, and user inflow/outflow) rather than an immediate bearish repricing.