← Scallop Lend3 decisions on this page

Audit log

Every state-changing event for Scallop Lend: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

#1publishby system:backfill
2026-05-30 12:21:17Z
Score: ? → ? (no score change)
anchoranchored
chain
●mainnet-betaslot 423,155,334
sig
2YN8j3HA93GZ…6WoYt5mQexplorer ↗
hash
EVMfx8iwecvm…ELYQHFL9sha256 → base58
verifying row…full verify ↗
canonical bytes (13508 B) ▸
{"actor":"system:backfill","investigation_id":"36f1c665-fe89-475f-9df0-0788b6519bd0","kind":"publish","page_slug":"scallop-lend","published_at":"2026-05-30T12:21:17.623Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Scallop Lend","sections":[{"content":"","heading":"","severity":"low","sources":[{"credibility":2,"name":"Scallop Protocol on Sui Hits Record Revenue, Solidifying Leadership in DeFi Lending — The Block","type":"news_article","url":"https://www.theblock.co/press-releases/348756/scallop-protocol-on-sui-hits-record-revenue-solidifying-leadership-in-defi-lending"},{"credibility":2,"name":"What Is Scallop? Sui's Top DeFi Lending Protocol with $SCA Token and veSCA Rewards — Backpack","type":"other","url":"https://learn.backpack.exchange/articles/what-is-scallop-institutional-grade-defi-lending-on-sui"},{"credibility":2,"name":"Scallop Lend — DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/scallop-lend"}]},{"content":"","heading":"","severity":"high","sources":[{"credibility":2,"name":"Scallop Exploit Drains 150K SUI Through Deprecated Contract As Hidden Vulnerability Lurks For 17 Months — The Merkle","type":"news_article","url":"https://themerkle.com/scallop-exploit-drains-150k-sui-through-deprecated-contract-as-hidden-vulnerability-lurks-for-17-months/"},{"credibility":2,"name":"Scallop Loses $142K in Flash Loan Attack on Deprecated Contract — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/04/27/scallop-loses-142k-in-flash-loan-attack-on-deprecated-contract/"},{"credibility":2,"name":"Scallop Protocol Suffers $142K Loss After Exploiter Drains Deprecated Sui Contract — MoneyCheck","type":"news_article","url":"https://moneycheck.com/scallop-protocol-suffers-142k-loss-after-exploiter-drains-deprecated-sui-contract"},{"credibility":1,"name":"Another DeFi Exploit Drains 150,000 SUI From Scallop's Deprecated Contract — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/another-defi-exploit-drains-150-201624490.html"},{"credibility":2,"name":"Scallop on Sui Exploit Deep Dive: 150K SUI Recovery and Future Security Roadmap — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/bd-scallop-on-sui-exploit-deep-dive-150k-sui-recovery-and-future-security-roadmap"},{"credibility":2,"name":"Scallop Protocol lost $142K in a flash loan merged with an oracle manipulation attack — CryptoNews","type":"news_article","url":"https://cryptonews.net/news/security/32767454/"}]},{"content":"","heading":"","severity":"high","sources":[{"credibility":2,"name":"Scallop Exploit Drains 150K SUI Through Deprecated Contract As Hidden Vulnerability Lurks For 17 Months — The Merkle","type":"news_article","url":"https://themerkle.com/scallop-exploit-drains-150k-sui-through-deprecated-contract-as-hidden-vulnerability-lurks-for-17-months/"},{"credibility":2,"name":"Scallop DeFi Exploit Exposes Deprecated Contract Risk Amid April 2026's $606M Loss Streak — Blockonomi","type":"news_article","url":"https://blockonomi.com/scallop-defi-exploit-exposes-deprecated-contract-risk-amid-april-2026s-606m-loss-streak"},{"credibility":1,"name":"Audits — Scallop Documentation","type":"official","url":"https://docs.scallop.io/protocol/auditing"},{"credibility":2,"name":"$150K in SUI Lost: Scallop's Forgotten Contract — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/150k-in-sui-lost-scallops-forgotten-contract/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Scallop Hack: $142K Flow Through Sui's DeFi, Not a Systemic Risk — AInvest","type":"news_article","url":"https://www.ainvest.com/news/scallop-hack-142k-flow-sui-defi-systemic-risk-2604/"},{"credibility":2,"name":"Scallop Loses 150,000 SUI in sSUI Reward Pool Exploit — Phemex","type":"news_article","url":"https://phemex.com/news/article/scallop-suffers-150000-sui-loss-from-ssui-reward-pool-exploit-76369"},{"credibility":2,"name":"Scallop exploit drains 150K SUI funds — Grafa","type":"news_article","url":"https://grafa.com/en/news/crypto/scallop-sui-exploit-150k-loss"},{"credibility":2,"name":"Scallop exploit drains 150K SUI, but what about core liquidity and trust? — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/scallop-exploit-drains-150k-sui-but-what-about-core-liquidity-and-trust/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"ZachXBT — Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/ZachXBT"},{"credibility":2,"name":"ZachXBT