
Scallop DeFi Exploit Drains 150K SUI from Deprecated Contract
Scallop, a DeFi protocol on the Sui Network, lost 150,000 SUI to an exploit that targeted a deprecated rewards contract. Core operations and user funds remain safe, but the incident highlights the risk of legacy code that stays live in an immutable blockchain environment.
Scallop, a money market operating on the Sui Network, experienced a significant exploit over the weekend, resulting in the loss of approximately 150,000 SUI. The attack targeted a deprecated rewards contract linked to the protocol's sSUI spool, an incentive mechanism for SUI depositors. Crucially, the core lending and borrowing pools, along with all user deposits, remained unaffected and secure.
The exploit was made possible by a vulnerability in a V2 spool package deployed in November 2023, over 17 months before the attack. On Sui, a published package is immutable: an upgrade publishes a new package rather than replacing the old one, so the old package stays on chain and its functions remain callable unless the shared objects they operate on are explicitly version-gated (each call checks the object's version number, which the upgrade bumps, and old code fails that check). The attacker exploited an uninitialized last_index counter in that old package: the per-position snapshot of the reward index started from zero instead of the pool's current value, so the accounting credited the position with rewards that had accrued long before it existed, and those rewards were then redeemed from the rewards pool.
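As an added illustration, not Scallop's Move code and not part of the original article, the following Python model reproduces the two mechanisms described above: an index-based reward spool in which a position created with last_index = 0 instead of a snapshot of the current index is credited with rewards that accrued before it existed, and a version gate on the shared pool state that makes calls from a superseded package fail. Everything in it is an assumption for the model: the class names, the PRECISION scale, the V2/V3 version constants and the 1,000-unit stakes and 500-unit reward amounts.

```python
"""Constructed model of an index-based reward spool (assumption: not the real
protocol's code). global_index is the cumulative reward paid per staked unit,
scaled by PRECISION; each position remembers the index at its last settlement."""
from dataclasses import dataclass

PRECISION = 10**12  # fixed-point scale for the per-unit index (assumption)


class SpoolError(Exception):
    pass


@dataclass
class Spool:
    """Shared pool state. `version` is the value a version gate checks against."""
    version: int
    total_staked: int = 0
    reward_balance: int = 0
    global_index: int = 0

    def accrue(self, new_rewards: int) -> None:
        """Fund the pool and roll the new rewards into the per-unit index."""
        self.reward_balance += new_rewards
        if self.total_staked > 0:
            self.global_index += new_rewards * PRECISION // self.total_staked


@dataclass
class Position:
    stake: int
    last_index: int  # snapshot of global_index when rewards were last settled


def pending_rewards(spool: Spool, pos: Position) -> int:
    """Owed = stake * (growth of the index since this position's snapshot)."""
    return pos.stake * (spool.global_index - pos.last_index) // PRECISION


def redeem(spool: Spool, pos: Position) -> int:
    """Pay out what is owed (capped by the pool balance) and advance the snapshot."""
    owed = min(pending_rewards(spool, pos), spool.reward_balance)
    spool.reward_balance -= owed
    pos.last_index = spool.global_index
    return owed


def require_version(spool: Spool, package_version: int) -> None:
    """Version gate: the shared state only accepts calls from the current package."""
    if spool.version != package_version:
        raise SpoolError(f"package v{package_version} rejected, pool is at v{spool.version}")


# "V2" package: deprecated but still on chain. The modelled bug is that the new
# position's last_index is left at 0 rather than set to spool.global_index.
V2_VERSION = 2

def v2_deposit(spool: Spool, amount: int, gated: bool) -> Position:
    if gated:  # what the package would have done had a version gate been compiled in
        require_version(spool, V2_VERSION)
    spool.total_staked += amount
    return Position(stake=amount, last_index=0)  # bug: no snapshot of the index


# "V3" package: snapshots the index on deposit and checks the version gate.
V3_VERSION = 3

def v3_deposit(spool: Spool, amount: int) -> Position:
    require_version(spool, V3_VERSION)
    spool.total_staked += amount
    return Position(stake=amount, last_index=spool.global_index)


def run_scenario(v2_was_gated: bool) -> dict:
    """An honest staker earns 500 units; the protocol migrates the pool to V3; then
    a newcomer calls the old V2 entry point. Returns what each party can redeem."""
    spool = Spool(version=V2_VERSION)
    honest = v2_deposit(spool, 1_000, gated=v2_was_gated)  # index is 0 at genesis, so fine
    spool.accrue(500)                                       # all 500 belong to honest
    spool.version = V3_VERSION  # migration bumps the shared object; V2 bytecode remains
    result = {"honest_before": pending_rewards(spool, honest)}
    try:
        newcomer = v2_deposit(spool, 1_000, gated=v2_was_gated)
    except SpoolError:
        result.update(blocked=True, attacker_redeemed=0)
    else:  # ungated old package: the fresh position claims the pre-existing 500
        result.update(blocked=False, attacker_redeemed=redeem(spool, newcomer))
    result["honest_redeemed"] = redeem(spool, honest)
    return result


def v3_newcomer_pending() -> tuple:
    """With the snapshot in place, a newcomer starts at zero and the earlier
    staker keeps the full 500."""
    spool = Spool(version=V3_VERSION)
    honest = v3_deposit(spool, 1_000)
    spool.accrue(500)
    newcomer = v3_deposit(spool, 1_000)
    return pending_rewards(spool, newcomer), pending_rewards(spool, honest)


if __name__ == "__main__":
    print("ungated V2:", run_scenario(v2_was_gated=False))
    print("gated V2:  ", run_scenario(v2_was_gated=True))
    print("V3 newcomer/honest pending:", v3_newcomer_pending())
```

In the ungated run the newcomer redeems the entire 500 that the honest staker earned, leaving the honest staker with nothing; in the gated run the stale package is refused outright once the pool's version has been bumped. The two fixes are independent: the snapshot closes the accounting hole, and the gate (which only works if it was compiled into the package before it became stale) closes off every other latent bug in the old code at once.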
While Scallop has pledged to fully reimburse the drained funds from its treasury and has resumed core operations, this incident serves as a stark reminder for P2P merchants. Such exploits, even if contained within DeFi protocols, can contribute to broader market sentiment shifts and potentially impact the perceived stability of stablecoins and their underlying ecosystems. Merchants relying on spreads and volume might see fluctuations if investor confidence in specific networks or DeFi applications wavers.
This exploit follows a recent pattern of similar incidents on the Sui Network, including a loss at Volo Protocol, and occurs shortly after a major bridge exploit on Ethereum. The recurring nature of these attacks, particularly those targeting peripheral or deprecated code, underscores the ongoing challenges in smart contract security and the importance of diligent code management and auditing for all participants in the crypto space, including those facilitating P2P trades.