Scallop froze contracts after a hacker drained 150K SUI from a deprecated sSUI rewards pool. Core funds stayed protected. The protocol pledged a full refund.
The contracts went cold before most users noticed something was wrong.
Scallop, a lending protocol on the Sui blockchain, announced a security incident after an attacker drained roughly 150,000 SUI from a side contract tied to its sSUI spool rewards pool. The protocol confirmed the breach on X, stating the affected contract had been frozen immediately. Core contracts, the team said, weren’t touched.
One Outdated Contract. Real Money Gone.
The exploit targeted what Scallop later described as a deprecated rewards contract. Not the main protocol. Not user deposit vaults. A leftover piece of infrastructure that, apparently, still held value.
According to @Scallop_io on X, the affected contract was frozen as soon as the incident was identified. The team confirmed only the sSUI rewards pool took the hit. All other pools remained operational throughout.
The size of the loss sits at roughly 150K SUI. At current market prices that figure is not trivial.
Protocol Back Online, But Questions Linger
Hours after the initial freeze, Scallop posted an update. As @Scallop_io tweeted on X, core contracts had been unfrozen and all operations resumed. Withdrawals and deposits came back online. The team clarified the issue had no connection to the core protocol and was confined entirely to the deprecated rewards contract.
User deposits, per the announcement, were never at risk. The team added it would share further technical details as the investigation continued.
Scallop pledged to cover 100% of the loss. No partial reimbursement. The full amount.
A Pattern That Keeps Repeating on Sui
This isn’t the first time a Sui-based DeFi protocol has frozen operations after an exploit. Just days earlier, Volo Protocol lost $3.5 million in a separate breach, with three vaults drained before the team could act. Losses across DeFi platforms in April have exceeded $600 million by some estimates.
The Scallop incident fits a pattern that security researchers have flagged repeatedly: deprecated contracts that retain a balance but lose active monitoring. The attacker, in this case, found exactly that.
Scallop said it would continue monitoring the protocol and strengthen it going forward. Per the X post, no further anomalies had been detected at the time of writing.
