Scallop Protocol lost $142K in a flash loan merged with an oracle manipulation attac

Scallop Protocol got hit by a flash loan exploit on Sunday. The attacker reportedly drained around $142,000 (150,000 SUI) in what appears to be a highly targeted oracle manipulation attack. This one didn’t touch the protocol’s core contracts but exposed a deeper design flaw.

An attacker reportedly exploited a deprecated side contract tied to Scallop’s sSUI rewards pool. Their team urges that the core protocol remain intact and that all user deposits are safe. However, the loss is fully contained to that isolated part.

Old code or Oracle flaw?

Analysts suggest that the core issue was the manipulation of Scallop’s custom oracle price feeds. This allowed the attacker to artificially depress SUI/USDC rates and borrow assets at those distorted prices. It then repaid the flash loan within the same transaction. In the end, the suspect walked away with the difference.

This follows a familiar DeFi attack pattern; however, the execution in this event was unusually precise. The attacker didn’t target active code or standard SDK routes. They interacted with an older V2 contract from November 2023. This was a version that had been left but remained callable on-chain. Sui keeps all deployed contract versions immutable and accessible. That’s why this outdated package became a hidden attack surface.

Sui price hasn’t taken a hit after the exploit. It is up by almost 2% in the last 24 hours. Sui is trading at $0.94 at the press time. Its 24 hour trading volume hovers around $187 million.

An expert in a post mentioned that the flaw itself was subtle but severe. In the deprecated contract, a key variable “last_index” was never initialized when a new account was created. This allowed the attacker to claim rewards as if they had been staking since the beginning of the pool.

With the reward index having grown over time, the attacker passed through to credit themselves with the entire reward pool in a single transaction. He mentioned that the Spool index grew to 1.19B over 20 months. 

Attacker staked 136K sSUI and got credited with 162 trillion points. However, the rewards pool ran a 1:1 exchange rate (numerator and denominator both = 1), so 162T points converted directly to 162K SUI worth of rewards. The pool only had 150K SUI in it and all of them got drained.

On-chain data shows the stolen funds were quickly routed through a mixing service, similar to Tornado Cash on Sui. This makes the recovery even more difficult.

Scallop back online after hack

Scallop’s team responded by temporarily pausing operations. It then reported that they have unfrozen the core contracts and all operations have resumed. An X post highlighted that the issue was not related to the core protocol and was isolated to a deprecated rewards contract. In the end, tser deposits were not impacted and all funds remain safe. The withdrawals and deposits are now operating normally.

🚨 Scallop hit by flash loan exploit on Sui, loses $142,000 in oracle manipulation attack

DETAILS 👇

WHAT HAPPENED?

> On April 26, 2026, the Scallop lending protocol experienced a flash loan exploit targeting a deprecated side contract related to its sSUI spool rewards pool

>… pic.twitter.com/xoZbLzGCf0

— Sophia Hodlberg (@sophiaHodlberg) April 26, 2026

The attacker reportedly contacted the team and offered to return 80% of the funds in exchange for a white-hat bounty. The incident is now being investigated. The team will check how the flaw passed prior audits by firms such as OtterSec and MoveBit.

Cryptopolitan reported that many of April 2026’s major incidents have not come from core protocol logic. They emerged from old contracts, adapters, or infrastructure layers that remain accessible but overlooked. The cumulative losses exceeded $750 million by mid-April. April 2026 alone has accounted for over $600 million in stolen funds across 12 major incidents. 

Kelp DAO and Drift Protocol, all together has account for approx 95% of April’s losses. The attack on Kelp resulted in $177 million in bad debt on Aave. Meanwhile, Arbitrum’s Security Council successfully froze 30,766 ETH (approx worth $71 million) of the stolen funds.

Hyperliquid is still the biggest token in the DeFi category. HYPE price is up by 10% in the last 30 days. It is trading at $41.95 at the press time. Chainlink stands at the 2nd stop. LINK traded around $9.4.

There’s a middle ground between leaving money in the bank and rolling the dice in crypto. Start with this free video on decentralized finance.