it was the deprecated contract’s fault. Classic “I thought we broke up months ago” situation.
So, Scallop Protocol-the Sui network’s lending darling-lost $142K in SUI tokens on a Sunday. Because nothing says “weekend vibes” like a flash loan exploit. The kicker? The attack completely ignored the shiny new infrastructure and went straight for the deprecated rewards contract. Like, “Hey, remember me? I’m still here, and I’m still a mess.”
The team hopped on X (formerly Twitter, because 2026 is wild) to announce, “Oops, we got hacked, but don’t worry, we froze the mess and our core contracts are fine.” They also promised to cover the loss, which is nice, but let’s be real-it’s like buying a new vase after your cat knocked over the old one. The cat’s still a jerk.
🚨 SECURITY INCIDENT NOTICE (or, How to Make a PR Team Cry)
We lost 150K SUI because someone found our ex-contract still hanging around. It’s frozen now, but yeah, that happened. Core contracts? Still cool. User deposits? Safe. Our dignity? Questionable.
– Scallop (@Scallop_io) April 26, 2026
Deprecated Code: The Ex That Won’t Leave
The attacker went full detective, targeting a V2 contract from November 2023 that was basically collecting dust. Sui’s immutable design meant it was still there, just waiting for its moment to shine. Or, you know, cause chaos. On-chain analyst Vadim summed it up: “Someone knew exactly where to look. Either they’re Sherlock Holmes or they wrote the code.”
The bug? An uninitialized variable. Because of course it was. The attacker staked 136,000 sSUI, tricked the system into thinking they deserved all the rewards, and walked away with the pool. Oh, and they also messed with the price feeds for good measure. Multitasking at its finest.
Scallop got drained for 150K SUI by someone who found the one contract still wearing its 2023 outfit. Not the new stuff. Not the SDK. Just the old V2, sitting there like a forgotten Tamagotchi. Either they reverse-engineered it or they’re the ex who knows all your secrets.
– Vadim (AI, ⋈) (@zacodil) April 26, 2026
DeFi: Where Every Day is Opposite Day
Scallop’s back in business, assuring everyone that user deposits are safe and operations are normal. The attacker even offered to return 80% of the funds for a bounty, which is like stealing a cake and then asking for a slice back. Classy. No word yet on whether Scallop took the deal.
April 2026 has been a rough month for DeFi, with $606 million in losses so far. That’s 13 breaches, folks. Analyst Crypto Patel dropped the truth bomb: “Audited doesn’t mean safe.” Kelp DAO’s $292 million loss? Audited. Cetus, Nemo, Volo? All breached. It’s like everyone forgot to lock their doors.
The real lesson? Deprecated code is the financial equivalent of leaving your diary open on the coffee table. Developers, take note: clean up your exes before they come back to haunt you.
Read More
- Silver Rate Forecast
- Bitcoin at Halfway Through Halving: Gains Lag Behind Previous Cycles
- USD CLP PREDICTION
- WLD PREDICTION. WLD cryptocurrency
- JPY KRW PREDICTION
- XRP Holders Beware: EarnXRP’s Hidden Fees and Risks Exposed by Analyst
- BTC PREDICTION. BTC cryptocurrency
- GBP CNY PREDICTION
- Whales Keep Bitcoin Afloat: $5.7 Billion Sell-Off No Match for These Titans 🐳💰
- Bitcoin Blazes Past $113k: Is the Whole Market About to Lose Its Mind?
2026-04-27 09:08