Audit log

Every state-changing event for Volo Protocol: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-14 23:19:55Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 426,514,991

   sig

   4p3iH5Sae9F9…qUqnyg1xcopyexplorer ↗

   hash

   FMgKpL7ZVN81…ejCgdnJ5copysha256 → base58

   verifying row…full verify ↗

   canonical bytes (18006 B) ▸

   {"actor":"system:backfill","investigation_id":"0c625ed3-6bc1-4649-a726-569f64e5e919","kind":"publish","page_slug":"volo-protocol","published_at":"2026-06-14T23:19:55.000Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Volo Protocol","sections":[{"content":"Volo Protocol is a decentralized liquid staking platform on the Sui blockchain. Users deposit SUI tokens and receive voloSUI (vSUI), a liquid staking token that accrues staking rewards while remaining usable across Sui DeFi applications. Beyond liquid staking, Volo expanded into multi-asset yield vaults, including products holding wrapped Bitcoin (WBTC), tokenized gold (XAUm from Matrixdock), and USDC. The protocol ranked first in the Sui Foundation's Liquid Staking Hackathon. According to CoinMarketCap and search-aggregated data, Volo's peak TVL in its liquid staking segment was reported at approximately $50 million, with an additional $28 million in vault products remaining unaffected after the April 2026 exploit. DefiLlama data places Volo as a smaller participant in Sui's LST ecosystem compared to SpringSui and Haedal Protocol.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Volo Staked SUI price today, VSUI to USD live price, marketcap and chart","type":"other","url":"https://coinmarketcap.com/currencies/volo-staked-sui/"},{"credibility":2,"name":"Volo LST TVL Stats and Charts - DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/volo-lst"},{"credibility":2,"name":"Liquid Staking 101 - Volo DAO GitBook","type":"official","url":"https://volosui.gitbook.io/volo/liquid-staking/liquid-staking-101"}]},{"content":"Volo Protocol was acquired by NAVI Protocol in January 2024, in what was described as the first combined borrowing, lending, and liquid staking integration on the Sui network. Following the acquisition, the Volo team joined NAVI Protocol. NAVI positioned voloSUI as the core liquid staking token for its ecosystem, enabling users to stake SUI, receive vSUI, and deploy that collateral within NAVI's lending markets. The acquisition was publicly announced by NAVI Protocol via official channels. No financial terms of the acquisition were publicly disclosed.","heading":"Ownership and Acquisition","severity":"low","sources":[{"credibility":2,"name":"NAVI Protocol Acquires Liquid Staking Protocol Volo - Medium","type":"official","url":"https://medium.com/@navi.protocol/navi-protocol-acquires-liquid-staking-protocol-volo-55ca7925f7c9"},{"credibility":3,"name":"NAVI Protocol on X announcing Volo acquisition","type":"social_media","url":"https://x.com/navi_protocol/status/1747578883472269721"},{"credibility":3,"name":"NAVI Protocol acquires Volo staking protocol - AiCoin","type":"news_article","url":"https://www.aicoin.com/en/article/385497"}]},{"content":"Prior to the April 2026 exploit, Volo's smart contracts underwent five formal security audits across four firms. The initial audit set was completed in late 2023: Movebit (September 7, 2023), Hacken (September 22, 2023), and OtterSec (October 1, 2023). A second round of audits covering V2 incremental changes was conducted in April 2025 by Movebit and Veridise. Audit reports are listed in Volo's official documentation. Importantly, security firms analyzing the April 2026 exploit — including GoPlus Security, ExVul, and Bitslab — attributed the breach to a compromised privileged operator key rather than a flaw in the audited smart contract code, suggesting the audited contracts themselves remained uncompromised.","heading":"Security Audits","severity":"medium","sources":[{"credibility":2,"name":"Contract Audits - Volo DAO GitBook","type":"official","url":"https://volosui.gitbook.io/volo/liquid-staking/contract-audits"},{"credibility":2,"name":"Volo Protocol Exploit: Critical $3.5M Breach Rocks Sui Network - CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/63a0c-volo-protocol-sui-exploit-details"}]},{"content":"On April 22, 2026, Volo Protocol confirmed a security breach that drained approximately $3.5 million from three of its yield vaults on the Sui blockchain. The affected vaults held wrapped Bitcoin (WBTC, approximately $2.1 million), Matrixdock tokenized gold XAUm (approximately $0.9 million), and USDC (approximately $0.5 million). The remaining $28 million in TVL across unaffected vaults was not drained. The Volo team detected the attack, immediately halted all vaults, notified the Sui Foundation, and coordinated with ecosystem partners to trace and freeze assets. Within approximately 30 minutes of public disclosure, roughly $500,000 in stolen assets — including 19.6 WBTC that attackers attempted to bridge out — was frozen through partner platform coordination. The remaining approximately $3 million remained unrecovered at time of reporting. Independent security researchers from GoPlus Security, ExVul, and Bitslab alleged the breach stemmed from a compromised high-privilege vault admin private key, likely via social engineering or credential theft, rather than a vulnerability in the audited smart contract code. Volo confirmed the exploit vector appeared isolated to the three affected vault strategies and stated a full post-mortem was forthcoming. The incident occurred days after the KelpDAO exploit, which drained $292 million, amid a broader streak of DeFi hacks in April 2026.","heading":"April 2026 Exploit","severity":"critical","sources":[{"credibility":1,"name":"Volo Protocol loses $3.5 million in exploit days after KelpDAO breach - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/22/another-defi-protocol-loses-millions-in-hack-days-after-kelpdao-breach"},{"credibility":1,"name":"Sui-based Volo Protocol exploited; team pledges to absorb losses - The Block","type":"news_article","url":"https://www.theblock.co/post/398393/sui-volo-protocol-exploited"},{"credibility":2,"name":"Volo Protocol Confirms $3.5M Sui Vault Exploit, ~$500K Already Frozen - BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/22/volo-protocol-confirms-3-5m-sui-vault-exploit-500k-already-frozen/"},{"credibility":2,"name":"SUI Crypto DeFi Protocol Volo Exploited as Team Commits to Absorbing User Losses - CryptoNews","type":"news_article","url":"https://cryptonews.com/news/sui-volo-protocol-exploited-team-absorbs-losses/"},{"credibility":2,"name":"Volo Protocol on Sui Hacked for $3.5M, Team Blocks $500K - Bitcoin Foundation News","type":"news_article","url":"https://bitcoinfoundation.org/news/crimes-and-fraud-news/volo-hacked/"},{"credibility":2,"name":"DeFi Security Suffers New Blow With $3 Million Volo Exploit - PYMNTS","type":"news_article","url":"https://www.pymnts.com/news/security-and-risk/2026/defi-security-suffers-new-blow-with-3-million-volo-exploit/"},{"credibility":2,"name":"Volo Protocol Security Breach: $3.5M Drained From Sui-Based Liquid Staking Platform - Blockonomi","type":"news_article","url":"https://blockonomi.com/volo-protocol-security-breach-3-5m-drained-from-sui-based-liquid-staking-platform/"},{"credibility":2,"name":"Volo Protocol CoinMarketCap Exploit Report","type":"news_article","url":"https://coinmarketcap.com/academy/article/volo-protocol-loses-dollar35m-in-exploit-targeting-three-sui-vaults"}]},{"content":"Following the April 2026 exploit, Volo's team publicly committed to absorbing the full $3.5 million loss without passing costs to affected users. The team stated it would publish a remediation plan explaining how and when it would make affected users whole, but no specific timeline was disclosed in initial communications. As of available reporting, no post-mortem has been published and no reimbursement mechanism had been implemented. The team froze all vaults following the breach and coordinated with the Sui Foundation and ecosystem partners. Approximately $500,000 was frozen on-chain; the recovery status of the remaining $3 million was not confirmed in available sources. The team's commitment to absorb losses rather than socialize them to liquidity providers is noted as a positive operational response, though the absence of a detailed post-mortem or reimbursement timeline represents an open risk to affected users.","heading":"Team Response and Reimbursement","severity":"high","sources":[{"credibility":2,"name":"Volo Protocol Loses $3.5 Million in Vault Exploit, Team Pledges Full User Reimbursement - The Currency Analytics","type":"news_article","url":"https://thecurrencyanalytics.com/stable-coins/volo-protocol-loses-3-5-million-in-vault-exploit-team-pledges-full-user-reimbursement-254311"},{"credibility":2,"name":"Sui DeFi Hit: Volo Protocol Loses $3.5M in Vault Exploit - CoinLaw","type":"news_article","url":"https://coinlaw.io/volo-protocol-3-5m-sui-defi-vault-exploit/"},{"credibility":2,"name":"Volo