Scallop Loses $142K After Flash Loan Drains sSUI Rewards
An attacker used a flash loan to exploit an uninitialized variable in a deprecated sSUI rewards contract on Sui, draining about 150,000 SUI (roughly $142,000) on April 26, 2026.
On April 26, 2026, Scallop Protocol lost roughly $142,000 after an attacker exploited a deprecated sSUI rewards contract on the Sui blockchain and drained about 150,000 SUI from a rewards pool.
The actor used a flash loan and manipulated custom oracle price feeds to distort SUI/USDC rates, borrowed assets at the distorted prices and completed the transactions within a single block, repaying the flash loan before the block closed.
The technical flaw lay in an older V2 rewards contract tied to Scallop’s sSUI spool that had remained callable on-chain since November 2023. The contract never initialized a variable named “last_index” for new accounts. Because the reward index had grown over time, the uninitialized value allowed the attacker to claim rewards as if they had been participating in the pool since its inception.
On-chain data shows the attacker staked about 136,000 sSUI and was credited with roughly 162 trillion reward points. The rewards pool used a 1:1 conversion for points to SUI, which in practice converted the points to about 162,000 SUI; the pool held around 150,000 SUI and those funds were fully withdrawn during the exploit.
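The accounting flaw described above, modelled as an added Python example. This is not Scallop's contract code: the class, the account names, the index growth and the reserve size are constructed for illustration, and only the 136,000 stake size and the 1:1 conversion come from the article.

```python
from dataclasses import dataclass, field

@dataclass
class RewardsPool:
    init_last_index: bool              # False models the flaw; True is the fix
    reserve: int                       # payout units held by the pool
    index: int = 0                     # cumulative points per staked unit
    total_staked: int = 0
    stakes: dict = field(default_factory=dict)
    last_index: dict = field(default_factory=dict)
    points: dict = field(default_factory=dict)

    def accrue(self, new_points: int) -> None:
        # Spread new points over current stakers by raising the global index.
        if self.total_staked:
            self.index += new_points // self.total_staked

    def _settle(self, who: str) -> None:
        # Credit stake * (index growth since this account's checkpoint).
        self.points[who] += self.stakes[who] * (self.index - self.last_index[who])
        self.last_index[who] = self.index

    def stake(self, who: str, amount: int) -> None:
        if who not in self.stakes:
            self.stakes[who], self.points[who] = 0, 0
            # Flaw: checkpoint left at 0. Fix: start at the current index.
            self.last_index[who] = self.index if self.init_last_index else 0
        else:
            self._settle(who)
        self.stakes[who] += amount
        self.total_staked += amount

    def claim(self, who: str) -> int:
        self._settle(who)
        payout = min(self.points[who], self.reserve)   # 1:1 points to payout
        self.points[who] -= payout
        self.reserve -= payout
        return payout

def run(init_last_index: bool) -> tuple:
    pool = RewardsPool(init_last_index, reserve=150_000_000)  # constructed
    pool.stake("early_staker", 1_000)
    pool.accrue(1_200_000)             # constructed: index grows to 1_200
    pool.stake("newcomer", 136_000)    # joins after the index has grown
    return pool.claim("newcomer"), pool.claim("early_staker")

if __name__ == "__main__":
    print("uninitialized:", run(False))
    print("initialized:  ", run(True))
```

With the checkpoint left at zero, the newcomer's claim empties the reserve and the long-standing staker receives nothing; with the checkpoint set to the current index at account creation, the newcomer is owed nothing and the earlier staker is paid in full.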
Scallop temporarily paused protocol operations after detecting the activity and later resumed core contracts after confirming the issue was limited to the deprecated rewards contract. Core protocol deposits were not affected and withdrawals and deposits returned to normal operation.
On-chain traces indicate the stolen funds were quickly routed through a mixing service on Sui, which complicates recovery. The attacker contacted Scallop after the incident and offered to return 80% of the funds in exchange for a white-hat bounty; that offer and the incident remain under investigation.
Scallop intends to review prior audit reports and interactions with auditing firms to determine why the deprecated contract’s flaw was not identified earlier and will take steps to prevent callable legacy contracts from being exploited. At the time of the exploit, SUI traded near $0.94 with 24-hour volume around $187 million.