Scallop exploit drains 150K SUI, but what about core liquidity and trust?
Another day, another exploit, but how did users react?
A security incident disrupted Scallop’s Sui [SUI] rewards pool recently. Fortunately, however, the damage was contained within a narrow contract layer. The exploit drained about 150K SUI, which pointed to a vulnerability in a side module rather than core infrastructure.
As this unfolded, the team froze the affected contract, limiting further losses and stabilizing user exposure. Core pools remained intact, which underlined how the protocol’s modular design isolated risk effectively. This response reduced the chance of broader liquidity shock across the ecosystem too.
More importantly, the event highlighted how peripheral contracts can introduce hidden risks. Scallop’s decision to cover 100% of losses helped restore confidence, while ongoing caution may influence short-term user activity and trust dynamics.
Old contract bug led to 150K SUI drain
The exploit unfolded through an overlooked contract path, showing the attacker understood exactly where to strike. The transaction involved about 150,098 SUI flowing to a single account, confirming the pool was drained.
This happened because an old V2 contract did not set the user’s last_index when staking. As a result, the system calculated rewards from the very beginning rather than from when staking started.
As the spool index had grown to about 1.19 billion, the attacker’s 136K sSUI stake multiplied instantly. This inflated rewards to about 150k SUI, which then flowed to a single wallet.
While core contracts stayed safe, this event was evidence of how forgotten code paths can create hidden risks, affecting trust and short-term user confidence.
Stability after exploit as user confidence holds
Following the exploit, Scallop restored operations, signaling a controlled recovery rather than systemic failure. Core contracts resumed as the issue remained isolated to a deprecated rewards module.
This containment reassured users, especially as deposits stayed safe and withdrawals continued normally. As a result, the TVL held near $22.37 million – A sign of no immediate panic-driven outflows. This stability suggested that users recognized the limited scope of the breach.
However, this response also highlighted a deeper issue, one where peripheral modules expand the attack surface beyond audited core logic. While confidence is holding for now, sustained trust will depend on continued stability in flows. If TVL remains steady or grows, confidence will strengthen, while delayed outflows could still emerge as users reassess protocol risk.
Final Summary
- Scallop’s Sui [SUI] exploit has been contained after a 150K SUI loss exposed legacy contract risks without disrupting core liquidity.
- Scallop’s TVL held firm near $22.37 million, biu sustained trust will depend on whether users overlook peripheral vulnerabilities or reduce exposure.