Protocol Suffered a $3.5M Exploit Targeting Sui Blockchain - Tekedia","type":"news_article","url":"https://www.tekedia.com/volo-protocol-suffered-a-3-5m-exploit-targeting-sui-blockchain/"}]},{"content":"The alleged root cause of the April 2026 exploit — a compromised privileged operator key rather than a smart contract vulnerability — raises operational security concerns distinct from code quality. If confirmed by Volo's forthcoming post-mortem, the breach would indicate that key management practices for high-privilege vault admin accounts were insufficient, potentially exposing users to risks not mitigated by smart contract audits. This class of risk (privileged key compromise) is a known vector in DeFi vault products and is generally not addressed by standard code audits. No information about Volo's key management architecture, multi-sig requirements, or hardware security module usage was available in public documentation at time of writing. The team's failure to publish a post-mortem within the timeframe covered by available reporting is also noted.","heading":"Operational Security Concerns","severity":"high","sources":[{"credibility":2,"name":"Volo Protocol Exploit: Critical $3.5M Breach Rocks Sui Network - CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/63a0c-volo-protocol-sui-exploit-details"},{"credibility":2,"name":"Volo DeFi Faces $3.5M Security Breach: A Close Look - WEEX","type":"news_article","url":"https://www.weex.com/news/detail/volo-defi-faces-35m-security-breach-a-close-look-700622"},{"credibility":3,"name":"Volo Exploit Raises Security Concerns Across Sui DeFi Ecosystem - CryptoBreaking","type":"news_article","url":"https://www.cryptobreaking.com/volo-exploit-raises-security-concerns/"}]},{"content":"No regulatory actions, SEC filings, CFTC enforcement, DOJ proceedings, or court filings involving Volo Protocol were identified in available sources. The protocol does not appear on OFAC sanctions lists based on available information. No class action lawsuits or formal legal complaints by affected users were identified. The absence of regulatory action should not be interpreted as a clean bill of health, particularly given the unresolved exploit and pending post-mortem.","heading":"Regulatory and Legal Status","severity":"low","sources":[]}],"sources_used":[{"credibility":1,"name":"Volo Protocol loses $3.5 million in exploit days after KelpDAO breach - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/22/another-defi-protocol-loses-millions-in-hack-days-after-kelpdao-breach"},{"credibility":1,"name":"Sui-based Volo Protocol exploited; team pledges to absorb losses - The Block","type":"news_article","url":"https://www.theblock.co/post/398393/sui-volo-protocol-exploited"},{"credibility":2,"name":"Volo Protocol Confirms $3.5M Sui Vault Exploit, ~$500K Already Frozen - BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/22/volo-protocol-confirms-3-5m-sui-vault-exploit-500k-already-frozen/"},{"credibility":2,"name":"SUI Crypto DeFi Protocol Volo Exploited as Team Commits to Absorbing User Losses - CryptoNews","type":"news_article","url":"https://cryptonews.com/news/sui-volo-protocol-exploited-team-absorbs-losses/"},{"credibility":2,"name":"SUI Crypto DeFi Protocol Volo Exploited - Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/sui-crypto-defi-protocol-volo-154550226.html"},{"credibility":2,"name":"Volo Protocol on Sui Hacked for $3.5M, Team Blocks $500K - Bitcoin Foundation News","type":"news_article","url":"https://bitcoinfoundation.org/news/crimes-and-fraud-news/volo-hacked/"},{"credibility":2,"name":"Volo Protocol Exploit: Critical $3.5M Breach Rocks Sui Network - CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/63a0c-volo-protocol-sui-exploit-details"},{"credibility":2,"name":"Volo Protocol Loses $3.5M in DeFi Security Breach - Phemex","type":"news_article","url":"https://phemex.com/news/article/volo-protocol-suffers-35m-loss-in-defi-security-breach-75185"},{"credibility":2,"name":"DeFi Security Suffers New Blow With $3 Million Volo Exploit - PYMNTS","type":"news_article","url":"https://www.pymnts.com/news/security-and-risk/2026/defi-security-suffers-new-blow-with-3-million-volo-exploit/"},{"credibility":2,"name":"Volo Protocol Security Breach: $3.5M Drained From Sui-Based Liquid Staking Platform - Blockonomi","type":"news_article","url":"https://blockonomi.com/volo-protocol-security-breach-3-5m-drained-from-sui-based-liquid-staking-platform/"},{"credibility":2,"name":"Volo Protocol Loses $3.5 Million in