A security incident recently disrupted Scallop’s Sui (SUI) rewards pool, but fortunately the damage was limited to a narrow contractual layer. The exploit drained approximately 150,000 SUI and exposed a vulnerability in a secondary module rather than in the core infrastructure.
As this unfolded, the team froze the affected contract, limiting further losses and stabilizing user exposure. Core pools remained intact, underscoring how effectively the protocol’s modular design insulates risk. This response also reduced the risk of a broader liquidity shock across the ecosystem.


More importantly, the event highlighted how peripheral contracts can introduce hidden risks. Scallop’s decision to cover 100% of losses helped restore confidence, while continued caution could influence short-term user activity and confidence dynamics.
Old contract bug resulted in 150,000 SUI leak
The exploit took place via a sloppy contract route, showing that the attacker knew exactly where to strike. The transaction involved approximately 150,098 SUI transferred to a single account, confirming that the pool had been emptied.
This happened because an old V2 contract did not set the user’s last_index when staking. As a result, the system calculated rewards from the pool’s initial index (zero) rather than from the index at the moment of staking.


As the spool index reached around 1.19 billion, the attacker’s stake of 136,000 sSUI was credited with rewards for the pool’s entire history in a single step. This inflated the payout to around 150,000 SUI, which was then transferred to a single wallet.
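As an added illustration, not Scallop’s own code (which is written in Move for Sui), the following Python model reproduces the reward-index accounting the article describes, with the missing checkpoint beside the corrected version. The 10^9 fixed-point scale is an assumption, so the figure it produces is only of the same order as the ~150,000 SUI reported.

```python
from dataclasses import dataclass, field

SCALE = 10**9  # assumed fixed-point scale for the reward index (not stated in the article)


@dataclass
class Position:
    amount: int = 0       # staked sSUI
    last_index: int = 0   # pool index snapshotted at the last checkpoint
    accrued: int = 0      # rewards settled but not yet claimed


@dataclass
class Spool:
    index: int = 0        # cumulative rewards per staked unit, scaled by SCALE
    positions: dict = field(default_factory=dict)

    def pending(self, user: str) -> int:
        """Rewards claimable now: settled balance plus stake * index delta."""
        pos = self.positions[user]
        return pos.accrued + pos.amount * (self.index - pos.last_index) // SCALE

    def stake_vulnerable(self, user: str, amount: int) -> None:
        # Models the bug described in the article: the position is created
        # without snapshotting the current index, so last_index stays at 0
        # and the staker is credited for every reward since pool genesis.
        pos = self.positions.setdefault(user, Position())
        pos.amount += amount

    def stake_fixed(self, user: str, amount: int) -> None:
        # Checkpoint first: settle what the existing stake has earned, then
        # move last_index to the current index before the stake grows.
        pos = self.positions.setdefault(user, Position(last_index=self.index))
        pos.accrued = self.pending(user)
        pos.last_index = self.index
        pos.amount += amount


def simulate(stake_method: str) -> int:
    """Stake 136,000 sSUI at a pool index of ~1.19 billion (figures from the
    article) and return the rewards claimable immediately afterwards."""
    pool = Spool(index=1_190_000_000)
    getattr(pool, stake_method)("staker", 136_000)
    return pool.pending("staker")


if __name__ == "__main__":
    print("vulnerable:", simulate("stake_vulnerable"))  # rewards for the whole pool history
    print("fixed:     ", simulate("stake_fixed"))       # 0 until the index advances
```

The fixed path pays nothing at stake time and thereafter only for index growth that occurs while the stake is in place.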
Even though base contracts remained secure, this event demonstrated how forgotten code paths can create hidden risks, affecting user trust in the short term.
Post-exploit stability as long as user trust remains
Following the exploit, Scallop restored operations, signaling a controlled recovery rather than a systemic failure. Base contracts were resumed as the issue remained limited to an outdated rewards module.


This confinement reassured users, especially as deposits remained secure and withdrawals continued normally. As a result, the TVL held at nearly $22.37 million – a sign that there were no immediate panic-driven capital outflows. This stability suggests that users recognized the limited scope of the incident.
However, this response also highlighted a deeper problem, one where edge modules extend the attack surface beyond the core logic being audited. Even if confidence is maintained for the moment, its maintenance will depend on the continued stability of flows. If TVL remains stable or increases, confidence will build, while delayed fund outflows could still emerge as users reassess the protocol’s risks.


