Scallop SUI pool 150,000 SUI stolen

智者解密
2 hours ago

On April 26, 2026, the well-known lending protocol Scallop within the Sui ecosystem encountered an "invisible crack" during its operations. The official disclosure revealed that the problem did not lie within the core contract that supports the main lending operations, but rather in an auxiliary contract related to the sSUI reward pool—this component, originally regarded as an "extra benefit," was exploited by an attacker who found a vulnerability, resulting in the theft of approximately 150,000 SUI.

From publicly available information, the losses are strictly confined to this auxiliary contract of the sSUI reward pool. Scallop repeatedly emphasized in its statement that the core lending contract and other reward pools were unaffected; upon discovering the anomaly, the project team immediately froze the affected contract in an effort to minimize the damage. Meanwhile, they promised on X/Twitter to fully cover user losses resulting from the incident, assuring users that they "would not have to bear the costs of this incident."

On one side is the breach of the auxiliary contract, with 150,000 SUI gone from the on-chain ledger; on the other, the firm statements that "core business is unaffected" and "losses will be fully covered." With technical details not yet published and the source of the compensation funds unclear, this seemingly contained incident leaves plenty of tension between what is visible on the surface and the questions still unanswered beneath it.

Flank of the Reward Pool Breached: Auxiliary Contract Becomes the Breach Point

From Scallop's public narrative, the project team almost immediately drew the "line of safety"—one side is the compromised auxiliary contract of the sSUI reward pool, and the other side is the "unaffected" core lending contract and other reward pools. The official statement repeatedly emphasized that the loss of approximately 150,000 SUI occurred only within the auxiliary contract related to the sSUI reward logic, with no abnormal outflows of funds from the main lending pool or other reward pools. After discovering the anomaly, the affected auxiliary contract was urgently frozen, and the attack surface was limited to this "flank."

On the surface, this looks like an incident strictly contained at the auxiliary-contract layer: the main battlefield is intact, and the wound is in a peripheral reward module. To anyone familiar with how DeFi protocols evolve, however, the structure is familiar. Almost every protocol that grows complex keeps bolting on functions such as rewards, proxies, and routers beyond its original lending, matching, and liquidation framework. These act as "boosters" that lift yield, improve the experience, and attract liquidity, but they are often not covered by the team's earliest and most stringent set of security assumptions.

In real engineering practice, core logic is repeatedly polished, reviewed, and stress-tested, while rewards and incentive features added later arrive under labels such as "expansion," "upgrade," or "optimization." When security resources are limited, auditing, testing, and monitoring concentrate on the main contract, and auxiliary contracts are implicitly filed under "peripheral risk." Under that mindset, once reward logic touches asset authorization, balance accounting, or profit distribution, even a small oversight in a boundary condition can be exploited from outside, as happened here: the main contract was not breached directly, but funds were lifted through the side door of the sSUI reward pool.

Past incidents across the industry have followed a similar script: what actually gets exploited is often not the protocol's core lending or matching logic but the auxiliary contracts built around it, such as rewards, proxies, and routers. The main protocol's "high-intensity defenses" in architecture and auditing inadvertently push attackers toward these "supporting" modules. Scallop's delineation of boundaries, core contract safe and auxiliary reward pool breached, is the familiar picture of a strong center and weak flanks.

More subtly, Scallop has so far not disclosed the specific technical details of the vulnerability in this auxiliary contract. Outsiders can confirm only that the attack was limited to logic related to the sSUI reward pool, with no abnormal outflows from the core lending pool or other reward pools. For users and peers alike, the unease created by this information asymmetry is not just worry over how many more holes remain unpatched, but a sharper question: when a protocol declares "the main contract is secure," where exactly is the safety line drawn? What was breached this time was precisely that boundary, and it is wired directly to real user assets.

150,000 SUI Hole: Project Team Takes Full Responsibility for Compensation

For most users, terms like "auxiliary contract" and "reward pool" may blur, but numbers do not. Scallop confirmed on X that the loss from this incident is approximately 150,000 SUI—this is not just a quantified result of a technical vulnerability being exploited, but an immediate impact that prompts one to calculate and subconsciously think, "what if this were my position?"

Especially against the official insistence that "the core lending contract is unaffected," these 150,000 SUI stand out as a separate, "unexpected" account: they do not fall within the risk users initially priced in, yet they really did leak from that neglected gray area. For the participants involved, this is not an abstract "protocol risk" but the expected returns and principal tied to the sSUI reward pool's auxiliary contract, which they may have tracked in their heads or even in spreadsheets, and which has suddenly been put on hold.

At that moment, Scallop chose to be unequivocal. The team stated in an official announcement that it would "fully bear 100% of the losses" from this incident, emphasizing that users should not bear the cost of the security incident. The wording contains none of the usual buffers such as "subject to circumstances" or "partial reimbursement"; it commits directly to "not letting users bear the costs" and takes the responsibility and consequences onto itself.

This stance is not common in the handling of past security incidents in DeFi. In similar events, the responses offered by project teams have often varied: some have opted for partial compensation, distributing losses between the project team and users proportionally; others have issued some form of "bond tokens," using future earnings to fill today's holes; some have relied on insurance or external funds to backstop. In contrast, Scallop’s direct public announcement of full compensation effectively provides a clear "responsibility attribution" in the shortest time: the hole exists, but it is not the users' fault.

In a highly trust-dependent ecosystem, such a statement is itself a risk management tool. With technical details yet to be made public, the identity of the attacker unknown, and the vulnerability boundaries still under examination, if even "who pays" remains in a gray area, user sentiment will only be pulled repeatedly between panic and speculation. Scallop first locks down "the compensation issue," effectively providing a temporary anchor: even if the safety boundaries of the auxiliary contract are still controversial, at least in this case, the protocol did not shift the risk back onto the participants.

However, promises aside, the question of where the funds will come from and how they will come in remains a hovering question mark. The announcement did not clarify whether the hole of approximately 150,000 SUI would be covered by the project team's treasury, partner resources, or other channels, nor did it disclose specific compensation paths and execution timelines—whether it would be a one-time return, an installment plan, whether distributions would be based on snapshot time, or according to other rules. All these details remain blank in the current public information.

This also means that Scallop has already made a commitment on the public opinion front, but how to implement it remains to be seen. For users already involved in the sSUI reward pool's auxiliary contract, what lies ahead is not only waiting for technical reviews and vulnerability disclosures but also the concrete plan of "how to completely return the 150,000 SUI to where it belongs." Committing to full compensation has momentarily pressed the pause button on the short-term trust crisis, but the real test of responsibility and execution still lies ahead.

Core Lending Pool Unharmed: Confidence Test for the Sui Ecosystem

Shifting the perspective from individual users to the entire system, the most important information from this incident is what Scallop repeatedly emphasized in their statement: the affected scope was limited to the auxiliary contract related to the sSUI reward pool, with the core lending contract and other reward pools unaffected. In other words, the black hole of 150,000 SUI did not expand to the main lending pool or even the entire protocol's asset surface.

That point turned out to be crucial. With no sign of abnormal liquidations in the main pool, no indication of large-scale withdrawals, and no reports of cascading liquidations or liquidity exhaustion, the attack was cut off at an "edge layer," the auxiliary contract of the reward pool, rather than striking the heart of the protocol. After discovering the anomaly the project team quickly froze the contract, pinning the bleed at its source, so the incident looks more like a collapsed side road than a severed main artery.

From an architectural perspective, such a "limited scope" incident acts as a buffer zone. Auxiliary contracts assume functions like reward distribution and incentive expansions, connecting to the core system while maintaining some separation in terms of permissions and fund flows. The reason this attack did not immediately escalate into a systemic crisis largely depends on this separation still functioning—what the attacker took was about 150,000 SUI from the sSUI reward pool's auxiliary contract, rather than penetrating deep into the core lending pool.

Of course, for Scallop itself, this remains a direct and heavy blow. Scallop is already a relatively well-known lending protocol within the Sui ecosystem, providing various asset pools for lending and rewards; the total locked value it had accumulated previously had also made it one of the few foundational protocols on Sui that consistently receives attention. Consequently, when a "well-known, sizable protocol providing multi-asset pool services" experiences a security incident, the market's first reaction is often not "this reward pool has issues," but rather instinctively questioning: "Is the main lending pool okay? Is the safety narrative of the entire chain about to be discounted?"

The answer this incident gives is a relatively narrow boundary: at the time of disclosure Scallop still held a certain level of locked value, the core contract was repeatedly marked safe by the official team, other reward pools were operating normally, and there was no public signal of a panic migration out of the Sui ecosystem as a result. That keeps the impact largely at the level of confidence: outsiders will reassess auxiliary contracts, reward expansions, and risk-control boundaries, but it is hard to equate this with a "systemic black swan" for the Sui chain as a whole.

For the Sui ecosystem, a contained incident of this kind is a public lesson. When a protocol expands its reward pools and adds auxiliary contracts, it can make mistakes in engineering or audit process, and the cost falls first on that protocol. At the ecosystem level, what is really shaken is the narrative: will developers treat "auxiliary contracts" more cautiously, and will users pay closer attention to which layer of contracts their funds actually sit in when choosing a lending pool? Scallop's freeze and its commitment to full compensation pushed the panic back from "chain-level risk" to "single-protocol incident," but how the Sui ecosystem reaffirms its security narrative afterward is a follow-up question this incident has put to every participant.

From Discovery to Freezing: A Microcosm of Crisis Management

Returning to the day of the incident, the story starts not with anything grand but with an "anomaly" observed during operations. On April 26, 2026, once monitoring flagged abnormal indicators on the auxiliary contract related to the sSUI reward pool, Scallop did not wait for the community to notice or for public sentiment to build; it classified the matter internally as a potential security incident from the start. That meant every subsequent action would follow the order "first stop the bleeding, then explain."

The "stop the bleeding" step was concrete. After confirming that the anomaly was linked to an outflow of funds, the team immediately froze the affected auxiliary contract of the sSUI reward pool, as later set out in the official briefing. To outsiders this looks like a mere "pause button": the contract is locked, new operations are rejected, and the funding channel is cut. But with the source of the attack not yet fully traced and the exploit path still unclear, the freeze itself creates a barrier inside the system, confining the risk to a contract already confirmed to be faulty and preventing losses from spreading from a "known range" into "systemic risk."

This response is not unusual. Looking back at past security incidents, immediately freezing the related contracts and suspending the related functions has become the industry's default emergency response, not because it is elegant but because in on-chain confrontations speed and scope decide outcomes before the technical details do. For Scallop, a quick freeze meant that even before identifying the attacker or reconstructing the full set of transaction hashes, it could at least lock the loss at the officially disclosed figure of about 150,000 SUI instead of watching the "hole" widen during the investigation.

After stopping the bleeding, it is time for the "explanation" part. On the same day, Scallop chose to release an official statement via X/Twitter, transforming this attack from an internal event into a publicly acknowledged incident: confirming the targeted attack on the auxiliary contract of the sSUI reward pool, disclosing the loss scale of approximately 150,000 SUI, and clarifying that this scope is limited to that auxiliary contract, with the core lending contract and other reward pools unaffected. More critically, the project team committed in the same statement to fully cover user losses resulting from this incident, ensuring users would not bear the costs of this security incident.

The logic behind this set of phrasing is clear: on one hand, define boundaries to reduce panic—"the issue is only here"; on the other hand, express attitudes to divert anxiety—"we bear the losses." In on-chain security incidents, time is often not on the protocol's side; if the official response lags behind rumors and community disclosures, panic will automatically fill the information void. Scallop's decision to disclose the facts and compensation promises on the same day as the incident at least prevents handing the situation over to speculation and conspiracy theories.

Nevertheless, this emergency response leaves clear gaps. As of the briefing, Scallop had not published the attacker's address, the specific transaction hashes, or the method of exploitation, nor had it explained the source of the compensation funds. In other words, what we have seen so far is a crisis-management sequence of "freeze first, compensate first"; we have not yet seen a complete technical post-mortem or an independent assessment. For any protocol that slips up while expanding reward pools and auxiliary contracts, post-incident transparency, covering the root cause, the gaps in internal audits, and the defensive changes that follow, determines whether the incident is truly an "accident" or merely a prelude to a repeat. Scallop has acted to stabilize the short-term situation; building long-term trust through public information and outside scrutiny is the harder test still ahead on this timeline.

After a Broken Window: How Users and Project Teams Protect Themselves

If we view the breach of the sSUI reward pool's auxiliary contract as Scallop's entire system's first "broken window," then what has broken is not the core lending logic, but the auxiliary structures that have grown around the main framework. On April 26, 2026, the project team discovered an anomaly during operations, pinpointing it to an auxiliary contract related to the sSUI reward pool, and subsequently confirmed the theft of approximately 150,000 SUI. The official team immediately froze that contract, emphasized that the core lending contract and other reward pools remained unaffected, and committed to full compensation on X—this series of actions constitutes their immediate sealing of this "broken window."

In terms of results, this incident exposes safety vulnerabilities at the auxiliary contract level: the main contract claims a clear safety boundary but, while expanding rewards and secondary yields, leaves new risk points on the periphery. The fact that the auxiliary contract was exploited while the main contract and other reward pools remained unharmed is itself an intuitive representation of risk distribution. Scallop stabilized the situation through freezing and compensation, but as of the time of the briefing, the details of the vulnerability and the source of compensation funds remain undisclosed, meaning the outside world can only see the "stop the bleeding" aspect, without visibility into the "surgical record."

For users, this incident serves as a reminder not just of a project name, but of an entire set of usage habits. When choosing protocols, focusing solely on yields and brands is far from sufficient—it is important to clearly ask:
● Is this product a single contract, or a set of separately deployed main and auxiliary contracts? In which layer of that structure does your capital actually sit?
● Are various reward pools and additional yield pools separately deployed? Do they have independent audits, and are they clearly marked as "experimental" or "high-risk"?
● Has the project publicly disclosed past security incidents and review reports, and is there a complete timeline and accountability explanation?

In other words, when a protocol starts to "stack buffs," pile on rewards, and add peripheral functions, each added layer of yield design deserves a correspondingly higher level of vigilance. Ask where the yield in that piece of logic comes from and whether that piece has been through the same level of security review, instead of assuming it is "safe because the main contract is."

For the project team, the breach of the sSUI reward pool's auxiliary contract serves as a clear warning: when expanding rewards and peripheral functions, auxiliary contracts should not be treated as “plugins” beyond the safety boundary. Even if the main contract has undergone multiple rounds of audits, any newly added reward pools, yield contracts, and external adaptation layers should be treated as new attack surfaces.
● In terms of design, clearly distinguish between "core fund flows" and "experimental yield layers," and straightforwardly label risk levels in documentation and interfaces;
● In process terms, include auxiliary contracts in the same auditing and testing standards as core contracts, rather than lowering the threshold with the reason of "it's just reward logic";
● In terms of information disclosure, establish traceable records for every functional expansion, letting users know "when this code went live, to what degree it was audited, and who is responsible for it."
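The design and process points above, and the freeze described in the crisis-management section, can be made concrete in code. The following Sui Move module is an added example written for this article; it is not Scallop's code, and since the vulnerability in the real incident has not been disclosed it does not reproduce it. The module name `example::reward_pool`, the `AdminCap` and `RewardPool` objects, the `accrue` and `claim` functions, and the error codes are all hypothetical names chosen for illustration. It shows three of the properties the text argues for: the reward pool holds its own `Balance<SUI>` inside a separate shared object whose fields only this module can touch, so core lending logic cannot drain it and a reward-pool bug cannot reach the lending pool; every value-moving entry point checks a pause flag, which is what an emergency freeze flips; and both the pause and the crediting of rewards are gated by a capability object, which is the permission boundary between "core fund flows" and the "experimental yield layer." It assumes the Sui Move 2024 edition and the standard `sui` framework.

```move
/// Added example for this article (not Scallop's code): a reward pool kept
/// in its own shared object with a capability-gated emergency pause.
/// Assumes the Sui Move 2024 edition and the standard `sui` framework, where
/// `object`, `transfer` and `tx_context` are implicitly imported.
module example::reward_pool;

use sui::balance::{Self, Balance};
use sui::coin::{Self, Coin};
use sui::event;
use sui::sui::SUI;
use sui::table::{Self, Table};

const EPaused: u64 = 0;
const ENothingAccrued: u64 = 1;
const EInsufficientRewards: u64 = 2;

/// Held by the protocol admin (or a multisig). Required to pause the pool
/// and to credit rewards; the core lending module never receives it.
public struct AdminCap has key, store { id: UID }

/// The auxiliary reward pool. Its SUI sits in a private `Balance` inside this
/// object, so no other module can move it except through the functions below.
public struct RewardPool has key {
    id: UID,
    rewards: Balance<SUI>,
    /// Per-user entitlement ledger; `claim` pays out only what was credited.
    accrued: Table<address, u64>,
    paused: bool,
}

/// Emitted on every pause/unpause so monitoring can alert on it.
public struct PauseChanged has copy, drop { paused: bool }

fun init(ctx: &mut TxContext) {
    transfer::transfer(AdminCap { id: object::new(ctx) }, ctx.sender());
    transfer::share_object(RewardPool {
        id: object::new(ctx),
        rewards: balance::zero(),
        accrued: table::new(ctx),
        paused: false,
    });
}

/// Anyone may top up the pool; deposits are never refused by the pause.
public fun fund(pool: &mut RewardPool, deposit: Coin<SUI>) {
    pool.rewards.join(deposit.into_balance());
}

/// Credit a user's entitlement. Only the capability holder can do this,
/// so a bug elsewhere cannot mint claims out of thin air. u64 addition
/// aborts on overflow in Move, so the ledger cannot silently wrap.
public fun accrue(_: &AdminCap, pool: &mut RewardPool, user: address, amount: u64) {
    if (pool.accrued.contains(user)) {
        let current = pool.accrued.borrow_mut(user);
        *current = *current + amount;
    } else {
        pool.accrued.add(user, amount);
    }
}

/// The emergency freeze. Flipping `paused` blocks every payout path at once
/// without touching balances or entitlements, so claims resume intact later.
public fun set_paused(_: &AdminCap, pool: &mut RewardPool, paused: bool) {
    pool.paused = paused;
    event::emit(PauseChanged { paused });
}

/// Pay out the caller's full entitlement. Pause check first, then the
/// entitlement and reserve checks; any failed assert aborts the whole
/// transaction, leaving ledger and balance untouched.
public fun claim(pool: &mut RewardPool, ctx: &mut TxContext): Coin<SUI> {
    assert!(!pool.paused, EPaused);
    let user = ctx.sender();
    assert!(pool.accrued.contains(user), ENothingAccrued);
    let amount = pool.accrued.remove(user);
    assert!(pool.rewards.value() >= amount, EInsufficientRewards);
    coin::from_balance(pool.rewards.split(amount), ctx)
}

/// Read-only views for dashboards and post-incident reconciliation.
public fun is_paused(pool: &RewardPool): bool { pool.paused }
public fun reserve(pool: &RewardPool): u64 { pool.rewards.value() }
```

The freeze the article describes corresponds to a single `set_paused(cap, pool, true)` transaction by whoever holds the `AdminCap`, and the `PauseChanged` event gives monitoring a hard signal to alert on. The `reserve` view is what an operator compares against the sum of outstanding entitlements; a reserve falling faster than the ledger shrinks is exactly the "abnormal indicator" that should trigger the pause. None of this substitutes for the process point above: a pause limits blast radius after a bug is found, while the same audit and test standard as the core contract is what keeps the bug from being there.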

In the period ahead, what truly decides the course of this event will not be how the 150,000 SUI is refilled but whether three threads are tied off: first, how the compensation commitment is executed against a timetable and whether the process is verifiable; second, whether the technical post-mortem is published in enough detail for the community to see "where the problem was" and "how it was sealed off"; and third, whether the Sui ecosystem and other protocols are willing to treat the incident as a public textbook and re-examine the boundaries of all their reward pools and auxiliary contracts. Only when those three have answers can this "broken window" become the starting point of genuine system hardening rather than a trailer for the next incident.
