Scallop froze contracts after a hacker drained 150K SUI from a deprecated sSUI rewards pool. Core funds stayed safe. The protocol pledged a full refund.
The contracts went cold before most users noticed anything was wrong.
Scallop, a lending protocol on the Sui blockchain, announced a security incident after an attacker drained roughly 150,000 SUI from a side contract tied to its sSUI spool rewards pool. The protocol confirmed the breach on X, stating the affected contract had been frozen immediately. Core contracts, the team said, were not touched.
One Old Contract. Real Money Gone.
The exploit targeted what Scallop later described as a deprecated rewards contract. Not the main protocol. Not user deposit vaults. A leftover piece of infrastructure that, apparently, still held value.
According to @Scallop_io on X, the affected contract was frozen as soon as the incident was identified. The team confirmed only the sSUI rewards pool took the hit. All other pools remained operational throughout.
The scale of the loss sits at approximately 150K SUI. At current market prices that figure is not trivial.
Protocol Back Online, But Questions Linger
Hours after the initial freeze, Scallop posted an update. As @Scallop_io tweeted on X, core contracts were unfrozen and all operations resumed. Withdrawals and deposits came back online. The team clarified the issue had no connection to the core protocol and was confined entirely to the deprecated rewards contract.
User deposits, per the announcement, were never at risk. The team added it would share further technical details as the investigation continued.
Scallop pledged to cover one hundred percent of the loss. No partial reimbursement. The full amount.
A Pattern That Keeps Repeating on Sui
This is not the first time a Sui-based DeFi protocol has frozen operations after an exploit. Just days earlier, Volo Protocol lost $3.5 million in a separate breach, with three vaults drained before the team could act. Losses across DeFi platforms in April have exceeded $600 million by some estimates.
The Scallop incident fits a pattern that security researchers have flagged repeatedly. Deprecated contracts that retain balance but lose active monitoring. The attacker, in this case, found exactly that.
Scallop said it would continue monitoring the protocol and strengthen it going forward. Per the X post, no further anomalies had been detected at the time of writing.
