Another DeFi Exploit Drains 150,000 SUI From Scallop’s Deprecated Contract

Scallop, a money market on Sui Network, lost about 150,000 SUI on Sunday after an attacker drained a deprecated rewards contract tied to the protocol’s sSUI spool.

The team froze the affected contract within minutes and pledged full reimbursement from its treasury. Core operations resumed in under two hours.

Another Sui Exploit Hits Peripheral Code, Not the Core Protocol

Scallop disclosed the incident at 12:50 UTC on April 26 via a public notice on X. The attacker targeted a side contract powering rewards for the sSUI spool. That spool is the protocol’s incentive layer for SUI depositors.

The affected contract was frozen immediately, according to the team. Core lending and borrowing pools stayed untouched. User deposits remained safe across every other Scallop market.

Two hours later, Scallop confirmed the freeze had been lifted on the core contracts. Withdrawals and deposits resumed at 14:42 UTC.

Most users on the Sui network were unaffected by the morning’s events.

“Scallop will absolutely cover 100% of the loss,” the money market stated.

Stale Package Code From 2023 Sat Behind the Exploit

Independent on-chain analysis points to a deprecated V2 spool package as the entry point. Scallop published the code in November 2023, more than 17 months before the attack. On Sui, deployed packages are immutable. Old versions stay callable unless explicitly version-gated.

The bug centered on an uninitialized last_index counter, which tracks accumulated rewards for stakers. The attacker staked roughly 136,000 sSUI to exploit it.

This math treated the position as if it had existed since the spool launched in August 2023.

The spool index had grown to about 1.19 billion over 20 months. That allowed the exploiter to reap around 162 trillion reward points. Those redeemed one-to-one for 150,000 SUI from the rewards pool.

The transaction hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL captures the on-chain proof of the drain.
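The accounting flaw described above can be modeled in a few lines. The following is an added example, not Scallop's code and not part of the original article: it assumes the common accumulator formula (points = stake × (spool index − account last_index)), and the class names, function names and version number are hypothetical. It contrasts a staking path that leaves last_index at zero with one that snapshots the index and checks a version gate.

```python
# Simplified model of reward-index accounting (added example, not Scallop's code).
# Assumption: points owed = stake * (spool_index - account.last_index).
from dataclasses import dataclass, field

CURRENT_VERSION = 3  # hypothetical version number for the live package

@dataclass
class Account:
    stake: int = 0
    last_index: int = 0  # a fresh account starts at 0 unless staking sets it
    points: int = 0

@dataclass
class Spool:
    index: int = 0  # cumulative rewards per staked unit since launch
    version: int = CURRENT_VERSION
    accounts: dict = field(default_factory=dict)

    def _settle(self, acct):
        acct.points += acct.stake * (self.index - acct.last_index)
        acct.last_index = self.index

    def stake_legacy(self, who, amount):
        """Deprecated path: never snapshots the index for a new account."""
        acct = self.accounts.setdefault(who, Account())
        acct.stake += amount  # last_index stays 0

    def stake_fixed(self, who, amount, caller_version):
        """Hardened path: version gate, then settle before changing stake."""
        if caller_version != self.version:
            raise PermissionError("deprecated package version")
        acct = self.accounts.setdefault(who, Account(last_index=self.index))
        self._settle(acct)
        acct.stake += amount

    def claimable(self, who):
        acct = self.accounts[who]
        self._settle(acct)
        return acct.points

def demo(fixed):
    spool = Spool(index=1_190_000_000)  # index level reported in the article
    if fixed:
        spool.stake_fixed("late_staker", 136_000, CURRENT_VERSION)
    else:
        spool.stake_legacy("late_staker", 136_000)
    return spool.claimable("late_staker")
```

With the article's figures, the legacy path credits 136,000 × 1.19 billion ≈ 162 trillion points to a position that has accrued nothing, while the hardened path credits zero until the index moves.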

A Familiar Pattern Across Sui DeFi

The incident follows a string of Sui exploits in recent weeks. Volo Protocol lost roughly $3.5 million earlier this month in a similar peripheral incident. Each case targeted side contracts rather than core protocol logic.

It also lands one week after a major bridge incident on Ethereum, which produced roughly $292 million in unbacked liquid restaking tokens. Both attacks happened over weekends, when liquidity is thin and response times can lag.

Neither the Sui Foundation nor Mysten Labs has made a public statement on the matter.

For Scallop, however, the financial damage appears contained. The protocol confirmed it will absorb the entire loss without diluting user yields.

The team has not released a full post-mortem yet, with a potential publication of a complete audit of every remaining legacy package likely to shape the broader Sui DeFi response.

The deeper question is how Sui developers should handle immutable code and forgotten attack surfaces.

The post Another DeFi Exploit Drains 150,000 SUI From Scallop’s Deprecated Contract appeared first on BeInCrypto.
