Monday, April 27, 2026

Scallop Exploit Exposes Legacy Contract Risk on Sui

Neon-lit illustration of a SUI token drained by a deprecated rewards contract, with a sleek code panel and digital bokeh.

Scallop’s DeFi protocol on Sui suffered an exploit in which an attacker drained roughly 150,000 SUI, valued at about $142,000 to $150,000, from a deprecated rewards pool. The incident did not stem from oracle manipulation, but from legacy contract logic that remained callable on an immutable chain.

The protocol froze the affected contract within minutes and said it would reimburse losses from its treasury. Core lending operations remained intact, limiting immediate user impact, but the exploit still highlighted a persistent weakness across DeFi infrastructure: retired code can remain economically dangerous if access and reward pathways are not fully closed.

A Deprecated Rewards Contract Became the Attack Surface

The attacker used a flash loan to supply capital, then staked approximately 136,000 sSUI into Scallop’s deprecated V2 rewards contract, which had been deployed in November 2023. That contract contained an uninitialized last_index counter in its reward calculation logic.

Because the variable defaulted to zero, the contract treated the newly deposited stake as if it had been earning rewards since the pool’s inception in August 2023. That accounting error generated an inflated balance of roughly 162 trillion reward points.

The attacker then redeemed those points against the pool’s 1:1 reward-point-to-SUI conversion mechanism, draining the available 150,000 SUI. The exploit was an internal accounting failure in an outdated contract version, not a pricing attack or oracle-driven manipulation.
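The accounting failure described above, and the hardening the article goes on to recommend, can be modelled in a few dozen lines. The following Python is an added illustration written for this article; it is not Scallop’s contract, and the pool name, the `safe` switch, the `retired` flag, the reward rate and all amounts and timestamps are constructed for the example. It models the common index-based rewards design: the pool keeps a cumulative reward index, and each staker keeps a `last_index` snapshot so that rewards are the index delta times their stake. With `safe=False` the snapshot is never written at stake time, so a first-time staker reads it back as zero and is credited with everything accrued since inception; with `safe=True` the snapshot is taken on deposit, a solvency invariant rejects any claim larger than what the pool has actually emitted, and a retired pool refuses both new stakes and point conversion.

```python
"""Toy index-based staking rewards pool (added illustration, not Scallop's code).
A per-user last_index snapshot that is never initialised reads back as zero, so
a fresh deposit is credited with every point accrued since the pool began.
Amounts, rates and timestamps are constructed for the example."""
from dataclasses import dataclass, field

SCALE = 10**18  # fixed-point scale for the cumulative reward index


class PoolRetired(Exception):
    """Raised when a retired pool is asked to accept a stake or pay a claim."""


@dataclass
class RewardPool:
    reward_rate: int                   # reward points emitted per second, pool-wide
    safe: bool                         # False reproduces the bug, True the hardened logic
    total_staked: int = 0
    index: int = 0                     # cumulative points per staked unit, scaled by SCALE
    last_update: int = 0
    emitted: int = 0                   # points the pool has actually accrued so far
    paid: int = 0                      # points already redeemed
    retired: bool = False
    stakes: dict = field(default_factory=dict)      # user -> staked amount
    last_index: dict = field(default_factory=dict)  # user -> index snapshot
    owed: dict = field(default_factory=dict)        # user -> settled, unclaimed points

    def accrue(self, now: int) -> None:
        """Roll the global index forward; nothing accrues while nobody is staked."""
        if self.total_staked > 0 and now > self.last_update:
            points = (now - self.last_update) * self.reward_rate
            self.emitted += points
            self.index += points * SCALE // self.total_staked
        self.last_update = now

    def pending(self, user: str) -> int:
        """Points owed by the index delta since the user's snapshot."""
        # A missing snapshot reads as 0, i.e. "earning since inception".
        delta = self.index - self.last_index.get(user, 0)
        return delta * self.stakes.get(user, 0) // SCALE

    def stake(self, user: str, amount: int, now: int) -> None:
        if self.safe and self.retired:
            raise PoolRetired("deprecated pool no longer accepts stakes")
        self.accrue(now)
        if self.safe:
            # Settle what the user has earned so far, then snapshot the index so
            # the enlarged stake only earns from this moment onward.
            self.owed[user] = self.owed.get(user, 0) + self.pending(user)
            self.last_index[user] = self.index
        # Bug path: last_index is never written here, so a first-time staker's
        # snapshot stays at the default of zero.
        self.stakes[user] = self.stakes.get(user, 0) + amount
        self.total_staked += amount

    def claim(self, user: str, now: int) -> int:
        """Redeem reward points (the article's 1:1 point-to-SUI route)."""
        if self.safe and self.retired:
            raise PoolRetired("conversion route revoked for retired pool")
        self.accrue(now)
        payout = self.pending(user) + self.owed.pop(user, 0)
        self.last_index[user] = self.index
        if self.safe and payout > self.emitted - self.paid:
            # Solvency invariant: one claim can never exceed what the pool has
            # emitted and not yet paid. Tripping it is a monitoring signal.
            raise AssertionError("claim exceeds accrued rewards")
        self.paid += payout
        return payout


def attack_scenario(safe: bool) -> dict:
    """Honest staker from inception, then a large deposit that redeems at once."""
    pool = RewardPool(reward_rate=1, safe=safe)
    pool.stake("alice", 1_000, now=0)                 # pool inception
    pool.stake("attacker", 136_000, now=1_000_000)    # large deposit much later
    payout = pool.claim("attacker", now=1_000_000)    # redeem in the same instant
    return {"attacker_payout": payout, "emitted": pool.emitted}


def hardened_followup() -> dict:
    """Hardened pool: accrual only from the snapshot; retiring closes claims."""
    pool = RewardPool(reward_rate=1, safe=True)
    pool.stake("alice", 1_000, now=0)
    pool.stake("attacker", 136_000, now=1_000_000)
    later = pool.claim("attacker", now=1_000_010)      # ten seconds of honest accrual
    pool.retired = True
    try:
        pool.claim("alice", now=1_000_020)
        closed = False
    except PoolRetired:
        closed = True
    return {"attacker_after_10s": later, "retired_closes_claims": closed}


if __name__ == "__main__":
    print("vulnerable:", attack_scenario(False), "hardened:", attack_scenario(True))
    print("follow-up:", hardened_followup())
```

In the vulnerable run the same-instant claim pays out 136 million points against a pool that has only ever emitted one million, the same shape as the inflated balance the article describes; in the hardened run it pays nothing, and ten seconds later it pays only the nine points the new stake has genuinely earned. Two design points carry over to real contracts: the snapshot must be written on every path that creates or enlarges a position, not only in the constructor, and the solvency check is worth keeping even when the accounting is believed correct, because it turns a silent accounting error into a reverted transaction that monitoring can alert on.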

Scallop froze the compromised contract and restored operations within hours. The protocol also committed to covering affected balances from its treasury, a response that helped contain the financial damage but did not erase the broader governance and engineering concern.

Audits Do Not Neutralize Old Code

The incident carried an additional warning for builders and risk teams: the deprecated contract had reportedly passed a Sui Foundation audit in February 2025. That detail underscores a hard lesson for immutable platforms. A point-in-time audit can validate a contract under known assumptions, but it does not remove legacy code from the attack surface once that code remains callable.

Scallop’s loss came during a difficult month for DeFi security. April 2026 reporting grouped the incident with larger breaches, including Drift at $285 million and KelpDAO at $292 million, with total reported DeFi losses for the month around $606 million.

The Scallop exploit reinforces two operational realities. Treasury reimbursement can reduce user losses, but it cannot fully protect a protocol’s reputation. And legacy code, even when replaced in SDKs or superseded by newer contract versions, can still create live financial exposure if old reward paths remain open.

Legacy-contract exposure on immutable chains should be treated as an active risk category, not a historical footnote. Custodians, treasuries and protocol teams should pair audits with continuous monitoring, explicit version-gating and rapid incident-response procedures.

Deprecated packages should be made uncallable where possible, and reward conversion routes should be revoked once pools are retired. Scallop contained this incident quickly, but the exploit shows how old logic can become new risk when deprecation is treated as documentation rather than enforcement.
