Sui on-chain DeFi lending protocol Scallop issued a security incident notice on its official X account (@Scallop_io), confirming that the platform was attacked. Scallop said that the team found that a side contract related to the sSUI rewards pool was exploited, resulting in a loss of about 150k SUI. Scallop emphasized that the affected contracts have been frozen, the core contract remains safe, and only the sSUI rewards pool was impacted.
In a subsequent update, Scallop further stated: “The core contract has been unfrozen, and all operations have been restored. This issue is not related to the core protocol; it is limited to a deprecated rewards contract. User deposits are not affected. All funds are safe, and the deposit and withdrawal functions have resumed normal operation.” The team promised to share more details and to continuously monitor and strengthen protocol security.
Former NEAR core member Vadim: The problem lies in an old package from 17 months ago
Regarding this incident, former NEAR core developer Vadim (@zacodil) published an in-depth technical analysis on X, revealing the details of the vulnerability. Vadim pointed out that the attacker knew exactly which deprecated package to call. "It’s not the code currently running, and it’s not the SDK path—it’s an old V2 from November 2023 that went unused for months. That means it was either deeply reverse-engineered, or someone already knew where to look. This vulnerability has been lurking for 17 months."
Vadim explained that the spool tracks an index that grows as rewards are allocated. When a user account stakes, it should record the last_index at that moment, so the points earned are: staked amount × (current_index − last_index); in other words, users can only earn rewards from the time they joined.
But in the deprecated V2 package, when a brand-new spool_account is created, last_index is not initialized and remains 0. Therefore, when update_points runs, the calculation result becomes: points = staked amount × (current_index − 0) = staked amount × the full historical index. The user is credited with all rewards accumulated since the spool was created in August 2023.
Vadim provided specific data: the spool index grew to 1.19 billion over 20 months. The attacker staked 136k sSUI and was instantly credited with 162 trillion points. Because the rewards pool uses a 1:1 conversion ratio (both numerator and denominator are 1), 162 trillion points convert directly into rewards worth 162k SUI. But the rewards pool only held 150k SUI, so it was drained entirely.
All April on-chain security incidents occurred in surrounding systems
Vadim explained that normal users go through the SDK, which routes calls to the new package, and the new package has fixed the last_index synchronization issue. The old V2 package still remains on-chain because Sui packages are immutable: once published, every old version can be called forever. The shared Spool and RewardsPool objects accept calls from any version, and the attacker bypassed the SDK to directly hit the old code path.
Vadim categorized this as a “Sui outdated package type vulnerability.” He pointed out that the correct fix requires adding a version field to the shared object and adding an assert!(version == CURRENT_VERSION) check in every function. Without this mechanism, every previously published package version will forever remain an active attack surface.
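The following is an added example that models the accounting described above; it is not Scallop's or Vadim's code and is written in Rust rather than Sui Move. It reproduces the reported figures (136k staked, index 1.19 billion, 150k SUI in the pool) on the deprecated path where last_index is left at 0, on the fixed path where the index is snapshotted at join time, and with the version gate Vadim describes (a version field on the shared object checked against a constant compiled into each package). The struct and function names, the version numbers, and the assumption that points are denominated in MIST (1e9 per SUI, so 162 trillion points correspond to 162k SUI) are mine.

```rust
// Added example modelling the spool accounting described in the article; not
// Scallop's or Vadim's code. Figures are the ones reported above; the unit
// scaling (points denominated in MIST, 1e9 per SUI) is an assumption.

pub const MIST_PER_SUI: u128 = 1_000_000_000;
/// Version constant compiled into the current package; the shared object's
/// `version` field is bumped to this value on every upgrade (assumed values).
pub const CURRENT_VERSION: u64 = 3;
/// The deprecated V2 package carries an older compiled-in constant.
pub const DEPRECATED_V2_VERSION: u64 = 2;

/// Shared Spool object: the cumulative reward index grows as rewards are allocated.
#[derive(Debug, Clone, PartialEq)]
pub struct Spool {
    pub version: u64,
    pub index: u128,
}

/// Per-user staking position.
#[derive(Debug, Clone, PartialEq)]
pub struct SpoolAccount {
    pub staked: u128,
    pub last_index: u128,
    pub points: u128,
}

/// Deprecated V2 behaviour: a brand-new account leaves last_index at 0.
pub fn new_account_v2(_spool: &Spool, staked: u128) -> SpoolAccount {
    SpoolAccount { staked, last_index: 0, points: 0 }
}

/// Fixed behaviour: snapshot the index at stake time, so only growth after
/// joining is ever credited.
pub fn new_account_fixed(spool: &Spool, staked: u128) -> SpoolAccount {
    SpoolAccount { staked, last_index: spool.index, points: 0 }
}

/// points += staked * (current_index - last_index); then advance the cursor.
pub fn update_points(spool: &Spool, acct: &mut SpoolAccount) {
    let delta = spool.index - acct.last_index;
    acct.points += acct.staked * delta;
    acct.last_index = spool.index;
}

/// Version gate (the "outdated package" fix): a call from a package whose
/// compiled-in constant no longer matches the shared object aborts.
pub fn update_points_gated(
    spool: &Spool,
    acct: &mut SpoolAccount,
    package_version: u64,
) -> Result<(), &'static str> {
    if spool.version != package_version {
        return Err("EWrongVersion: call from an outdated package");
    }
    update_points(spool, acct);
    Ok(())
}

/// Convert points to a payout with the pool's ratio, capped at the pool balance.
pub fn claim(points: u128, numerator: u128, denominator: u128, pool_balance: u128) -> u128 {
    (points * numerator / denominator).min(pool_balance)
}

/// Replays the reported exploit on the V2 path: (points credited, SUI paid out).
pub fn exploit_scenario() -> (u128, u128) {
    let spool = Spool { version: CURRENT_VERSION, index: 1_190_000_000 }; // reported index
    let mut acct = new_account_v2(&spool, 136_000); // reported stake
    update_points(&spool, &mut acct);
    let pool = 150_000 * MIST_PER_SUI; // reported pool balance
    (acct.points, claim(acct.points, 1, 1, pool) / MIST_PER_SUI)
}

/// Same stake against the fixed account creation: nothing is owed at join
/// time, only the index growth afterwards is credited.
pub fn fixed_scenario(index_growth_after_join: u128) -> u128 {
    let mut spool = Spool { version: CURRENT_VERSION, index: 1_190_000_000 };
    let mut acct = new_account_fixed(&spool, 136_000);
    update_points(&spool, &mut acct); // delta is 0 at join time
    spool.index += index_growth_after_join;
    update_points(&spool, &mut acct);
    acct.points
}

/// Whether a call arriving from the deprecated package is stopped by the gate.
pub fn old_package_call_blocked() -> bool {
    let spool = Spool { version: CURRENT_VERSION, index: 1_190_000_000 };
    let mut acct = new_account_v2(&spool, 136_000);
    update_points_gated(&spool, &mut acct, DEPRECATED_V2_VERSION).is_err()
}

fn main() {
    let (points, sui) = exploit_scenario();
    println!("V2 path: {} points credited, {} SUI drained", points, sui);
    println!("fixed path: {} points after the index grows by 1_000_000", fixed_scenario(1_000_000));
    println!("old package blocked by version gate: {}", old_package_call_blocked());
}
```

Running it shows 136,000 × 1,190,000,000 = 161,840,000,000,000 points credited on the V2 path, which the 1:1 ratio turns into more SUI than the pool holds, so the payout is capped at the full 150k balance; the fixed path credits 0 at join time and only 136,000 × 1,000,000 after the index grows by a million. The gate shows why the version field matters on Sui specifically: since the old package cannot be deleted, the shared object itself has to refuse calls whose compiled-in version constant is stale.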
Vadim further noted that most attack incidents this month did not occur in the core protocol code, but in surrounding systems:
KelpDAO: RPC infrastructure
Litecoin: MWEB privacy layer
Aethir: access control for peripheral adapters
Scallop: forgotten deprecated package
This article about the hacking of the Sui on-chain DeFi lending protocol Scallop, where a vulnerability in an old contract led to 150k SUI being stolen, first appeared on Chain News ABMedia.