Scallop suffered a flash loan attack on Sunday after an exploiter drained about $142,000 from an outdated rewards contract linked to its sSUI pool.
The incident involved roughly 150,000 SUI and appeared to rely on oracle manipulation and an uninitialized reward variable. Scallop said its core protocol stayed secure, user deposits remained safe, and the loss stayed limited to an isolated contract.
Deprecated Contract Exposes Hidden Risk
Scallop’s exploit did not target its main lending system or current protocol code. Instead, the attacker interacted with an older V2 contract from November 2023 that remained callable on-chain despite being deprecated. On Sui, a published package is immutable: an upgrade publishes a new package ID rather than replacing the old one, so superseded versions stay callable unless the protocol’s own objects refuse them. That design turned abandoned code into an overlooked attack surface.
Security analysts said the contract contained a subtle but serious flaw. When a new account was added to the rewards pool, the variable named last_index was never set to the pool’s current reward index and stayed at zero. Reward-index accounting pays each account its stake multiplied by the growth of the index since its last settlement, so a zero last_index made the new account look as though it had been staked since the pool began.
The reward index had grown sharply over about 20 months. After staking 136,000 sSUI, the attacker received credit for 162 trillion reward points. The pool used a one-to-one exchange rate between points and SUI’s base units, and SUI has one billion base units per token, so those points converted into about 162,000 SUI. The pool held only 150,000 SUI, so the attacker drained the entire available balance rather than the full amount the contract believed it owed.
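The accounting flaw described above, modelled as an added example for this article. This is Python, not Scallop’s Move code, and it does not reproduce the on-chain transaction; the pool model, the names (RewardPool, Account, stake, claim, run_scenario) and every number are constructed to mirror the magnitudes the analysts reported: a pool whose index grew over 20 reward periods, a 150,000-token reward balance, and a newcomer staking 136,000 tokens. The same class runs the buggy path (last_index left at zero) and the fixed path (last_index set to the current index at account creation) so the two outcomes can be compared.

```python
"""
Reward-index accounting with an uninitialized last_index, modelled in Python.
Added example for this article; not Scallop's code. All names and numbers are
constructed for illustration.
"""
from dataclasses import dataclass, field

SCALE = 10**9  # fixed-point scale for the per-unit reward index


@dataclass
class Account:
    stake: int = 0
    last_index: int = 0  # pool index at the account's last settlement
    owed: int = 0        # settled but unclaimed rewards


@dataclass
class RewardPool:
    init_last_index: bool          # False reproduces the bug, True is the fix
    index: int = 0                 # cumulative reward per staked unit, scaled
    total_stake: int = 0
    balance: int = 0               # reward tokens actually held by the pool
    accounts: dict = field(default_factory=dict)

    def distribute(self, amount: int) -> None:
        """Fund rewards; every unit staked right now earns amount/total_stake."""
        self.balance += amount
        if self.total_stake:
            self.index += amount * SCALE // self.total_stake

    def _settle(self, acct: Account) -> None:
        """Credit growth of the index since last settlement, then catch up."""
        acct.owed += acct.stake * (self.index - acct.last_index) // SCALE
        acct.last_index = self.index

    def stake(self, who: str, amount: int) -> None:
        acct = self.accounts.get(who)
        if acct is None:
            acct = Account()
            if self.init_last_index:
                acct.last_index = self.index  # fix: start from the current index
            # bug path: last_index stays 0, as if staked since pool inception
            self.accounts[who] = acct
        else:
            self._settle(acct)  # existing stakers settle before changing stake
        acct.stake += amount
        self.total_stake += amount

    def claimable(self, who: str) -> int:
        """What the pool believes it owes, before capping at its balance."""
        acct = self.accounts[who]
        return acct.owed + acct.stake * (self.index - acct.last_index) // SCALE

    def claim(self, who: str) -> int:
        acct = self.accounts[who]
        self._settle(acct)
        paid = min(acct.owed, self.balance)  # cannot pay more than it holds
        acct.owed -= paid
        self.balance -= paid
        return paid


def run_scenario(init_last_index: bool) -> dict:
    """Honest staker earns for 20 periods, then a newcomer stakes and claims."""
    pool = RewardPool(init_last_index=init_last_index)
    pool.stake("alice", 126_000)
    for _ in range(20):            # twenty reward top-ups (constructed)
        pool.distribute(7_500)     # 150,000 in total, none claimed yet
    pool.stake("attacker", 136_000)
    owed = pool.claimable("attacker")
    paid = pool.claim("attacker")
    return {"owed": owed, "paid": paid, "pool_left": pool.balance,
            "alice_owed": pool.claimable("alice")}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))
    print("fixed:     ", run_scenario(True))
```

On the buggy path the newcomer is credited roughly 161,900 tokens of rewards it never earned, the pool pays out its whole 150,000 balance, and the honest staker is left owed rewards the pool can no longer cover. On the fixed path the newcomer starts with a zero claim and the balance is untouched. The fix is a single assignment at account creation; the audit check is to confirm that every code path that creates an account sets last_index from the live index.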
Oracle Manipulation Supports Flash Loan Strategy
Analysts also pointed to manipulation of Scallop’s custom oracle price feeds. The attacker reportedly pushed down the SUI and USDC rates, borrowed assets at the distorted prices, and repaid the flash loan within the same transaction. The spread that remained after repayment became the attacker’s profit.
The transaction followed a known DeFi exploit pattern, but its execution appeared highly targeted. The attacker avoided the active routes and standard SDK paths and instead called the old package that still had on-chain access. On-chain data later showed the stolen funds moving through a Sui-based mixing service, which may complicate recovery efforts.
Scallop Resumes Operations After Review
Scallop paused activity after detecting the exploit, then later unfroze its core contracts. The team said deposits and withdrawals resumed normally and emphasized that the issue did not affect user funds. The attacker reportedly contacted Scallop and offered to return 80 percent of the funds in exchange for a white-hat bounty.
The case adds to a difficult April for DeFi security. Several major incidents this month came from old contracts, adapters, and infrastructure layers rather than core protocol systems. Reported losses across April incidents exceeded $600 million by mid-month, with Kelp DAO and Drift Protocol contributing most of the damage. Scallop’s case shows how unused code can still create live risk. It also highlights why teams must track every deployed package, not just the latest audited release, and, on a chain where old packages cannot be removed, why superseded versions should be made to fail: a common pattern is to keep a version number in the protocol’s shared objects and have each entry function abort unless that number matches the version the package was built for, so that funds and reward state can no longer be reached through retired code.