Another DeFi Exploit Drains 150,000 SUI From Scallop’s Deprecated Contract
Summary
Scallop, a DeFi money market on the Sui Network, experienced an exploit that drained approximately 150,000 SUI from a deprecated rewards contract. The attacker targeted a side contract related to the sSUI spool, which is the protocol's incentive layer for SUI depositors. The Scallop team quickly froze the affected contract and confirmed that core lending and borrowing pools, as well as user deposits, remained safe. Core operations resumed within two hours, and the team pledged full reimbursement from its treasury, assuring users that their funds were unaffected and yields would not be diluted. The attacker exploited a bug involving an uninitialized 'last_index' counter in a V2 spool package deployed in November 2023, which allowed them to claim a disproportionately large amount of rewards. This incident follows a pattern of recent exploits in the Sui DeFi ecosystem that target peripheral code rather than core protocol logic, raising concerns about how immutable code is managed and how much attack surface deprecated packages leave exposed on the Sui network.
(Source: BeInCrypto)