DeFi Protocol Scallop on Sui Hacked: 150,000 SUI Drained from Rewards Pool
Lending platform Scallop lost approximately 150,000 SUI after hackers exploited a deprecated rewards smart contract. The team pledged to cover 100% of losses from its own funds.
What Happened
Scallop, a lending protocol built on the Sui blockchain, has fallen victim to a security exploit. Attackers identified a vulnerability in a deprecated rewards smart contract and drained approximately 150,000 SUI from the sSUI rewards pool.
The Scallop team responded promptly by temporarily freezing core contracts to conduct a thorough security review. Operations have since been fully restored.
"We have unfreezed the core contracts and all operations have resumed. The issue was not related to the core protocol and was isolated to a deprecated rewards contract. User deposits were not impacted and all funds remain safe. Withdrawals and deposits are now…" — Scallop (@Scallop_io), original post
Why This Matters
The Scallop exploit marks yet another entry in an alarming sequence of DeFi attacks in recent weeks. On April 17, liquid restaking protocol Kelp suffered a breach resulting in losses of roughly $293 million. On April 22, hackers compromised Volo and extracted $3.5 million from WBTC and USDC pools. This pattern of escalating exploits raises serious questions about the security posture of decentralized finance applications and could deter institutional capital from entering the space.
Exploit Details and Team Response
According to the development team, the exploit was confined to a peripheral rewards smart contract that was no longer actively used within the protocol's current architecture. The core lending logic and user deposits remained completely unaffected throughout the incident.
Scallop's team has committed to making all affected parties whole, pledging to reimburse 100% of the losses from the project's own reserves. An investigation into the full circumstances of the breach is ongoing, with a detailed post-mortem report expected at a later date.
Users can currently deposit and withdraw assets from the platform without any restrictions.
Current State of the Project
Scallop's total value locked (TVL) stands at $22.82 million according to DefiLlama at the time of the incident. The project's native token SCA is trading at $0.017, down 2.5% over the past 24 hours per CoinGecko data.
While the scale of losses is relatively modest compared to recent high-profile DeFi breaches, the attack highlights a persistent risk: deprecated and unused smart contract components left on-chain can serve as viable attack vectors. Even code that has been retired from active use retains its on-chain presence and potential vulnerabilities, underscoring the importance of comprehensive contract lifecycle management in DeFi protocols.
Frequently Asked Questions
How much was stolen from Scallop protocol?
Hackers drained approximately 150,000 SUI from the sSUI rewards pool by exploiting a deprecated rewards smart contract. The core protocol and user deposits were not affected.
Is Scallop safe to use after the hack?
Scallop has resumed full operations after completing a security review. Users can deposit and withdraw assets without restrictions. The team has pledged to cover 100% of losses from its own funds.
What caused the Scallop exploit on Sui?
The vulnerability was found in a deprecated rewards smart contract that was no longer actively used in the protocol's current architecture. The core lending contracts were not compromised.
What is Scallop TVL after the attack?
Scallop's total value locked stands at $22.82 million according to DefiLlama. The native SCA token is trading at $0.017, down 2.5% in 24 hours.
What other DeFi hacks happened in April 2026?
On April 17, Kelp lost approximately $293 million in a hack. On April 22, Volo was compromised with $3.5 million drained from WBTC and USDC pools.
Read also
April 2026 Sets All-Time Record for Number of Crypto Hacks
April 2026 saw a record-breaking 24 crypto hacks resulting in approximately $651 million in total losses. Kelp and Drift Protocol suffered the largest exploits.
Drift Protocol Hack Victims File Class Action Lawsuit Against Circle Over $230M in USDC
Over 100 victims of the Drift Protocol exploit have filed a class action lawsuit against Circle in Massachusetts court, accusing the USDC issuer of negligence and enabling hackers.
AI Audit Uncovers Critical Liveness Bug in Ethereum's Nethermind Client
Octane Security's AI discovered a high-severity vulnerability in the Nethermind execution client that could have halted block production for 38% of Ethereum mainnet validators. The Ethereum Foundation awarded a maximum $50,000 bounty.
TON Wallet Introduces Yield Vaults for BTC, ETH, and USDT Directly in Telegram
TON Wallet has launched yield vaults for BTC, ETH, and USDT directly within Telegram, offering up to 18% APY on stablecoins through partnerships with Morpho, TAC, and Re7.
Weekly Recap: Aave Ecosystem Rescue Mobilizes 100,000 ETH and Quantum Computer Cracks 15-Bit ECC Key
Bitcoin held near $78,000, the DeFi community rallied over 100,000 ETH to help Aave recover from the Kelp hack, and a researcher cracked a 15-bit ECC key on a quantum computer.
Stablecoin Transfer Volume Hits $10.5 Trillion in January — Highest Since April 2022
January stablecoin transaction volume surpassed $10.5 trillion, marking the highest monthly figure since April 2022. USDC led transfers while USDT maintained market cap dominance.