Exposes Over 200 Crypto Influencers for Undisclosed Paid Promotions — Disruption Banking","type":"news_article","url":"https://www.disruptionbanking.com/2025/09/12/crypto-sleuth-zachxbt-uncovers-undisclosed-payouts-to-over-200-influencers/"},{"credibility":1,"name":"ZachXBT says over 100 crypto influencers accepted promo deals without disclosing paid ads — The Block","type":"news_article","url":"https://www.theblock.co/post/368956/zachxbt-says-over-100-crypto-influencers-accepted-promo-deals-without-disclosing-paid-ads"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Scallop Protocol Presents SCA Token — Utilities and Tokenomics — Decrypt","type":"news_article","url":"https://decrypt.co/221376/scallop-protocol-presents-sca-token-utilities-and-tokenomics"},{"credibility":2,"name":"Scallop (SCA) Token Unlocks and Vesting — CryptoRank","type":"research","url":"https://cryptorank.io/price/scallop-sui/vesting"},{"credibility":1,"name":"SCA Token Documentation — Scallop Docs","type":"official","url":"https://docs.scallop.io/token/scallop-token"},{"credibility":2,"name":"Scallop (SCA) IEO Funding Rounds and Tokenomics Analysis — CryptoRank","type":"research","url":"https://cryptorank.io/ico/scallop-sui"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Scallop DeFi Exploit Exposes Deprecated Contract Risk Amid April 2026's $606M Loss Streak — Blockonomi","type":"news_article","url":"https://blockonomi.com/scallop-defi-exploit-exposes-deprecated-contract-risk-amid-april-2026s-606m-loss-streak"},{"credibility":2,"name":"Scallop Hack: $142K Flow Through Sui's DeFi, Not a Systemic Risk — AInvest","type":"news_article","url":"https://www.ainvest.com/news/scallop-hack-142k-flow-sui-defi-systemic-risk-2604/"}]}],"sources_used":[{"credibility":2,"name":"Scallop Protocol on Sui Hits Record Revenue — The Block","type":"news_article","url":"https://www.theblock.co/press-releases/348756/scallop-protocol-on-sui-hits-record-revenue-solidifying-leadership-in-defi-lending"},{"credibility":2,"name":"Scallop Exploit Drains 150K SUI Through Deprecated Contract — The Merkle","type":"news_article","url":"https://themerkle.com/scallop-exploit-drains-150k-sui-through-deprecated-contract-as-hidden-vulnerability-lurks-for-17-months/"},{"credibility":2,"name":"Scallop Loses $142K in Flash Loan Attack on Deprecated Contract — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/04/27/scallop-loses-142k-in-flash-loan-attack-on-deprecated-contract/"},{"credibility":2,"name":"Scallop Protocol Suffers $142K Loss — MoneyCheck","type":"news_article","url":"https://moneycheck.com/scallop-protocol-suffers-142k-loss-after-exploiter-drains-deprecated-sui-contract"},{"credibility":1,"name":"Another DeFi Exploit Drains 150,000 SUI — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/another-defi-exploit-drains-150-201624490.html"},{"credibility":2,"name":"Scallop on Sui Exploit Deep Dive — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/bd-scallop-on-sui-exploit-deep-dive-150k-sui-recovery-and-future-security-roadmap"},{"credibility":2,"name":"Scallop Protocol lost $142K — CryptoNews","type":"news_article","url":"https://cryptonews.net/news/security/32767454/"},{"credibility":2,"name":"Scallop DeFi Exploit Exposes Deprecated Contract Risk — Blockonomi","type":"news_article","url":"https://blockonomi.com/scallop-defi-exploit-exposes-deprecated-contract-risk-amid-april-2026s-606m-loss-streak"},{"credibility":2,"name":"Scallop Hack: $142K Flow Through Sui's DeFi — AInvest","type":"news_article","url":"https://www.ainvest.com/news/scallop-hack-142k-flow-sui-defi-systemic-risk-2604/"},{"credibility":2,"name":"$150K in SUI Lost: Scallop's Forgotten Contract — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/150k-in-sui-lost-scallops-forgotten-contract/"},{"credibility":2,"name":"Scallop exploit drains 150K SUI — Grafa","type":"news_article","url":"https://grafa.com/en/news/crypto/scallop-sui-exploit-150k-loss"},{"credibility":2,"name":"Scallop Loses 150,000 SUI in sSUI Reward Pool Exploit — Phemex","type":"news_article","url":"https://phemex.com/news/article/scallop-suffers-150000-sui-loss-from-ssui-reward-pool-exploit-76369"},{"credibility":2,"name":"Scallop Protocol Presents SCA Token — Decrypt","type":"news_article","url":"https://decrypt.co/221376/scallop-protocol-presents-sca-token-utilities-and-tokenomics"},{"credibility":2,"name":"Scallop (SCA) Token Unlocks and Vesting — CryptoRank","type":"research","url":"https://cryptorank.io/price/scallop-sui/vesting"},{"credibility":1,"name":"Audits — Scallop Docs","type":"official","url":"https://docs.scallop.io/protocol/auditing"},{"credibility":2,"name":"ZachXBT Exposes Over 200 Crypto Influencers — Disruption