Scallop Protocol Loses $142K in DeFi Exploit on Sui Network
27 Apr 2026 · 07:32 UTC · CoinCentral RSS Feed · Original source
Read original at CoinCentral RSS Feed →
Summary
Scallop Protocol experienced a DeFi exploit on April 26, 2026, resulting in a loss of approximately $142,000 (150,000 SUI tokens). An attacker targeted a deprecated V2 rewards contract from November 2023, exploiting an uninitialized 'last_index' variable that permitted the attacker to claim the entire rewards pool. The core Scallop protocol and user deposits remained unaffected. Operations resumed within two hours of the exploit. The attacker offered to return 80% of the stolen funds.
Why it matters
The market impact hinges on several key mechanisms: (1) DeFi risk sentiment—the exploit reinforces smart contract vulnerability concerns, temporarily pressuring Sui ecosystem sentiment; (2) SUI-specific impact—as a native Sui protocol, Scallop's loss affects SUI sentiment directly, though limited loss amount constrains duration; (3) attacker reimbursement—the unusual 80% offer is a strong positive signal; if executed, it accelerates sentiment recovery and limits downside. Critical assumptions include that exploit information is accurate, user deposits remain unaffected, the attacker follows through on reimbursement, no additional vulnerabilities are discovered, and broader market sentiment remains stable. Near-term predictions (minute to daily) carry moderate confidence because trader sentiment typically responds predictably to well-documented incidents. Longer-term predictions have lower confidence due to dependency on reputation recovery speed and external market developments. Bitcoin remains insulated from Sui-specific risk—meaningful BTC impact would require a broader contagion narrative, currently unlikely given the contained nature. Uncertainties include speed of Scallop reputation recovery, whether similar vulnerabilities exist in other Sui protocols, macro sentiment trends during evaluation, and media coverage duration. The deprecated V2 contract origin (November 2023) further limits systemic risk perception.
Expected impact
The Scallop Protocol exploit represents a contained security incident in the Sui ecosystem with limited broader market implications. The $142K loss (150,000 SUI) is relatively modest in DeFi terms, and critical mitigating factors constrain impact: the core protocol and user deposits remained unaffected, operations resumed within two hours, and the attacker has offered to return 80% of stolen funds. Expected near-term effects concentrate in altcoins, particularly SUI and Sui-based protocols, which may experience mild to moderate selling pressure over the hourly to daily timeframes as traders price in security concerns. Bitcoin, being macro-focused and insulated from individual DeFi incidents, should see minimal direct impact unless this triggers a broader DeFi risk narrative. The exploit's impact diminishes sharply over longer timeframes. Within hours, SUI-adjacent assets could see 1-3% downside as negative sentiment spreads. By daily timeframe, the impact becomes more subdued—quick recovery, limited loss scope, and the attacker's willingness to reimburse all reduce sentiment duration. The attacker's cooperative stance is an unusual positive signal that could accelerate confidence recovery. If reimbursement occurs as offered, the incident may be largely forgotten within a week, with minimal sustained impact to Bitcoin or longer-term altcoin trajectories.