Scallop Lend

avoid.net/scallop-lend · 32/100 · 72% conf.
[AI-DRAFTED · AWAITING VERIFICATION][src:defillama]
anchored·2YN8j3…t5mQ

Summary

Scallop Lend is a DeFi lending and borrowing protocol deployed on the Sui blockchain, and the first DeFi project to receive an official grant from the Sui Foundation. On April 26, 2026, the protocol suffered a flash-loan exploit that drained approximately 150,000 SUI (roughly $142,000) from a deprecated rewards contract that had remained callable on-chain for approximately 17 months despite no longer being in active use. The protocol covered 100% of user losses from treasury reserves and resumed operations within two hours, though the incident raised questions about legacy contract hygiene and the completeness of prior audits by OtterSec, MoveBit, and Zellic.

Timeline (9 events)

2023-11-01

Scallop deploys the V2 sSUI Spool rewards contract, containing an uninitialized 'last_index' variable that will later be exploited.

The Merkle

2024-03-01

Scallop raises $3 million in strategic round co-led by CMS Holdings and 6th Man Ventures, with participation from KuCoin Labs, Mysten Labs, and Blockchain Founders Fund.

Decrypt

2024-03-12

SCA token generation event (TGE); protocol presents SCA tokenomics with 250 million total supply.

Decrypt

2025-02-01

Scallop passes a full security audit conducted by the Sui Foundation, which does not identify the deprecated V2 spool contract as a live risk.

Blockonomi

2025-09-12

ZachXBT exposes over 200 crypto influencers for undisclosed paid promotions across the industry; specific project names involved were not fully confirmed in available records.

Disruption Banking

2026-03-29

Scallop reports TVL of approximately $130 million, establishing itself as the leading lending and borrowing protocol on Sui.

The Block

2026-04-26

Attacker exploits the deprecated V2 sSUI Spool rewards contract, draining 150,000 SUI (~$142,000) via an uninitialized reward index variable. Stolen assets passed through a Sui privacy mixer.

Multiple — Crypto Times, MoneyCheck, Yahoo Finance

2026-04-26

Scallop team discloses breach at 12:50 UTC, freezes affected contract, and pledges 100% coverage of losses from treasury. Core protocol operations restored within two hours.

Grafa / KuCoin

2026-04-27

Attacker contacts Scallop team, offering to return 80% of stolen funds in exchange for a white-hat bounty. Outcome of negotiations not publicly confirmed.

Crypto Times

Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-5

generated: 5/4/2026, 1:51:10 AM

last updated: 6/10/2026, 2:27:02 PM
