2026/04/26 Scallop sSUI Spool Exploit Post-Mortem


Incident date	2026-04-26, 11:45:00 UTC
Published	2026-04-27
Status	Resolved. Affected users will be fully compensated by Scallop.
Affected contract	Deprecated sSUI rewards distributor (legacy spool module)
Loss	150,098.06 SUI ≈ $142,545 (paid from a deprecated rewards balance, not from user deposits)
Exploit transaction	`6WNDjCX3W852…NfVL`
Attacker address	`0x27bc7a3c4f40…ef44e`

1. In one minute (TL;DR)

At 2026-04-26 11:45 UTC, an attacker exploited a logic bug in Scallop's deprecated sSUI rewards distributor and drained 150,098 SUI (~$142K) from its rewards balance. The exploit was detected 18 minutes later. The protocol was paused, the residual balances of every sister rewards pool on the same code path were swept into safe custody, and the protocol unfroze just under two hours after the exploit.

What this means for users

Active deposits, lending positions, and borrows are unaffected. The exploited contract was not part of any active product line — it was a legacy rewards distributor that had been retired but still held residual SUI rewards balances.
If you had unclaimed rewards in the deprecated sSUI / swUSDT / swUSDC / safSUI / svSUI / shaSUI / sWETH spool contracts, your unclaimed balance was among the funds drained. Scallop will fully compensate all affected users from the treasury — see §7.4 for the claim process.
The attack surface is eliminated. All sister pools on the same deprecated contract have been moved to a safe-custody address. The deprecated contract holds effectively zero recoverable balance.
Net residual loss to users (after compensation): $0.

2. Impact at a glance

Item	Status
Attacker proceeds	150,098.06 SUI ≈ $142,545
Source of funds drained	Deprecated unclaimed-rewards balance (legacy spool module)
Active deposits, lending, borrowing	Unaffected
Active rewards programs	Unaffected
Users with unclaimed rewards in deprecated pools	Will be fully compensated by Scallop treasury — see §7.4 for the claim process
Sister deprecated pools (~$46K combined)	Moved to safe custody before any copy-cat could exploit
Net residual loss to users (after compensation)	$0
Funds remaining at attacker address	~34 SUI + ~$66 of stables (the rest exfiltrated to exchange-pattern wallets within 75 minutes of the exploit)

3. What happened

The attacker submitted a single Programmable Transaction Block (PTB) that:

minted a tiny position in our lending market (0.2 SUI in, 181,779,285 sSUI MarketCoin out — a legitimate operation),
opened a fresh SpoolAccount against the sSUI spool,
called update_points — but with the wrong Spool object passed in (the unrelated sWETH spool, not the sSUI spool the account was bound to),
redeemed rewards against the sSUI rewards pool, draining the pool's full SUI balance,
unstaked, redeemed the original 0.2 SUI back, and left.