Scallop, a money market on the Sui Network, lost about 150,000 SUI on Sunday after an attacker drained a deprecated rewards contract tied to the protocol's sSUI spool.
The team froze the affected contract within minutes and pledged full reimbursement from its treasury. Core operations resumed in under two hours.
Another Sui Exploit Hits Peripheral Code, Not the Core Protocol
Scallop disclosed the incident at 12:50 UTC on April 26 via a public notice on X. The attacker targeted a side contract powering rewards for the sSUI spool. That spool is the protocol's incentive layer for SUI depositors.
The affected contract was frozen immediately, according to the team. Core lending and borrowing pools stayed untouched. User deposits remained safe across every other Scallop market.
Two hours later, Scallop confirmed the freeze had been lifted on the core contracts. Withdrawals and deposits resumed at 14:42 UTC.
Most users on the Sui network were unaffected by the morning's events.
"Scallop will fully cover 100% of the loss," the money market said.
Stale Package Code From 2023 Sat Behind the Exploit
Independent on-chain analysis points to a deprecated V2 spool package as the entry point. Scallop published the code in November 2023, more than 17 months before the attack. On Sui, deployed packages are immutable. Old versions stay callable unless explicitly version-gated.
The bug centered on an uninitialized last_index counter, which tracks accumulated rewards for stakers. The attacker staked roughly 136,000 sSUI to exploit it.
Because the counter started at zero, the reward math treated the position as if it had existed since the spool launched in August 2023.
The spool index had grown to about 1.19 billion over 20 months. That allowed the exploiter to harvest around 162 trillion reward points. These redeemed one-to-one for 150,000 SUI from the rewards pool.
The transaction hash 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL captures the on-chain proof of the drain.
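As an added illustration (not Scallop's code, and written in Python rather than Move), the block below models the index-based reward accounting the article describes: each staker earns stake × (global index − last_index), so a position whose last_index is left at zero is credited for the entire history of the spool. The vulnerable stake path sits beside the corrected one, with the invariant a reviewer would check right after staking. The stake size and index value are the figures reported above; the 150,000 SUI pool balance is an assumption, since the article gives only the amount drained.

```python
from dataclasses import dataclass

# Constructed figures based on the article: a 136,000 sSUI stake against a
# global index of about 1.19 billion. The 150,000 SUI pool balance is an
# assumption (the article states only the amount drained).
STAKE_SSUI = 136_000
GLOBAL_INDEX = 1_190_000_000
REWARDS_POOL_SUI = 150_000


@dataclass
class Position:
    amount: int       # staked sSUI
    last_index: int   # snapshot of the global index when rewards were last settled


class Spool:
    """Reward accumulator: a staker earns amount * (index - last_index) points."""

    def __init__(self, rewards_pool: int, index: int = 0):
        self.index = index
        self.rewards_pool = rewards_pool
        self.positions: dict[str, Position] = {}

    def accrue(self, delta: int) -> None:
        # Rewards distributed per staked unit since the last update.
        self.index += delta

    def stake_vulnerable(self, who: str, amount: int) -> None:
        # Defect: last_index keeps its zero default instead of the current
        # global index, so the new position is credited for every index
        # increment since the spool's launch.
        self.positions[who] = Position(amount, 0)

    def stake_fixed(self, who: str, amount: int) -> None:
        # Correct: snapshot the global index at stake time, so the position
        # only earns from this point forward.
        self.positions[who] = Position(amount, self.index)

    def claimable(self, who: str) -> int:
        p = self.positions[who]
        return p.amount * (self.index - p.last_index)

    def redeem(self, who: str) -> int:
        # Points redeem one-to-one for SUI, bounded by what the pool holds.
        paid = min(self.claimable(who), self.rewards_pool)
        self.rewards_pool -= paid
        self.positions[who].last_index = self.index
        return paid


def fresh_position_invariant(spool: Spool, who: str) -> bool:
    # Check to run immediately after staking: a new position has nothing to claim.
    return spool.claimable(who) == 0


def run_scenario(vulnerable: bool) -> dict:
    """Stake into a spool whose index has already grown, then redeem once."""
    spool = Spool(REWARDS_POOL_SUI, index=GLOBAL_INDEX)
    stake = spool.stake_vulnerable if vulnerable else spool.stake_fixed
    stake("staker", STAKE_SSUI)
    invariant_ok = fresh_position_invariant(spool, "staker")
    points = spool.claimable("staker")
    paid = spool.redeem("staker")
    return {
        "invariant_ok": invariant_ok,
        "points": points,
        "paid_sui": paid,
        "pool_left": spool.rewards_pool,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(True))
    print("fixed:     ", run_scenario(False))
```

With the constructed figures, the vulnerable path yields 136,000 × 1.19 billion ≈ 1.62 × 10^14 points, matching the roughly 162 trillion reported, and the redemption is capped only by the pool's balance. The fixed path yields zero on a fresh stake and then accrues only from subsequent index growth; the `fresh_position_invariant` check is the kind of assertion that catches this class of bug in a test suite before a legacy package is ever left callable on-chain.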
A Familiar Pattern Across Sui DeFi
The incident follows a string of Sui exploits in recent weeks. Volo Protocol lost roughly $3.5 million earlier this month in a similar peripheral incident. Each case targeted side contracts rather than core protocol logic.
It also lands one week after a major bridge incident on Ethereum, which produced roughly $292 million in unbacked liquid restaking tokens. Both attacks occurred over weekends, when liquidity is thin and response times can lag.
Neither the Sui Foundation nor Mysten Labs has made a public statement on the matter.
For Scallop, however, the financial damage appears contained. The protocol confirmed it will absorb the entire loss without diluting user yields.
The team has not yet released a full post-mortem, and the possible publication of a complete audit of every remaining legacy package is likely to shape the broader Sui DeFi response.
The deeper question is how Sui builders should manage immutable code and forgotten attack surfaces.
The post Another DeFi Exploit Drains 150,000 SUI From Scallop's Deprecated Contract appeared first on BeInCrypto.