- Scallop suffered a flash loan exploit that used oracle price manipulation to drain about $142K (150,000 SUI).
- The protocol has fully resumed operations and will reimburse 100% of user losses; it states that no user deposits were compromised in the exploit.
Scallop, a lending protocol, reported a flash loan attack targeting an old side contract on the Sui blockchain that caused a loss of around 150,000 SUI (worth around $142,000). The attack, which occurred in the early hours of April 26, 2026, has again raised concerns about oracle manipulation in decentralized finance (DeFi), although the team insists core operations were unaffected.
What Caused This Incident? The Actual Attack
Scallop said the exploit targeted an old side contract connected to the protocol's sSUI spool rewards pool, not the main protocol directly. It used a typical DeFi method, flash loans, to manipulate the native oracle prices through which Octopus settles.
🚨 SECURITY INCIDENT NOTICE
We have identified an exploit affecting a side contract related to Scallop’s sSUI spool rewards pool, resulting in a loss of approximately 150K SUI.
The affected contract has been frozen. Our core contracts remain safe and only the sSUI rewards pool…
— Scallop (@Scallop_io) April 26, 2026
The attacker manipulated the oracle system, temporarily pricing SUI/USDC at an artificially low level, which allowed assets to be borrowed at a very deep discount. In a single transaction, the attacker took a flash loan, manipulated the price feed, borrowed cheap assets, and repaid the flash loan immediately while keeping the difference. In this way the attacker withdrew roughly $142K worth of SUI from that pool. After the exploit, the funds were routed through a privacy tool on the Sui network, which makes tracing them harder. Scallop stressed that, despite the complexity of the attack, the breach was fully contained: the core protocol stayed safe and not a single user deposit was affected at any time.
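As an added illustration (not Scallop's code and not a reconstruction of the affected contract), the following Python model shows the standard mitigation a lending pool applies against the single-transaction pattern described above: it values debt against a time-weighted average price (TWAP) reference and refuses a borrow when the same-block spot price deviates from that reference by more than a bound. All values are constructed for the example: the 5% deviation bound, the 75% loan-to-value ratio, and the half hour of SUI/USDC observations.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed parameters for the demonstration, not Scallop's actual settings.
MAX_DEVIATION = 0.05   # refuse borrows when spot differs from TWAP by more than 5%
LTV = 0.75             # loan-to-value: borrow up to 75% of collateral value


class PriceDeviationError(Exception):
    """Raised when the spot price is too far from the time-weighted reference."""


@dataclass
class TwapOracle:
    """Keeps a rolling window of (timestamp, price) observations for one pair."""
    window_secs: int = 1800
    observations: deque = field(default_factory=deque)

    def record(self, ts: int, price: float) -> None:
        self.observations.append((ts, price))
        # Drop observations that have fallen out of the window.
        while ts - self.observations[0][0] > self.window_secs:
            self.observations.popleft()

    def spot(self) -> float:
        # The latest observation: this is what a single-block swap can move.
        return self.observations[-1][1]

    def twap(self, now: int) -> float:
        # Each price is weighted by how long it remained the latest price, so an
        # observation recorded in the current block carries (almost) no weight.
        obs = list(self.observations)
        weighted = total = 0.0
        for (t0, p), (t1, _) in zip(obs, obs[1:]):
            weighted += p * (t1 - t0)
            total += t1 - t0
        weighted += obs[-1][1] * (now - obs[-1][0])
        total += now - obs[-1][0]
        return weighted / total if total else obs[-1][1]


def guarded_price(oracle: TwapOracle, now: int) -> float:
    """Return the spot price only if it is within MAX_DEVIATION of the TWAP."""
    spot, ref = oracle.spot(), oracle.twap(now)
    deviation = abs(spot - ref) / ref
    if deviation > MAX_DEVIATION:
        raise PriceDeviationError(
            f"spot {spot:.4f} deviates {deviation:.1%} from TWAP {ref:.4f}")
    return spot


def naive_max_borrow_sui(collateral_usdc: float, oracle: TwapOracle) -> float:
    """The weak design: debt valued at the raw spot price (USDC per SUI)."""
    return collateral_usdc * LTV / oracle.spot()


def guarded_max_borrow_sui(collateral_usdc: float, oracle: TwapOracle, now: int) -> float:
    """The hardened design: debt valued at a deviation-checked price."""
    return collateral_usdc * LTV / guarded_price(oracle, now)


def build_oracle() -> TwapOracle:
    # Constructed history: 30 minutes of stable SUI/USDC prices, one per minute.
    oracle = TwapOracle()
    for minute in range(30):
        oracle.record(minute * 60, 0.95)
    return oracle


def demo() -> dict:
    now = 30 * 60
    oracle = build_oracle()
    honest = guarded_max_borrow_sui(1000.0, oracle, now)
    # Same block: a flash-loan-sized swap pushes the pool's spot price to 0.10,
    # far below the 0.95 reference the window still reflects.
    oracle.record(now, 0.10)
    naive = naive_max_borrow_sui(1000.0, oracle)
    try:
        guarded_max_borrow_sui(1000.0, oracle, now)
        blocked = False
    except PriceDeviationError:
        blocked = True
    return {"honest_borrow": honest, "naive_after_manipulation": naive,
            "guarded_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

With the constructed numbers, the naive pool would let the same 1,000 USDC of collateral borrow roughly 7,500 SUI after the manipulation instead of about 789 SUI, while the guarded pool rejects the request because the spot price is almost 90% away from the TWAP. The deviation check is a bound, not a cure: a reference window that is too short, or a feed whose reference itself comes from a shallow pool, still leaves room for manipulation.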
Protocol Response, User Protection & Next Steps
Scallop said that in response to the incident it immediately halted certain operations to contain the event and assess its impact. The team has since restored service and announced that deposits, withdrawals, and all other core features are working properly. Notably, Scallop has promised to cover 100% of the losses sustained in the exploit. This commitment is aimed at sparing affected users any financial damage and at shoring up trust in the platform. In a notable twist, the attacker allegedly reached out to Scallop offering to return 80% of the stolen funds in exchange for some form of white-hat bounty. Talks are in progress, and their outcome could reduce the protocol's financial outlay even further.
Looking ahead, Scallop is conducting a full review of the vulnerability, examining how this edge case slipped past previous audits by the reputable security firms OtterSec and MoveBit. The team said it will add further protections to prevent similar incidents. Although this exploit again highlights persistent weaknesses in DeFi oracle design, it also underscores the need to respond quickly and to have a way of protecting users after things go wrong. Scallop's rapid response and reimbursement policy have so far limited the damage, while the wider ecosystem keeps a close eye on the situation.