Banking","type":"news_article","url":"https://www.disruptionbanking.com/2025/09/12/crypto-sleuth-zachxbt-uncovers-undisclosed-payouts-to-over-200-influencers/"},{"credibility":2,"name":"ZachXBT — Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/ZachXBT"},{"credibility":2,"name":"Scallop Lend — DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/scallop-lend"}],"summary":"Scallop Lend is a DeFi lending and borrowing protocol deployed on the Sui blockchain, and the first DeFi project to receive an official grant from the Sui Foundation. On April 26, 2026, the protocol suffered a flash-loan exploit that drained approximately 150,000 SUI (roughly $142,000) from a deprecated rewards contract that had remained callable on-chain for approximately 17 months despite no longer being in active use. The protocol covered 100% of user losses from treasury reserves and resumed operations within two hours, though the incident raised questions about legacy contract hygiene and the completeness of prior audits by OtterSec, MoveBit, and Zellic.","timeline":[{"date":"2023-11-01","event":"Scallop deploys V2 sSUI Spool rewards contract, containing uninitialized 'last_index' variable that will later be exploited.","source":"The Merkle","source_url":"https://themerkle.com/scallop-exploit-drains-150k-sui-through-deprecated-contract-as-hidden-vulnerability-lurks-for-17-months/"},{"date":"2024-03-01","event":"Scallop raises $3 million in strategic round co-led by CMS Holdings and 6th Man Ventures, with participation from KuCoin Labs, Mysten Labs, and Blockchain Founders Fund.","source":"Decrypt","source_url":"https://decrypt.co/221376/scallop-protocol-presents-sca-token-utilities-and-tokenomics"},{"date":"2024-03-12","event":"SCA token generation event (TGE); protocol presents SCA tokenomics with 250 million total supply.","source":"Decrypt","source_url":"https://decrypt.co/221376/scallop-protocol-presents-sca-token-utilities-and-tokenomics"},{"date":"2025-02-01","event":"Scallop passes a full security audit conducted by the Sui Foundation, which does not identify the deprecated V2 spool contract as a live risk.","source":"Blockonomi","source_url":"https://blockonomi.com/scallop-defi-exploit-exposes-deprecated-contract-risk-amid-april-2026s-606m-loss-streak"},{"date":"2025-09-12","event":"ZachXBT exposes over 200 crypto influencers for undisclosed paid promotions across the industry; specific project names involved were not fully confirmed in available records.","source":"Disruption Banking","source_url":"https://www.disruptionbanking.com/2025/09/12/crypto-sleuth-zachxbt-uncovers-undisclosed-payouts-to-over-200-influencers/"},{"date":"2026-03-29","event":"Scallop reports TVL of approximately $130 million, establishing itself as the leading lending and borrowing protocol on Sui.","source":"The Block","source_url":"https://www.theblock.co/press-releases/348756/scallop-protocol-on-sui-hits-record-revenue-solidifying-leadership-in-defi-lending"},{"date":"2026-04-26","event":"Attacker exploits deprecated V2 sSUI Spool rewards contract, draining 150,000 SUI (~$142,000) by exploiting an uninitialized reward index variable. Stolen assets passed through a Sui privacy mixer.","source":"Multiple — Crypto Times, MoneyCheck, Yahoo Finance","source_url":"https://www.cryptotimes.io/2026/04/27/scallop-loses-142k-in-flash-loan-attack-on-deprecated-contract/"},{"date":"2026-04-26","event":"Scallop team discloses breach at 12:50 UTC, freezes affected contract, and pledges 100% coverage of losses from treasury. Core protocol operations restored within two hours.","source":"Grafa / KuCoin","source_url":"https://grafa.com/en/news/crypto/scallop-sui-exploit-150k-loss"},{"date":"2026-04-27","event":"Attacker contacts Scallop team, offering to return 80% of stolen funds in exchange for a white-hat bounty. Outcome of negotiations not publicly confirmed.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/04/27/scallop-loses-142k-in-flash-loan-attack-on-deprecated-contract/"}]},"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 0453e5ea-3265-4b84-8129-5d6544cb5286
#2reviewby reviewerreviewer
2026-06-10 14:27:02Z
Score: 52 → 52 (no score change)
The core exploit narrative (date, mechanism, amount, attacker offer, 100% coverage) is well-supported by multiple independent sources. However, the page contains a significant year error in the TVL timeline entry (2026 vs the actual 2025 press release date), the protocol's current leadership position on Sui is stale and incorrect per DefiLlama, and the 'two-hour restoration' claim is contradicted by a more detailed source (KuCoin) that states 72 hours. The inclusion of an entire section on the ZachXBT influencer exposé lacks any established link to Scallop specifically.
