Sui Network decentralized lending protocol Scallop, on April 26 (Sunday), released an official announcement via the X platform confirming that it suffered a vulnerability attack. The attacker extracted about 150,000 SUI from a discarded rewards contract associated with the sSUI spool. According to the official statement, the core liquidity pool and user deposits were not affected. The protocol has resumed deposits and withdrawals, and it confirms it will fully compensate all losses with company funds.
Event timeline and Scallop’s official response
According to Scallop’s official X platform announcement (April 26 at 12:50 UTC), the attack target was an affiliated incentive contract for the sSUI spool. This contract is the incentive layer for SUI depositors and is not the core lending logic. Within minutes after the incident, the Scallop team froze the affected contracts. The core contracts were frozen until they were unfrozen within two hours, and withdrawals and deposits resumed at 14:42 UTC.
Scallop’s official statement says: “Scallop will fully make up 100% of the losses.”
Vulnerability technical analysis: the uninitialized counter in the 2023 abandoned package
(Source: Vadim)
According to independent on-chain analysis, the attack entry point was the discarded V2 spool package deployed by Scallop in November 2023, more than 17 months before this attack occurred. Under Sui Network’s technical architecture, deployed packages cannot be changed; unless version control is explicitly set, old versions can still be called.
The attacker identified an uninitialized last_index counter in the package. This counter is used to track the accumulated rewards of stakers. The attacker staked about 136,000 sSUI; the system treated this position as one that had been in existence since the spool started in August 2023. After about 20 months of exponential accumulation, the spool index grew to about 1.19 billion, enabling the attacker to obtain about 162 trillion reward points, which they exchanged for 150,000 SUI in a 1:1 ratio.
The on-chain transaction record can be looked up by hash: 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL
Recent DeFi vulnerability incident records on Sui
According to public reports, in early April 2026, the Volo Protocol on Sui Network suffered a similar attack. The attack target was also an affiliated contract rather than core protocol logic, with losses of about $3.5 million. In addition, about a week before that attack, an Ethereum network bridge attack occurred in which about $292 million in unsecured liquidity re-staking tokens were stolen.
As of the time this report was published, both the Sui Foundation and Mysten Labs had not issued any public statements regarding the Scallop incident. According to Scallop’s official explanation, the protocol plans to conduct a comprehensive audit of all existing old-version packages; the audit timeline is yet to be determined.
FAQ
When did this vulnerability attack occur, and what was the scale of the losses?
According to Scallop’s official X platform announcement, the attack took place on April 26, 2026 (Sunday) at 12:50 UTC. The attacker extracted about 150,000 SUI from the abandoned sSUI spool incentive contract. The core lending liquidity pool and user deposits in other markets were not affected.
What official commitments did Scallop make regarding this attack?
According to Scallop’s official statement, the protocol froze the affected contracts within minutes after the attack and restored full operational functionality at 14:42 UTC (about two hours after the announcement was published). Scallop confirmed it would fully compensate all losses with company funds, that user earnings would not be affected, and that it plans to conduct a comprehensive audit of all existing old-version packages.
What was the root technical cause of this vulnerability, and how is it related to Sui Network’s technical architecture?
According to independent on-chain analysis, the vulnerability stemmed from an uninitialized last_index counter in a discarded V2 spool package deployed in November 2023. On Sui Network, deployed packages are immutable; unless version control is explicitly set, old versions can still be called. This allowed the attacker to exploit abandoned code from more than 17 months earlier to extract 150,000 SUI.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
B.AI Upgrades Infrastructure, Launches Major Skills Features
Gate News message, April 27 — B.AI announced multiple product and ecosystem advancements this week. The BAIclaw landing page received a complete visual and interaction overhaul, with website multilingual support expanded to 10 languages, strengthening its global usability.
On the infrastructure
GateNews54m ago
JUST Releases Q1 2026 Results: $60M in Token Buybacks, JustLend DAO TVL Hits $6.91B
Gate News message, April 27 — JUST has released its Q1 2026 financial results, showing strong growth across key metrics. The project burned 1.356 billion JST tokens (13.70% of total supply) through cumulative buybacks worth $60.03 million, driving significant deflationary pressure.
JustLend DAO's t
GateNews54m ago
AI Agents Drive Crypto Payments Demand, x402 Processes 165M Transactions
Gate News message, April 27 — Jesse Pollak, an executive at a major CEX, has argued that autonomous AI agents are creating a new "demand center" for crypto payments, requiring software-native payment infrastructure. On April 20, it was announced that the x402 ecosystem had processed more than 165
GateNews2h ago
Developer Proposes Bitcoin Hard Fork to eCash With 1:1 Distribution, Sparks Debate Over Satoshi Address Allocation
Gate News message, April 27 — Developer Paul Sztorc has proposed a Bitcoin hard fork scheduled for August 2026 at block height 964,000 to create a new blockchain called eCash, according to CoinDesk. The fork will distribute eCash to users holding BTC at a 1:1 ratio and introduce Drivechains
GateNews2h ago
Western Union Remittance Q1 earnings call confirms: USDPT stablecoin launches in early May
According to remarks made by Western Union President and CEO Devin McGranahan during the company’s first-quarter earnings call on April 24, Western Union confirmed that its USDPT stablecoin is currently in the final preparation stage and is expected to go live in May.
MarketWhisper3h ago
Justin Sun calls TRON the world’s first post-quantum attack-resistant network, with the mainnet going live in Q3 of 2026.
TRON founder Justin Sun announced on X on April 26 that TRON plans to enable anti-quantum attack functionality on the testnet in the second quarter, with a mainnet launch planned for the third quarter. In the post, Justin Sun referred to this upgrade plan as “the world’s first anti-quantum attack network.” Although quantum threats are still largely theoretical for now, Ethereum, Solana, and others have already published post-quantum cryptography (PQC) upgrade plans or timelines.
MarketWhisper3h ago
