
How Blockaid Detected a Smart Contract Exploit on Scallop in Real-time and Prevented Loss on Sui Ecosystem

Blog Post
Sui

Executive Summary

On April 26, 2026, an attacker exploited a reward accumulator logic bug in Scallop Protocol's sSUI Spool contract on Sui Mainnet, draining the entire sSUI rewards pool of approximately 150,098 SUI (~$142,500) in a single transaction. The attacker deposited just 0.2 SUI as stake, then abused a missing validation check to generate 162 trillion fake reward points, enough to claim the pool's entire SUI balance.

Blockaid's Onchain Monitoring platform automatically detected the exploit in real time, flagging an unusual transaction pattern from a previously unseen wallet. Through automated workflows, that early detection gave Mysten Labs and Blockaid the window needed to coordinate with the Sui ecosystem to trace attacker fund flows, identify additional vulnerable contracts, freeze the attacker's address, and pause additional at-risk contracts, preventing ~$46K in further losses.

Blockaid has been a long-term security partner to the Sui ecosystem, providing chain-level coverage across tokens, assets, wallets, protocols, and transactions through its partnership with the Sui Foundation. This incident is a demonstration of what real-time detection and ecosystem-level response coordination look like in practice.


Background: Scallop and the Spool Rewards System

Scallop is the leading lending and borrowing protocol in the Sui ecosystem, with over $22M in total value locked. It offers users the ability to supply assets, borrow against collateral, and earn yield, all built on Sui's Move-based smart contract architecture.

As part of its incentive structure, Scallop operates a system called Spools. Spools are reward distribution contracts that allow users who deposit assets into the protocol to earn SUI emissions over time. When a user deposits an asset like SUI, they receive a tokenized receipt (sSUI), and their associated SpoolAccount begins tracking their earned rewards based on an accumulating index, essentially a running tally of how many reward points the pool has issued per unit of stake since inception.

The math is straightforward when everything works correctly: the more you stake, and the longer you stake, the more reward points you accumulate, and the more SUI you can claim. What the attacker discovered is that not all of the validation guarding this math was in place.


The Exploit: How It Unfolded

1. The Attacker's Setup

The attacker's wallet was funded with approximately 5.96 SUI from a CEX-derived hot wallet roughly four minutes before the exploit was executed. The preparation was minimal: no complex infrastructure, no bridge hops, no mixers involved in the setup phase. The vulnerability required only a small amount of SUI to trigger, making this an exceptionally low-cost attack relative to the damage it caused.

2. The Missing Validation

At the center of this exploit is a single missing validation in Scallop's spool::user::update_points function. Every other function in the Spool user module (stake, unstake, redeem_rewards) included a call to spool_account::assert_pool_id, which verifies that the SpoolAccount being used actually belongs to the Spool being passed in. update_points did not.

This meant an attacker could call update_points with any Spool as the spool argument and any SpoolAccount as the account argument, regardless of whether they were designed to work together.

3. Cross-Spool Index Manipulation

The attacker exploited this gap by pairing two completely unrelated objects:

  • The sWETH Spool as the spool argument, a deprecated pool with almost no active staking but a massively inflated historical reward index of 891,301,263,052,871 (891 trillion), built up over the full lifetime of the pool's emissions.
  • A fresh sSUI-bound SpoolAccount as the account argument, their own newly created account with an index of approximately 1,191,219,615 (1.19 billion).

When update_points ran, it computed the reward delta as:

delta = (sWETH_spool.index − account.index) × stakes / 1e9 = (891T − 1.19B) × 181,779,285 / 1e9 ≈ 162,019,889,778,297 points

By pointing the update function at a spool with a 700,000x larger index, the attacker's account was credited with the entire historical reward accumulation of the sWETH pool, 162 trillion points, for a stake position that had existed for zero seconds.

4. Draining the Rewards Pool

With 162 trillion fake points now sitting in their sSUI-bound SpoolAccount, the attacker called redeem_rewards. Because the SpoolAccount and the sSUI RewardsPool were legitimately bound to one another, the binding check passed. The contract had no way to know the points were fabricated; it simply honored what the account said it was owed.

The sSUI rewards pool's full SUI balance of 150,098.06 SUI (~$142,545) was transferred out in a single transaction. Post-transaction, the pool's reward balance read zero. User principal deposits in the lending markets were not touched, only the unclaimed SUI rewards were drained.
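To make the accumulator math in steps 2 through 4 concrete, here is an added Python model of the index-delta computation with and without the assert_pool_id binding check. It is not Scallop's Move code; the Spool and SpoolAccount shapes are simplified, and the only figures it uses are the index and stake values quoted above.

```python
from dataclasses import dataclass

SCALE = 10**9  # the index is scaled by 1e9, matching the delta formula above


class PoolMismatch(Exception):
    """Raised when a SpoolAccount is paired with a Spool it is not bound to."""


@dataclass
class Spool:
    pool_id: str
    index: int  # cumulative reward points per unit of stake, scaled by 1e9


@dataclass
class SpoolAccount:
    pool_id: str  # the spool this account was created for
    stakes: int
    index: int    # spool index at the account's last update
    points: int = 0


def assert_pool_id(spool: Spool, account: SpoolAccount) -> None:
    """The binding check that stake/unstake/redeem_rewards perform."""
    if spool.pool_id != account.pool_id:
        raise PoolMismatch(f"account bound to {account.pool_id}, got {spool.pool_id}")


def update_points_unchecked(spool: Spool, account: SpoolAccount) -> int:
    """Models the vulnerable path: credits the index delta with no binding check."""
    delta = (spool.index - account.index) * account.stakes // SCALE
    account.points += delta
    account.index = spool.index
    return delta


def update_points_checked(spool: Spool, account: SpoolAccount) -> int:
    """The hardened path: refuse mismatched objects before touching the index."""
    assert_pool_id(spool, account)
    return update_points_unchecked(spool, account)


# Constructed from the figures in the post: deprecated sWETH spool, fresh sSUI account
SWETH_SPOOL = Spool("sWETH", 891_301_263_052_871)


def replay_mismatched_update(checked: bool) -> int:
    """Points credited to a fresh sSUI account when update_points is aimed at the sWETH spool."""
    acct = SpoolAccount("sSUI", stakes=181_779_285, index=1_191_219_615)
    fn = update_points_checked if checked else update_points_unchecked
    try:
        fn(SWETH_SPOOL, acct)
    except PoolMismatch:
        pass  # hardened path: nothing credited
    return acct.points
```

With the check absent the model reproduces the 162,019,889,778,297-point credit exactly; with it present the mismatched call is rejected and the account keeps zero points.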

5. Fund Movement

Following the drain, the attacker routed funds through a series of hop wallets before consolidating into two primary addresses:

Blockaid's team traced the fund movements in real time, identifying the original CEX funding source and the downstream consolidation pattern.


The Response: Real-Time Detection and Coordinated Containment

Blockaid's End User Protection platform automatically flagged an anomalous transaction on Scallop's Spool contracts, confirming the exploit as a smart contract logic bug rather than phishing or a wallet drainer. Blockaid immediately stepped in, standing up a war room and beginning coordination across multiple parties including the Scallop and Sui teams.

Because SUI is the native asset of the Sui network, there is no issuer-level freeze capability built into the token itself. Containing the funds required action at the network level. Blockaid worked directly with Mysten Labs to request a freeze on the primary attacker address 0x861284f9839a0334f8bbdbc4d9b254769ca74a5139636de9785ab2b7814dca9c, which was actioned.

In parallel, Blockaid's Onchain Monitoring platform identified that the same missing validation existed in additional Spool contracts beyond the one that was drained. Working with Scallop, the team coordinated an emergency pause of the vulnerable contracts, protecting assets in additional reward pools before they could be drained. Blockaid's analysis also scanned the broader Scallop package ecosystem to surface any other contracts carrying the same vulnerability pattern, delivering findings to the Scallop and Mysten teams to inform their remediation decisions.

The result: approximately $46K in additional funds was protected from further exploitation.


Blockaid's Sui Partnership and Chain Support

Blockaid partnered with the Sui Foundation to strengthen ecosystem security and user protection on Sui. That partnership brings end-user protection to Sui wallets, detection and response capabilities for smart contract exploits and offchain threats, and threat intelligence research to track actors targeting the Sui ecosystem.

Scallop's relationship with Blockaid is a direct extension of that broader partnership. When this incident occurred, the infrastructure for detection, response coordination, and communication with Mysten Labs was already in place, which is why the team was able to move from first alert to active war room quickly.

Beyond Sui, Blockaid supports 50+ blockchain ecosystems through its product portfolio, including End User Protection, Onchain Monitoring, Crypto Fraud Prevention, and Cosigner. Those capabilities span wallets, exchanges, protocols, and chain infrastructure, giving Blockaid the cross-ecosystem visibility needed to detect threats early and coordinate responses across the ecosystem.


How Real-Time Onchain Monitoring Enables Rapid Containment

Blockaid's Onchain Monitoring caught this exploit fast and the coordinated response saved ~$46K that would otherwise have been drained. But it is worth being direct about the limits of post-execution detection: the initial 150,098 SUI was gone before the first alert fired. Monitoring is a critical layer, but it is not the only one.

The exploit that hit Scallop's rewards pool is a category of vulnerability, a reward accumulator initialization bug, that is identifiable at the transaction level before it executes. A transaction that deposits 0.2 SUI and withdraws 150,098 SUI from a shared pool in a single PTB, with the intermediate step of accruing 162 trillion reward points against an unrelated spool index, is not a normal transaction. It is deeply anomalous, and that anomaly is simulatable.

This is where pre-execution transaction simulation, the kind built into Blockaid's Onchain Monitoring platform for protocol-level coverage, becomes the preventive layer. Had Scallop's contracts been configured with a simulation and alerting policy that flagged reward redemptions exceeding a defined threshold relative to staked balance, or that flagged update_points calls pairing mismatched spool and account objects, the transaction could have been caught and blocked before it landed on-chain.
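The two policy conditions described above, expressed as an added Python check over simulated transaction summaries. This is illustrative code written for this post, not Blockaid's policy engine: the PTB record shape, the object-to-pool registry, the 10x reward-to-stake threshold and the sample transactions are all constructed.

```python
from dataclasses import dataclass


@dataclass
class Call:
    function: str  # e.g. "update_points" or "redeem_rewards"
    spool: str     # object id passed as the spool argument
    account: str   # object id passed as the SpoolAccount argument


@dataclass
class SimulatedPtb:
    sender: str
    calls: list
    sui_out: float  # SUI the simulation shows leaving the rewards pool to the sender


# Constructed registry: which pool each object belongs to, and staked SUI per account
SPOOL_POOL = {"spool-ssui": "sSUI", "spool-sweth": "sWETH"}
ACCOUNT_POOL = {"acct-attacker": "sSUI", "acct-normal": "sSUI"}
ACCOUNT_STAKE = {"acct-attacker": 0.2, "acct-normal": 5_000.0}

MAX_REWARD_TO_STAKE_RATIO = 10.0  # hypothetical threshold a protocol would tune


def evaluate_policy(ptb: SimulatedPtb) -> list:
    """Returns the policy findings for one simulated PTB; empty means allow."""
    findings = []
    for c in ptb.calls:
        # Rule 1: update_points must pair a spool with an account bound to that spool
        if c.function == "update_points":
            spool_pool, acct_pool = SPOOL_POOL.get(c.spool), ACCOUNT_POOL.get(c.account)
            if spool_pool != acct_pool:
                findings.append(f"update_points pairs {spool_pool} spool with {acct_pool} account")
        # Rule 2: a redemption far above the account's staked balance is anomalous
        if c.function == "redeem_rewards":
            stake = ACCOUNT_STAKE.get(c.account, 0.0)
            if ptb.sui_out > MAX_REWARD_TO_STAKE_RATIO * stake:
                findings.append(f"redeems {ptb.sui_out} SUI against {stake} SUI staked")
    return findings


def should_block(ptb: SimulatedPtb) -> bool:
    return bool(evaluate_policy(ptb))


# Constructed samples shaped like the exploit PTB and like an ordinary claim
EXPLOIT_PTB = SimulatedPtb("0xattacker", [Call("update_points", "spool-sweth", "acct-attacker"),
                                          Call("redeem_rewards", "spool-ssui", "acct-attacker")], 150_098.06)
NORMAL_PTB = SimulatedPtb("0xuser", [Call("update_points", "spool-ssui", "acct-normal"),
                                     Call("redeem_rewards", "spool-ssui", "acct-normal")], 12.5)
```

Both rules fire on the exploit-shaped PTB, while the ordinary claim passes cleanly; either rule alone would have been enough to hold the transaction for review.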

The lesson here is the same one that has come up across every major DeFi exploit of the past year: detection after execution is necessary, but insufficient on its own. The protocols that come through incidents intact are the ones that have layered monitoring at both the pre and post-execution level, with clear escalation paths to their chain partners when containment requires network-level action.


Conclusion

Smart contract security on Move-based chains like Sui is often framed as a solved problem. Move's type system and object model eliminate entire categories of vulnerabilities that have historically plagued EVM-based protocols. That framing is partially right. But as this incident shows, the attack surface in DeFi reward logic does not live in memory safety or reentrancy. It lives in the business logic: the assumptions a protocol makes about which objects can be paired with which, and whether those assumptions are enforced on every code path.

The Scallop sSUI Spool exploit was a single missing assertion. One line of validation absent from one function, while present in every other function in the same module. It cost 150,098 SUI. Blockaid's real-time detection and coordinated response with Mysten Labs and Scallop contained the damage and protected an additional ~$46K from being drained.

Sui is a high-growth ecosystem with meaningful DeFi TVL, institutional adoption, and a security infrastructure that is now battle-tested. This incident demonstrated that the detection and response infrastructure built through the Sui Foundation and Blockaid partnership works under live conditions. The next step is ensuring that more protocols within the ecosystem are operating with pre-execution monitoring in place, so that the first line of defense is stopping exploits before they execute, not just containing them after.


About Blockaid

Blockaid is the onchain security platform trusted by the largest companies operating in Web3. Built by veterans of elite intelligence and cybersecurity units, Blockaid provides end-to-end protection for financial institutions, protocols, and end users, combining direct wallet and dApp integrations with real-time monitoring, detection, and response across smart contracts, infrastructure, and externally owned accounts. Since 2025, Blockaid has scanned over 6.3 billion transactions and blocked over 585 million attacks. Blockaid is the security infrastructure behind Coinbase, MetaMask, Uniswap, Safe, and dozens of the most widely used platforms in the industry.

Learn more at blockaid.io, and follow us on Twitter and LinkedIn.
