Scallop, the leading money market in the Sui ecosystem, fell victim to a targeted attack. Although the scale of the damage isn't critical for the protocol, this incident has raised a red flag for the entire Sui network, which was previously considered one of the safest due to the Move programming language.
Details
The attack targeted not the core lending engine but the sSUI rewards pool. The hacker exploited a vulnerability in an outdated smart contract (version V2), which had been used for incentive distribution since November 2023. By manipulating the reward accrual logic, the attacker was able to withdraw, in a single transaction, all the SUI tokens accumulated in the contract and intended for users.
Total losses
Losses are estimated in the range of $450,000 to $525,000.
Team and market reaction
The Scallop team has officially confirmed that the main assets are secure. Lenders and borrowers did not lose their funds, as the hacker did not have access to the core liquidity pools. The SCA token showed short-term volatility but stabilized following the team's prompt statement. Security partners have been engaged to audit all other 'archival' contracts to prevent a repeat of the scenario.
Compensation
Scallop immediately announced full compensation for the losses. Funds will be allocated from the project's treasury, so regular users of the sSUI pool will not be affected.
Summary
The fourth confirmed hack in just the last week underscores a dangerous trend. While the scale of the recent attacks pales in comparison to the catastrophic blow dealt to Kelp DAO, the sheer frequency of these incidents points to systemic gaps in the industry. Today, financial security is in a 'perfect storm,' where even trusted protocols are becoming vulnerable to new exploitation methods. This serves as yet another reminder to investors: in today's DeFi landscape, security is not a state but a continuous process.
