Scallop on Sui hit by flash loan + oracle manipulation, $142K drained

Scallop Protocol on Sui was exploited in a flash loan attack that reportedly cost around $142,000 (150,000 SUI). The attacker combined flash-loan borrowing with an oracle price manipulation to depress SUI/USDC rates, borrow at distorted prices, and repay within the same transaction—keeping the price difference. Key detail: the exploit did not break the protocol’s core contracts. Instead, it targeted a deprecated side contract tied to the sSUI rewards pool. Analysts point to an uninitialized variable (“last_index”) in the older V2 contract (left callable on-chain). When a new account was created, the attacker could claim rewards as if they had been staking since the pool’s start. With the spool index growing to ~1.19B over ~20 months, the attacker’s credits mapped 1:1 to available rewards—draining the pool’s ~150K SUI. On-chain traces indicate the stolen funds were quickly routed through a mixing service similar to Tornado Cash on Sui, complicating recovery. Scallop temporarily paused operations, then unfroze core contracts and resumed deposits/withdrawals, stating user deposits remain safe and the incident is contained to the isolated deprecated rewards contract. Market reaction: the article notes SUI price was not significantly impacted at the time of reporting (up ~2% on the day), with SUI trading around $0.94.
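The reward-accounting flaw described above is a classic "rewards-per-share index" bug: each account is supposed to record the global index at the moment it is created, and its claim is stake multiplied by the growth of the index since then; if that starting index is left at zero, a brand-new account is credited for the pool's entire history. The Python model below is an added illustration of that arithmetic, not Scallop's Move code; the `Pool`/`Account` names, the `SCALE` constant, the 20 accrual periods and the 100-unit rewards are constructed values (the page's figures, ~1.19B index over ~20 months, are not reproduced). It also shows the solvency invariant a monitor or auditor would check: total claimable rewards must never exceed what the pool holds.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE = 10**9  # fixed-point scale for the per-unit index (constructed value)


@dataclass
class Account:
    """A staker's position: its stake and the pool index at its last settlement."""
    stake: int
    last_index: int


@dataclass
class Pool:
    """Rewards-per-share accumulator (toy model, not the protocol's own code)."""
    index: int = 0            # cumulative rewards per staked unit, scaled by SCALE
    total_stake: int = 0
    reward_balance: int = 0   # reward units the pool actually holds
    accounts: List[Account] = field(default_factory=list)

    def accrue(self, rewards: int) -> None:
        """Credit `rewards` to everyone staked right now by bumping the index."""
        self.reward_balance += rewards
        if self.total_stake > 0:
            self.index += rewards * SCALE // self.total_stake

    def open_account(self, stake: int, initialize_last_index: bool) -> Account:
        """Create a position. The flaw is initialize_last_index=False: last_index
        keeps its default 0, so the account looks as if it had been staked since
        the pool's very first accrual."""
        acct = Account(stake=stake,
                       last_index=self.index if initialize_last_index else 0)
        self.total_stake += stake
        self.accounts.append(acct)
        return acct

    def claimable(self, acct: Account) -> int:
        """Rewards owed = stake * (index growth since last settlement)."""
        return acct.stake * (self.index - acct.last_index) // SCALE

    def claim(self, acct: Account) -> int:
        """Settle an account; refuses if the payout exceeds the pool's holdings."""
        amount = self.claimable(acct)
        if amount > self.reward_balance:
            raise RuntimeError("claim exceeds pool reward balance")
        self.reward_balance -= amount
        acct.last_index = self.index
        return amount

    def is_solvent(self) -> bool:
        """Invariant a monitor can check: total claimable never exceeds holdings."""
        return sum(self.claimable(a) for a in self.accounts) <= self.reward_balance


def build_pool(initialize_last_index: bool) -> Tuple[Pool, Account, Account]:
    """One honest early staker, 20 accrual periods, then a brand-new account."""
    pool = Pool()
    early = pool.open_account(stake=1_000, initialize_last_index=True)
    for _ in range(20):          # constructed: 20 periods of 100 reward units each
        pool.accrue(100)
    late = pool.open_account(stake=1_000, initialize_last_index=initialize_last_index)
    return pool, early, late


def scenario(initialize_last_index: bool) -> Dict[str, int]:
    """What each account can claim, and whether the pool is still solvent."""
    pool, early, late = build_pool(initialize_last_index)
    return {
        "early_claimable": pool.claimable(early),
        "late_claimable": pool.claimable(late),
        "reward_balance": pool.reward_balance,
        "solvent": int(pool.is_solvent()),
    }


def late_claims_first(initialize_last_index: bool) -> Tuple[int, bool]:
    """Let the new account settle before the early staker.
    Returns (amount paid to the new account, whether the early claim then failed)."""
    pool, early, late = build_pool(initialize_last_index)
    paid = pool.claim(late)
    try:
        pool.claim(early)
        early_failed = False
    except RuntimeError:
        early_failed = True
    return paid, early_failed


if __name__ == "__main__":
    print("uninitialized last_index:", scenario(initialize_last_index=False))
    print("initialized last_index:  ", scenario(initialize_last_index=True))
```

With `last_index` left at zero, the new account's claimable amount equals the early staker's (2000 units each) while the pool holds only 2000, so the solvency invariant fails and whoever settles first takes everything; with `last_index` set to the current index at creation, the new account is owed nothing until it has actually earned it. A periodic `is_solvent()`-style check over all positions, or an alert on a fresh account claiming more than its tenure could have earned, is the detection a defender would want for this class of bug.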
Neutral
Although this Scallop Protocol flash loan attack caused a loss of roughly $142,000, the incident has been characterized as an "isolated" vulnerability in a deprecated side contract rather than a compromise of the core contracts. That structural feature usually reduces systemic panic about the protocol ecosystem as a whole and about user funds. The direct trading impact is more short-term: 1) DeFi on Sui carries a contract-risk premium from "old contracts remaining callable", which may prompt some capital to briefly avoid similar reward pools and oracle-dependent products; 2) if later disclosures reveal broader oracle or reward-calculation problems, the risk will be repriced. But the article also notes that SUI's price reaction at the time was limited (about +2%), and that Scallop resumed after the pause and stressed that user deposits are safe. Historically, similar "flash loan + oracle manipulation" events tend to trigger localized token volatility and contract-audit sentiment first, after which the market gradually recovers once the losses are confirmed to be contained and recoverability is high. The long-term impact depends on whether the incident prompts broader contract cleanup or accelerated audits; if it remains an isolated case, the market mostly limits the shock to the specific protocol and similar contract architectures.