Scallop Exploit Drains 150,000 SUI From Deprecated Rewards Contract
Immutable legacy contracts on Sui can leave old bugs open to attack.
Overview
- Scallop’s sSUI rewards pool lost about 150,000 SUI on Sunday after an attacker called a retired V2 package from November 2023.
- The drain hinged on an uninitialized “last_index” in the old rewards logic that let a new account claim rewards as if it had staked from day one.
- The pool’s rewards converted one-to-one into SUI, so the inflated points emptied the entire rewards balance in a single transaction.
- Scallop froze the affected contract, said core markets and user deposits were safe, resumed normal service, and pledged to cover all losses.
- Because Sui packages are immutable and stay callable, older versions remain part of the live attack surface, a risk underscored by April’s dozen-plus DeFi breaches that pushed industry losses above $600 million.
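To make the "uninitialized last_index" failure mode concrete, here is a small Python model of an index-based rewards pool, added here as an illustration and not code from Scallop or from Sui. The design (a global per-stake reward index, a per-account snapshot called last_index, pending = stake * (index - last_index)) and every name and amount in it are assumptions of this example, not details from the incident. The buggy path leaves a new account's last_index at zero, so it is paid as if it had staked since the index was zero; the hardened path snapshots the current index at join time. A solvency check shows the downstream effect: after the bad claim, the pool owes honest stakers more than it holds.

```python
"""Toy index-based rewards pool (constructed example, not Scallop's code).

Reward tokens are treated 1:1 with the underlying asset, as the summary
above describes, so draining the rewards balance drains the asset.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE = 10**9  # fixed-point scale for the per-stake reward index


@dataclass
class Account:
    stake: int
    last_index: int  # reward index at the account's last settlement
    claimed: int = 0


@dataclass
class Pool:
    total_stake: int = 0
    index: int = 0             # cumulative rewards per unit of stake (scaled)
    rewards_balance: int = 0   # reward tokens actually held by the pool
    accounts: dict[str, Account] = field(default_factory=dict)
    init_last_index: bool = True  # False reproduces the uninitialized-snapshot bug

    def distribute(self, amount: int) -> None:
        """Fund the pool and advance the global index for current stakers."""
        self.rewards_balance += amount
        if self.total_stake:
            self.index += amount * SCALE // self.total_stake

    def join(self, who: str, stake: int) -> None:
        """Open a position.

        Hardened: snapshot the current index so the account earns only from
        now on. Buggy: last_index is left at 0, i.e. "staked from day one".
        """
        snapshot = self.index if self.init_last_index else 0
        self.accounts[who] = Account(stake=stake, last_index=snapshot)
        self.total_stake += stake

    def pending(self, who: str) -> int:
        acct = self.accounts[who]
        return acct.stake * (self.index - acct.last_index) // SCALE

    def claim(self, who: str) -> int:
        """Pay out what the index math says is owed, capped by what the pool holds."""
        acct = self.accounts[who]
        owed = min(self.pending(who), self.rewards_balance)
        acct.last_index = self.index
        acct.claimed += owed
        self.rewards_balance -= owed
        return owed


def solvent(pool: Pool) -> bool:
    """Invariant worth monitoring: total pending claims never exceed the balance."""
    return sum(pool.pending(w) for w in pool.accounts) <= pool.rewards_balance


def scenario(initialize_last_index: bool) -> tuple[int, int, bool]:
    """Honest staker joins first and rewards accrue; a late joiner with equal
    stake claims immediately. Returns (late_joiner_paid, balance_left, solvent).
    All amounts are constructed sample values."""
    pool = Pool(init_last_index=initialize_last_index)
    pool.join("alice", stake=1_000)
    pool.distribute(80_000)   # accrued while only alice is staked
    pool.distribute(40_000)
    pool.join("mallory", stake=1_000)  # same stake, zero time staked
    paid = pool.claim("mallory")
    return paid, pool.rewards_balance, solvent(pool)


if __name__ == "__main__":
    print("hardened:", scenario(True))   # late joiner gets nothing, pool stays solvent
    print("buggy:   ", scenario(False))  # late joiner takes the whole balance
```

Two points follow from the model. First, the bug is silent at claim time: the arithmetic is internally consistent, so only an invariant like `solvent()` (or an alert on a single claim consuming the full rewards balance) would flag it. Second, on a chain where deployed packages are immutable, the hardened `join` cannot be patched into the old package; the operational fix is the one the summary describes, freezing the retired contract and keeping reward funds out of code paths that can no longer be upgraded.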