Flash Loan Attack Hits Scallop But Leaves Core Protocol Untouched
A precise exploit on the Sui-based lending platform Scallop has exposed a hidden weakness in its older code, draining around 150,000 SUI (roughly $142,000) from a deprecated rewards contract while leaving the main protocol intact.
The attacker avoided the core lending system entirely, instead targeting a sidelined contract linked to the sSUI rewards pool.
Scallop confirmed that all user deposits remain safe, with losses isolated to that single component.
How Did The Attacker Find The Weak Spot
Rather than exploiting active infrastructure, the attacker interacted with an outdated V2 contract deployed in November 2023.
Although no longer in use, the contract remained callable on-chain due to Sui’s design, where all deployed versions stay permanently accessible.
This allowed the attacker to bypass updated safeguards and operate through a neglected entry point.
Analysts believe this level of precision suggests deep familiarity with the protocol’s architecture or extensive reverse engineering.
Hidden Reward Logic Flaw Turned Small Stake Into Massive Claim
The real issue sat inside the rewards calculation system of the deprecated contract.
A key variable, `last_index`, was never properly initialised when new staking accounts were created. In normal operation, this value tracks when a user begins staking to ensure fair reward distribution over time.
Because it defaulted to zero, the system incorrectly treated new users as if they had been active since the pool’s inception.
With the spool index having grown to around 1.19 billion over 20 months, this misalignment allowed reward calculations to spiral far beyond intended limits.
How 136K sSUI Became A Full Pool Drain
The attacker staked roughly 136,000 sSUI and triggered the flawed logic.
The contract then credited them with around 162 trillion reward points due to the inflated historical calculation.
Since the rewards system operated on a direct 1:1 conversion model, those points translated into roughly 150,000 SUI, effectively draining the entire rewards pool.
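The accounting described above is the standard "cumulative reward index" pattern: each stake records the pool index at the moment it opens, and a later claim pays out stake size multiplied by how far the index has moved since. The following Python model, added here as an illustration and not Scallop's own Move code, reproduces the flaw with the article's figures (index of about 1.19 billion, stake of 136,000 sSUI, pool balance of 150,000 SUI) beside the corrected initialisation, and includes a simple stale-account check a reviewer could run over existing stakes. The 9-decimal index scale, the names, and the capping of a claim at the pool balance are assumptions of this model.

```python
from dataclasses import dataclass, field

# Assumption: the reward index is stored with 9 decimals (SUI's precision).
INDEX_SCALE = 10**9


@dataclass
class Stake:
    amount: int       # staked sSUI units
    last_index: int   # pool index recorded when the stake was opened


@dataclass
class Pool:
    index: int        # cumulative reward per staked unit, scaled by INDEX_SCALE
    balance: int      # SUI available to pay rewards
    stakes: dict = field(default_factory=dict)


def accrue(pool: Pool, reward_per_unit_scaled: int) -> None:
    """Advance the cumulative index as rewards are distributed."""
    pool.index += reward_per_unit_scaled


def open_stake_vulnerable(pool: Pool, user: str, amount: int) -> None:
    # The defect the article describes: last_index is never set, so it
    # defaults to zero and the account looks as old as the pool itself.
    pool.stakes[user] = Stake(amount=amount, last_index=0)


def open_stake_fixed(pool: Pool, user: str, amount: int) -> None:
    # Correct initialisation: a new stake starts earning from the current index.
    pool.stakes[user] = Stake(amount=amount, last_index=pool.index)


def claim(pool: Pool, user: str) -> tuple[int, int]:
    """Return (raw reward points, SUI actually paid) and settle the stake."""
    stake = pool.stakes[user]
    points = stake.amount * (pool.index - stake.last_index)
    owed = points // INDEX_SCALE          # 1:1 conversion of scaled points to SUI
    paid = min(owed, pool.balance)        # assumption: payout capped by pool balance
    pool.balance -= paid
    stake.last_index = pool.index         # subsequent claims start from here
    return points, paid


def stale_accounts(pool: Pool) -> list[str]:
    """Defender's check: stakes whose last_index is zero while the index has moved."""
    return [u for u, s in pool.stakes.items() if s.last_index == 0 and pool.index > 0]


def replay(vulnerable: bool) -> tuple[int, int]:
    """Replay the incident's figures against the buggy or the fixed initialisation."""
    pool = Pool(index=1_190_000_000, balance=150_000)   # constructed from the article
    opener = open_stake_vulnerable if vulnerable else open_stake_fixed
    opener(pool, "attacker", 136_000)
    return claim(pool, "attacker")


def fair_claim() -> int:
    """A correctly initialised stake earns only what accrues after it opens."""
    pool = Pool(index=1_190_000_000, balance=150_000)
    open_stake_fixed(pool, "alice", 1_000)
    accrue(pool, 2 * INDEX_SCALE)          # 2 SUI per staked unit since Alice joined
    _, paid = claim(pool, "alice")
    return paid


if __name__ == "__main__":
    print("vulnerable:", replay(True))    # ~1.6e14 points, entire 150,000 SUI pool
    print("fixed:     ", replay(False))   # (0, 0): nothing accrued yet
    print("fair:      ", fair_claim())    # 2000
```

Running it shows why the reported numbers line up: 136,000 units times an index of 1.19 billion is about 1.6 x 10^14 points, which converts to more SUI than the pool held, so the claim empties it. The `stale_accounts` helper is the kind of invariant check that would have flagged every newly opened stake under the old contract.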
On-chain activity shows the funds were quickly routed through a mixing service, reducing the chance of recovery.
Was This Oracle Manipulation Or A Legacy Code Failure
While some early discussion pointed toward price manipulation, the exploit appears more rooted in legacy accounting logic than direct oracle tampering.
The attacker did not need to break active price feeds or core lending mechanics.
Instead, they exploited how outdated reward data was still being processed by an accessible contract version.
This separation between active and deprecated systems is what allowed the exploit to remain contained to a single pool.
Why Deprecated Contracts Remain A Persistent Risk
On Sui, deployed contracts are immutable and remain on-chain unless explicitly restricted.
That design means older versions can still be interacted with even after newer systems replace them.
In Scallop’s case, the V2 rewards module was effectively forgotten in production terms but still technically live, creating an exposed edge in the system.
This type of “stale package” risk is now being flagged more frequently across DeFi, where legacy components are left callable without ongoing monitoring.
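Because an upgraded Sui package leaves the previous version callable, the usual mitigation is to keep a version number in the shared state object and have every entry function abort unless the calling package's compiled-in version matches it; bumping the stored version during migration retires the old code path without needing to remove it from the chain. The Python model below is an added illustration of that pattern, not Scallop's code or Sui framework code; the object names, the `EVersionMismatch` abort label, and the admin-capability check are assumptions.

```python
from dataclasses import dataclass


class Abort(Exception):
    """Stands in for a Move abort."""


@dataclass
class AdminCap:
    holder: str


@dataclass
class RewardsState:
    version: int     # version of the package allowed to touch this object
    pool_index: int


def assert_version(state: RewardsState, package_version: int) -> None:
    # Every entry function of every package version runs this first.
    if state.version != package_version:
        raise Abort(f"EVersionMismatch: state v{state.version}, caller v{package_version}")


# Each deployed package version is compiled with its own constant.
V2 = 2
V3 = 3


def stake_v2(state: RewardsState, amount: int) -> str:
    assert_version(state, V2)
    return f"v2 staked {amount}"


def stake_v3(state: RewardsState, amount: int) -> str:
    assert_version(state, V3)
    return f"v3 staked {amount}"


def migrate(state: RewardsState, cap: AdminCap, new_version: int) -> None:
    """Admin-only bump that retires every older package version at once."""
    if cap.holder != "protocol-admin":          # assumption: simple capability check
        raise Abort("ENotAdmin")
    if new_version <= state.version:
        raise Abort("EVersionNotIncreased")
    state.version = new_version


def attempt(fn, state: RewardsState) -> str:
    try:
        return fn(state, 100)
    except Abort as e:
        return f"abort: {e}"


def scenario() -> dict:
    """Show which package versions can act before and after migration."""
    state = RewardsState(version=V2, pool_index=0)
    cap = AdminCap(holder="protocol-admin")
    before = {"v2": attempt(stake_v2, state), "v3": attempt(stake_v3, state)}
    migrate(state, cap, V3)
    after = {"v2": attempt(stake_v2, state), "v3": attempt(stake_v3, state)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in scenario().items():
        print(phase, results)
```

The gate only helps if the old version was built with it: a package deployed without a version check, as the article suggests the 2023 module was, stays callable no matter what the newer code does, which is why inventorying still-callable legacy packages matters as much as patching the current one.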
Rapid Containment And Full Recovery Promise
Scallop responded by freezing the affected contract within minutes of detection and temporarily pausing operations tied to the rewards pool.
Core lending and borrowing markets were not impacted, and user funds remained untouched throughout.
Operations resumed within roughly two hours after the incident, with deposits and withdrawals restored to normal.
The team also confirmed it will fully cover the loss from its treasury, preventing any impact on user balances or yields.
Audit Questions Resurface After Exploit
The affected contract had previously been reviewed in audits from firms including OtterSec and MoveBit, raising questions over how the vulnerability persisted.
Scallop has indicated a full post-mortem will examine why the flaw was not detected earlier and how deprecated modules are handled in future reviews.
Analysts have pointed out that audits often focus on active systems, while legacy contracts may receive less continuous scrutiny despite remaining live on-chain.
Growing Pattern Of Peripheral Exploits Across Sui
The incident adds to a recent string of attacks on Sui-based protocols where attackers have increasingly targeted side contracts rather than core systems.
Similar patterns were seen in other DeFi incidents this year, where unused modules, adapters, or legacy infrastructure were exploited instead of primary lending logic.
This shift suggests attackers are focusing on overlooked edges of ecosystems rather than heavily audited core contracts.
Market Reaction Stays Calm Despite Exploit
Despite the breach, the SUI price remained stable and even rose slightly, by nearly 2%, over the following 24 hours, trading around $0.94.
Trading activity also held steady at approximately $187 million in daily volume, suggesting limited market concern over systemic risk.
Investigation Now Focuses on Legacy Contract Management
Attention has now shifted to how deprecated contracts are managed across DeFi protocols.
With immutable deployments leaving old code permanently accessible, the key question is how teams can prevent unused systems from becoming hidden entry points.
Scallop is expected to release a full technical breakdown of the exploit, including how the reward logic flaw went unnoticed for more than a year and how similar risks can be eliminated going forward.