Scallop, the leading lending and borrowing protocol on the Sui blockchain, has confirmed a security breach affecting a side contract related to its sSUI spool rewards pool. The incident, which occurred on April 26, 2026, resulted in the unauthorized outflow of approximately 150,000 SUI tokens, worth about $525,000. In an immediate and decisive response to protect its user base, the Scallop development team successfully froze the compromised contract and initiated a comprehensive post-mortem analysis. Demonstrating its commitment to institutional-grade security and user trust, Scallop has pledged to fully reimburse all affected users directly from the protocol’s treasury, ensuring that no individual depositor suffers a financial loss as a result of the exploit.
Incident Containment and System Integrity
The vulnerability was isolated to a peripheral side contract specifically responsible for managing rewards within the sSUI spool pool. Upon detecting the suspicious activity, Scallop’s engineering team acted rapidly to isolate the affected contract, effectively halting further unauthorized outflows. Crucially, the protocol’s core contracts, which manage the primary lending and borrowing logic, remain entirely secure and unaffected by the incident. Because the breach was confined to the reward-distribution layer rather than the main liquidity vaults, the vast majority of the platform’s Total Value Locked (TVL) remains safe, and the protocol has continued to operate without interruption for the broader user base. This narrow scope of the attack underscores the effectiveness of Scallop’s modular architecture, which prevented the vulnerability from cascading into the main lending pools where user collateral is stored.
Prioritizing User Trust and Ecosystem Resilience
By proactively covering the full extent of the losses, Scallop is reinforcing its position as a transparent and reliable actor within the Sui ecosystem. In the wake of recent security challenges across the decentralized finance sector, the ability of protocols to take responsibility and provide immediate, direct compensation to users has become a critical indicator of long-term viability. The Scallop team is currently working closely with its security partners to finalize the reimbursement process, ensuring that the impacted users are made whole as quickly as possible. This incident serves as a stark reminder of the complexities involved in smart contract management, yet the protocol’s swift resolution and dedication to financial accountability highlight the maturing nature of DeFi governance. As Scallop prepares to implement enhanced security auditing measures for all peripheral contracts, the commitment shown during this event is expected to bolster community confidence, signaling that the platform remains focused on building a secure and sustainable financial infrastructure for the Sui network.