anchoranchored
chain
●mainnet-betaslot 425,563,579
sig
wwQzi8S5N3Qe…joTSiZ8yexplorer ↗
hash
7KFMQ1zYQpFe…rJ2BmBK7sha256 → base58
verifying row…full verify ↗
canonical bytes (924 B) ▸
{"actor":"reviewer","decided_at":"2026-06-10T14:27:02.805Z","decision":"review","investigation_id":"36f1c665-fe89-475f-9df0-0788b6519bd0","new_score":52,"page_slug":"scallop-lend","prev_score":52,"reason":"The core exploit narrative (date, mechanism, amount, attacker offer, 100% coverage) is well-supported by multiple independent sources. However, the page contains a significant year error in the TVL timeline entry (2026 vs the actual 2025 press release date), the protocol's current leadership position on Sui is stale and incorrect per DefiLlama, and the 'two-hour restoration' claim is contradicted by a more detailed source (KuCoin) that states 72 hours. The inclusion of an entire section on the ZachXBT influencer exposé lacks any established link to Scallop specifically.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 23990f60-81c2-45f8-a78f-87c9ebedca3c
#3review reviseby judgejudge
2026-06-10 14:27:03Z
Score: 52 → 32 (-20)
The reviewer found 37.5% of claims disputed or partially supported across 16 checked claims, placing this in the significant-issues band. The most material error is claim_findings[12]: the March 29, 2026 TVL entry contains a year error — the cited press release is dated March 29, 2025 — and DefiLlama (Tier 1) shows current TVL at approximately $15 million, directly contradicting the stated $130 million figure and leadership claim. Secondary issues include claim_findings[6] and claim_findings[14], where the 'two-hour restoration' timeline is contradicted by the KuCoin deep-dive (Tier 2) stating 72 hours, and claim_findings[10], where the February 2025 audit is attributed to 'the Sui Foundation' when it was conducted by Asymptotic, a partner firm. The core exploit narrative (date, mechanism, loss amount, 100% coverage) is well-supported. The page requires correction of the TVL year error and several partially-supported timeline details before the investigation can be approved.
anchoranchored
chain
●mainnet-betaslot 425,563,588
sig
26KsALgi9dCA…nXP1K4gwexplorer ↗
hash
9zqqMqahfHu5…QAJXoem1sha256 → base58
verifying row…full verify ↗
canonical bytes (1343 B) ▸
{"actor":"judge","decided_at":"2026-06-10T14:27:02.805Z","decision":"review_revise","investigation_id":"36f1c665-fe89-475f-9df0-0788b6519bd0","new_score":32,"page_slug":"scallop-lend","prev_score":52,"reason":"The reviewer found 37.5% of claims disputed or partially supported across 16 checked claims, placing this in the significant-issues band. The most material error is claim_findings[12]: the March 29, 2026 TVL entry contains a year error — the cited press release is dated March 29, 2025 — and DefiLlama (Tier 1) shows current TVL at approximately $15 million, directly contradicting the stated $130 million figure and leadership claim. Secondary issues include claim_findings[6] and claim_findings[14], where the 'two-hour restoration' timeline is contradicted by the KuCoin deep-dive (Tier 2) stating 72 hours, and claim_findings[10], where the February 2025 audit is attributed to 'the Sui Foundation' when it was conducted by Asymptotic, a partner firm. The core exploit narrative (date, mechanism, loss amount, 100% coverage) is well-supported. The page requires correction of the TVL year error and several partially-supported timeline details before the investigation can be approved.","score_delta":-20,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision d7a001d0-dce7-43f5-8cdc-58e063337821

How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.