Scallop Protocol, a lending platform built on the Sui blockchain, suffered a flash-loan exploit on Sunday that resulted in the loss of approximately $142,000 (about 150,000 SUI), making this the second exploit reported so far, after the KelpDAO exploit. Early reports indicate the attack was a highly targeted oracle manipulation that allowed the exploiter to drain funds without interacting with Scallop's core contracts.
A Precision Exploit on a Deprecated Contract
According to the post on X, the attacker did not compromise Scallop’s main protocol logic. Instead, they exploited a deprecated side contract—a component no longer meant to be in active use but still accessible on-chain. This overlooked contract became the attack vector, revealing what analysts are calling a deeper design flaw in the protocol’s architecture.
The exploit combined:
- A flash loan, providing the attacker with temporary capital
- Oracle manipulation, enabling them to distort asset pricing
- A deprecated contract, which lacked updated safeguards
This combination allowed the attacker to artificially influence price feeds and extract value before the system could react.
Why This Attack Matters
While the dollar amount is relatively small compared to major DeFi exploits, the nature of the attack raises important concerns:
1. Deprecated Contracts Remain a Hidden Liability
Even when no longer in use, old contracts can remain callable on-chain. If not properly disabled or migrated, they become silent attack surfaces.
2. Oracle Manipulation Remains a Top DeFi Threat
Manipulating price feeds—especially in low‑liquidity environments—continues to be one of the most common and effective exploit strategies.
3. Sui Ecosystem Security Under Scrutiny
As Sui-based protocols grow, attackers are increasingly probing for weak points in newer ecosystems.
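The two mechanics the article describes, a spot price that one large borrowed-capital swap can move within a single transaction, and a retired contract that still answers calls, are easier to reason about in a small model. The following simulation is an added example, not Scallop's code and not a reconstruction of the actual incident: it uses a toy constant-product pool, a lending market with an assumed 80% loan-to-value ratio, and two defensive guards. The guarded oracle compares the live price with a time-weighted average of earlier observations and refuses any quote that deviates by more than 5%; the deprecation flag refuses service on a retired market. All names, reserves and thresholds are constructed for illustration.

```python
"""
Constructed simulation (not Scallop code): how a flash-loan-sized swap moves an AMM spot
price, why a market that trusts that spot price over-extends credit, and two defensive
guards: a TWAP-plus-deviation oracle that refuses the outlier, and a deprecation flag that
refuses service on a retired market.
"""
from collections import deque
from dataclasses import dataclass, field

LTV = 0.8  # assumed loan-to-value ratio for the toy market


class OracleRejected(Exception):
    """Raised when a quoted price deviates too far from the reference."""


class MarketDeprecated(Exception):
    """Raised when a retired market is still being called."""


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool; the price of X denominated in Y is reserve_y / reserve_x."""
    reserve_x: float
    reserve_y: float

    def spot_price(self) -> float:
        return self.reserve_y / self.reserve_x

    def swap_y_for_x(self, amount_y: float) -> float:
        """Deposit Y, withdraw X, keeping the product of reserves constant."""
        k = self.reserve_x * self.reserve_y
        new_reserve_y = self.reserve_y + amount_y
        new_reserve_x = k / new_reserve_y
        out_x = self.reserve_x - new_reserve_x
        self.reserve_x, self.reserve_y = new_reserve_x, new_reserve_y
        return out_x


class SpotOracle:
    """Trusts the live pool price: cheap, but movable within one transaction."""

    def price(self, spot: float) -> float:
        return spot


@dataclass
class GuardedOracle:
    """Compares the live price with a TWAP of recorded observations and rejects outliers."""
    window: int = 10
    max_deviation: float = 0.05
    history: deque = field(default_factory=deque)

    def record(self, price: float) -> None:
        self.history.append(price)
        while len(self.history) > self.window:
            self.history.popleft()

    def twap(self) -> float:
        return sum(self.history) / len(self.history)

    def price(self, spot: float) -> float:
        reference = self.twap()
        if abs(spot - reference) / reference > self.max_deviation:
            raise OracleRejected(f"spot {spot:.4f} deviates from TWAP {reference:.4f}")
        return spot


@dataclass
class LendingMarket:
    pool: ConstantProductPool
    oracle: object
    deprecated: bool = False  # a retired market must fail closed, not keep serving

    def borrow_limit(self, collateral_x: float) -> float:
        if self.deprecated:
            raise MarketDeprecated("market retired; migrate to the current version")
        price = self.oracle.price(self.pool.spot_price())
        return collateral_x * price * LTV


def simulate() -> dict:
    """Run the scenario and return the numbers a reviewer would want to compare."""
    pool = ConstantProductPool(reserve_x=1_000_000.0, reserve_y=1_000_000.0)
    guarded = GuardedOracle()
    for _ in range(10):  # ten honest observations at price 1.0 before the swap
        guarded.record(pool.spot_price())
    naive = LendingMarket(pool, SpotOracle())
    safe = LendingMarket(pool, guarded)
    retired = LendingMarket(pool, SpotOracle(), deprecated=True)

    results = {"spot_before": pool.spot_price(), "honest_limit": naive.borrow_limit(1_000.0)}
    pool.swap_y_for_x(500_000.0)  # one large swap funded by borrowed capital in the same block
    results["spot_after"] = pool.spot_price()
    results["naive_limit"] = naive.borrow_limit(1_000.0)  # credit extended against a moved price
    try:
        safe.borrow_limit(1_000.0)
        results["guarded_rejected"] = False
    except OracleRejected:
        results["guarded_rejected"] = True
    try:
        retired.borrow_limit(1_000.0)
        results["deprecated_rejected"] = False
    except MarketDeprecated:
        results["deprecated_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Against the same 1,000 units of collateral, the market reading the live price more than doubles the credit it extends after the swap, while the guarded oracle refuses the quote because it sits far outside the 5% band around the average of earlier observations. The deprecation flag is the simplest form of the second guard; on Sui, a common pattern is a version field on the shared configuration object that every entry function checks, so that calls through an old package version abort instead of executing stale logic.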
Community and Market Reaction
The exploit was quickly flagged by crypto news aggregators and security analysts. While Scallop has not yet released a full post‑mortem, the community is already calling for:
- A comprehensive audit of all legacy and deprecated contracts
- Stronger oracle protections
- A formal incident response plan
Despite the breach, there is no indication that Scallop’s primary lending pools or user deposits were directly compromised.
What Comes Next
A full technical breakdown is expected once Scallop completes its internal investigation. The key questions now are:
- How long was the deprecated contract left active?
- Why was it not decommissioned or permission‑restricted?
- What changes will be implemented to prevent similar exploits?
For now, the incident serves as a reminder that DeFi security is only as strong as its oldest, least‑maintained component.