Vault Exploit, Team Pledges Full User Reimbursement - The Currency Analytics","type":"news_article","url":"https://thecurrencyanalytics.com/stable-coins/volo-protocol-loses-3-5-million-in-vault-exploit-team-pledges-full-user-reimbursement-254311"},{"credibility":2,"name":"Volo Protocol CoinMarketCap Exploit Report","type":"news_article","url":"https://coinmarketcap.com/academy/article/volo-protocol-loses-dollar35m-in-exploit-targeting-three-sui-vaults"},{"credibility":2,"name":"NAVI Protocol Acquires Liquid Staking Protocol Volo - Medium","type":"official","url":"https://medium.com/@navi.protocol/navi-protocol-acquires-liquid-staking-protocol-volo-55ca7925f7c9"},{"credibility":2,"name":"Contract Audits - Volo DAO GitBook","type":"official","url":"https://volosui.gitbook.io/volo/liquid-staking/contract-audits"},{"credibility":2,"name":"Volo LST TVL Stats and Charts - DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/volo-lst"},{"credibility":2,"name":"Volo Staked SUI price today - CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/volo-staked-sui/"},{"credibility":3,"name":"Volo Exploit Raises Security Concerns Across Sui DeFi Ecosystem - CryptoBreaking","type":"news_article","url":"https://www.cryptobreaking.com/volo-exploit-raises-security-concerns/"},{"credibility":2,"name":"Sui DeFi Hit: Volo Protocol Loses $3.5M in Vault Exploit - CoinLaw","type":"news_article","url":"https://coinlaw.io/volo-protocol-3-5m-sui-defi-vault-exploit/"},{"credibility":2,"name":"Volo Protocol Suffered a $3.5M Exploit Targeting Sui Blockchain - Tekedia","type":"news_article","url":"https://www.tekedia.com/volo-protocol-suffered-a-3-5m-exploit-targeting-sui-blockchain/"},{"credibility":3,"name":"Volo's $3.5M Breach: A Flow Test for Sui's Security and TVL - AInvest","type":"news_article","url":"https://www.ainvest.com/news/volo-3-5m-breach-flow-test-sui-security-tvl-2604/"}],"summary":"Volo Protocol is a liquid staking and DeFi vaults platform built on the Sui blockchain, offering voloSUI (vSUI) as a liquid staking token and multi-asset yield vaults. In January 2024, it was acquired by NAVI Protocol, a leading Sui lending protocol. On April 22, 2026, Volo suffered a $3.5 million exploit targeting three isolated vaults holding WBTC, XAUm, and USDC; the team pledged to absorb all user losses and approximately $500,000 was frozen on-chain, while the root cause — attributed by security researchers to a compromised privileged operator key rather than a smart contract flaw — remained under investigation at time of writing.","timeline":[{"date":"2023-07-01","event":"Volo Protocol launches on Sui blockchain with liquid staking product voloSUI; wins first place at Sui Foundation Liquid Staking Hackathon.","source":"Volo DAO GitBook and CoinMarketCap","source_url":"https://coinmarketcap.com/currencies/volo-staked-sui/"},{"date":"2023-09-07","event":"Movebit completes first smart contract audit of Volo Protocol.","source":"Volo DAO GitBook - Contract Audits","source_url":"https://volosui.gitbook.io/volo/liquid-staking/contract-audits"},{"date":"2023-09-22","event":"Hacken completes smart contract audit of Volo Protocol.","source":"Volo DAO GitBook - Contract Audits","source_url":"https://volosui.gitbook.io/volo/liquid-staking/contract-audits"},{"date":"2023-10-01","event":"OtterSec completes smart contract audit of Volo Protocol.","source":"Volo DAO GitBook - Contract Audits","source_url":"https://volosui.gitbook.io/volo/liquid-staking/contract-audits"},{"date":"2024-01-17","event":"NAVI Protocol announces acquisition of Volo Protocol, integrating voloSUI into its lending and borrowing ecosystem on Sui.","source":"NAVI Protocol - Medium","source_url":"https://medium.com/@navi.protocol/navi-protocol-acquires-liquid-staking-protocol-volo-55ca7925f7c9"},{"date":"2025-04-01","event":"Movebit and Veridise complete V2 increment audits of Volo Protocol smart contracts.","source":"Volo DAO GitBook - Contract Audits","source_url":"https://volosui.gitbook.io/volo/liquid-staking/contract-audits"},{"date":"2026-04-22","event":"Volo Protocol suffers a $3.5 million exploit targeting WBTC, XAUm, and USDC vaults on Sui. Team halts all vaults, notifies Sui Foundation, freezes approximately $500,000 in stolen assets on-chain. Team pledges to absorb all user losses.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/04/22/another-defi-protocol-loses-millions-in-hack-days-after-kelpdao-breach"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 184ed510-f64a-4e37-8093-1e933ba36176copy