A Scallop exploit on April 26 drained approximately 150,000 SUI from the protocol’s sSUI rewards pool. The attacker did not touch Scallop’s active code. Not the live SDK. An old V2 contract from November 2023, sitting dormant for months, was the entry point.

Scallop confirmed the incident through a security notice posted on X, stating the affected contract had been frozen and that core contracts remained safe. The team pledged to cover 100% of the loss from its own treasury. No user deposits were touched.

The Bug Nobody Noticed for 17 Months

The mechanics are straightforward once laid out. Blockchain researcher Vadim, posting as @zacodil on X, broke down exactly how it worked. Each staker account is supposed to record a last_index value at the moment of staking. Rewards are then calculated as stake multiplied by the difference between the pool's current index and that stored value, so a staker is only paid for index growth that happened after they staked.

The deprecated V2 package never initialized last_index. It defaulted to zero. So when an attacker staked 136,000 sSUI through the old contract, the difference the reward formula saw was the entire index, not the growth since staking. That index had accrued over roughly 20 months to 1.19 billion, and 136,000 multiplied by 1.19 billion produced about 162 trillion reward points instantly.

“Scallop drained for 150K SUI by someone who knew exactly which deprecated package to call. Not the active code. Not the SDK path. An old V2 from November 2023 that nobody’s used in months. Either deep reverse engineering, or someone who knew where to look.”

The rewards pool paid out at a 1:1 rate in base units. SUI is denominated in MIST, 10^9 per coin, so 162 trillion points converted to approximately 162,000 SUI worth of rewards. The pool held 150,000 SUI. All of it went. The on-chain transaction is recorded at hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL.

Why the Old Contract Was Still Reachable

Sui packages are immutable. Once a package is published, no one can delete or modify it; an upgrade publishes a new package alongside the old one, and every version ever published stays callable on-chain. Scallop had moved users to a newer package through its SDK, which fixed the last_index sync issue. But the shared Spool and RewardsPool objects accepted calls from any version of the package, old or new, because nothing in the shared objects recorded which package version was allowed to act on them.

The attacker bypassed the SDK entirely and called the old V2 path directly.

@malshaalan raised the structural problem on X, pointing out that on chains where old packages cannot be deleted, every upgrade actually expands the attack surface rather than shrinking it. The fix, as Vadim noted, requires version fields on shared objects and explicit version checks inside every function. Without those checks, prior versions remain live weapons.
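The following module, added here as an illustration and not Scallop's or @zacodil's code, models both halves of the story in Sui Move (2024 edition, where object, tx_context and transfer are implicit imports). Module, type and function names are hypothetical, and the stake amount is passed as a plain integer rather than an sSUI coin to keep the example short. `stake_unsynced` reproduces the deprecated behaviour of leaving last_index at zero; `stake` snapshots the current index; and the `version` field on the shared `Spool` plus `assert_version` in every entry function is the gate Vadim describes, so a package compiled with an older VERSION constant aborts instead of touching the pool.

```move
/// Added example, not Scallop's code. Names are hypothetical.
module example::spool {
    use sui::coin::{Self, Coin};
    use sui::balance::{Self, Balance};
    use sui::sui::SUI;

    /// Bumped on every package upgrade. The old package keeps the old
    /// constant compiled in, so its entry functions fail assert_version.
    const VERSION: u64 = 3;
    /// Fixed-point scale for the reward index.
    const SCALE: u128 = 1_000_000_000;

    const EWrongVersion: u64 = 0;
    const ENotUpgrade: u64 = 1;

    public struct AdminCap has key, store { id: UID }

    /// Shared object. Any package version can name it in a transaction;
    /// only the version check keeps deprecated code from acting on it.
    public struct Spool has key {
        id: UID,
        version: u64,
        /// Cumulative reward per staked unit, scaled by SCALE, only grows.
        index: u128,
        total_staked: u64,
        rewards: Balance<SUI>,
    }

    public struct StakeAccount has key, store {
        id: UID,
        stake: u64,
        /// Index snapshot at the moment of staking or last claim.
        last_index: u128,
    }

    fun init(ctx: &mut TxContext) {
        transfer::transfer(AdminCap { id: object::new(ctx) }, ctx.sender());
        transfer::share_object(Spool {
            id: object::new(ctx),
            version: VERSION,
            index: 0,
            total_staked: 0,
            rewards: balance::zero(),
        });
    }

    /// Every function that touches the shared object runs this first.
    fun assert_version(spool: &Spool) {
        assert!(spool.version == VERSION, EWrongVersion);
    }

    /// Run once by the admin after publishing an upgrade. From then on,
    /// calls that came in through an older package version abort.
    public fun migrate(_cap: &AdminCap, spool: &mut Spool) {
        assert!(spool.version < VERSION, ENotUpgrade);
        spool.version = VERSION;
    }

    /// Deposit rewards and advance the per-unit index.
    public fun fund(spool: &mut Spool, reward: Coin<SUI>) {
        assert_version(spool);
        let amount = (coin::value(&reward) as u128);
        if (spool.total_staked > 0) {
            spool.index = spool.index + amount * SCALE / (spool.total_staked as u128);
        };
        balance::join(&mut spool.rewards, coin::into_balance(reward));
    }

    /// The deprecated pattern: last_index is left at 0, so the first claim
    /// is paid for the pool's entire history. Shown only to expose the defect.
    public fun stake_unsynced(spool: &mut Spool, amount: u64, ctx: &mut TxContext): StakeAccount {
        spool.total_staked = spool.total_staked + amount;
        StakeAccount { id: object::new(ctx), stake: amount, last_index: 0 }
    }

    /// Corrected: gate on version and snapshot the current index.
    public fun stake(spool: &mut Spool, amount: u64, ctx: &mut TxContext): StakeAccount {
        assert_version(spool);
        spool.total_staked = spool.total_staked + amount;
        StakeAccount { id: object::new(ctx), stake: amount, last_index: spool.index }
    }

    /// Pending reward = stake * (index - last_index) / SCALE.
    public fun pending(spool: &Spool, acct: &StakeAccount): u64 {
        let delta = spool.index - acct.last_index;
        ((((acct.stake as u128) * delta) / SCALE) as u64)
    }

    public fun claim(spool: &mut Spool, acct: &mut StakeAccount, ctx: &mut TxContext): Coin<SUI> {
        assert_version(spool);
        let owed = pending(spool, acct);
        acct.last_index = spool.index;
        coin::from_balance(balance::split(&mut spool.rewards, owed), ctx)
    }
}
```

The upgrade routine this assumes is the standard Sui versioned-shared-object pattern: bump VERSION, publish the upgrade, then call `migrate` once with the admin capability. Until `migrate` runs, the new package aborts (its VERSION is ahead of the object); after it runs, the previous package aborts forever, which is exactly the property the deprecated V2 path lacked. Note that the check has to sit in every function that reads or mutates the shared object, including view-style functions, because a version without the check is a version the old package can still call.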

Scallop had completed a full audit by the Sui Foundation in February 2025. Two months before this exploit. The deprecated contract fell outside that audit’s scope.

Operations Restored, Full Post-Mortem Pending

Scallop posted an incident update on X confirming core contracts had been unfrozen and all operations resumed. Withdrawals and deposits returned to normal. The team stated the issue was isolated entirely to the deprecated rewards contract and bore no relation to the core protocol.

“The issue was not related to the core protocol and was isolated to a deprecated rewards contract. User deposits were not impacted and all funds remain safe.”

A full post-mortem has not been released yet. Scallop said further details are coming.

The Scallop exploit sits inside a broader pattern Vadim identified across the same month. Most breaches hit peripheral code, not core protocol logic. KelpDAO lost funds through RPC infrastructure. Litecoin's incident came through its MWEB privacy layer. Aethir's breach came through access control on a peripheral adapter. Scallop's came through a forgotten package version.

The audit perimeter, according to Vadim’s post, has to cover every contract ever shipped. Not just whatever version is currently deployed.