
How Scallop Secures its Lending Protocol with Blockaid's Onchain Monitoring


About Scallop

Scallop is one of the largest DeFi lending protocols on Sui, managing pools across 23 assets with approximately $130M in TVL. The protocol supports thousands of users borrowing, repaying, and earning yield in real-time, with a small core team of engineers responsible for keeping every pool, oracle feed, and privileged function safe.


The challenges

Before engaging Blockaid in October 2025, Scallop's security monitoring relied almost entirely on Telegram alerts fired from internal scripts. Detection was home-grown. Onchain response was manual. And threat surface coverage was limited.

On its path to scaling across 23 assets and nine-figure TVL, the engineering team recognized three structural problems:

First, the threat surface would expand faster than the team could manually cover. A DeFi lending protocol is attacked through oracle manipulation, flash-loan abuse, unauthorized admin access, and insider threats, each requiring distinct detection logic. A single missed vector can drain a pool in one block.

Second, the team had limited in-house cybersecurity expertise. The challenge was knowing which attack patterns to watch for and what thresholds to set. Without that expertise, any monitoring system Scallop built in-house would be a guess at its own threat model.

Third, nearly every available security tool was designed EVM-first. Sui's object model, dynamic fields, and Programmable Transaction Block architecture are structurally different. Tools built on EVM assumptions could not see inside Scallop's protocol with the fidelity needed to detect, let alone automatically respond to, a live exploit on Sui.


The consequences

Closing these gaps with an automated in-house solution was estimated to take 9+ months of work for a team of 3-5 engineers, at a direct cost of $250,000, and would have pulled strategic development focus away from scaling the protocol. Every moment without a solution also put Scallop's reputation and TVL at risk.

  1. Establishing a baseline security framework, then setting up and testing the infrastructure, would consume the engineering team’s capacity for 3 months.
  2. Iterating, tuning and maintaining infrastructure would require an additional 3-5 engineers full time for 6 months. 
  3. Without automated security monitoring, detection and response, Scallop would have $130M+ uninsured against any attack, damaging trust with users and impacting its ability to scale. 

What Scallop needed from a solution

Scallop evaluated multiple vendors against a specific set of capabilities. A viable solution needed to deliver:

  1. Native Sui fluency: Detection had to operate directly on Sui's object model, dynamic fields, and Programmable Transaction Blocks, not a retrofitted EVM abstraction that loses fidelity on Move-based protocols. Most competing platforms could not monitor Sui with the depth Scallop required.
  2. Granular, configurable detection logic: Engineers needed the ability to define custom monitors at a fine grain, e.g., a conversion-rate spike of >5% within a 15-minute window, or a single-transaction outflow exceeding 5M units. Rigid, template-driven products could not express the specific behaviors Scallop cared about.
  3. Automated onchain response: The ability to programmatically execute a Move call to pause the protocol the moment a high-confidence threat was detected, removing the human-in-the-loop dependency that made MTTR unpredictable.
  4. Coverage across three threat categories: Financial manipulation (oracles, flash loans, pool health), operational and insider threat (privileged function misuse, unauthorized registry changes), and behavioral anomalies that don't match any predefined rule.
  5. A security partnership that filled the in-house expertise gap: Given the team's limited expertise with attack patterns and thresholds, Scallop needed a vendor that would co-develop detection logic, not hand over a dashboard and walk away. Blockaid's in-house security team and its analysis of 180+ historical DeFi incidents closed this gap directly.
  6. An AI-agent integration path (MCP): Blockaid's MCP connector allowed Scallop's team to rapidly deploy and refine monitors with AI agents. This was considered "game-changing" for the speed at which detection logic could evolve.

Blockaid was selected as the only vendor meeting all six criteria for a Sui-native lending protocol of Scallop's scale.


The solution Blockaid delivered

Blockaid partnered closely with Scallop, drawing on analysis of 180+ historical DeFi incidents, to build a monitoring system purpose-built for Scallop's threat model on Sui. The engagement ran from onboarding in October 2025, through requirements and roadmap sessions in November, technical kickoff and integration in January 2026, and go-live across all 23 assets shortly after, with weekly syncs continuing through the current steady state.

  1. Financial manipulation detection: Cross-oracle comparison against an independent price feed, large borrow and flash-loan threshold monitoring, pool reserve and TVL integrity checks, sCoin peg stability tracking, and conversion-rate spike detection (e.g., >5% movement within a 15-minute window), catching weaponization of valid protocol mechanics in real time.
  2. Operational and insider threat monitoring: Caller authorization checks on every privileged function, driven by a Scallop-maintained registry of package IDs, function signatures, and expected caller addresses. Risk parameter sanity checks against safe thresholds. Detection of unauthorized oracle registry modifications. This is the category most platforms do not cover and the one that protects against compromised keys and rogue insiders.
  3. Behavioral anomaly detection: Blockaid's ML layer analyzes onchain behavior across all categories, surfacing threats that don't match any known rule. Blockaid's in-house security engineers review signals and reach out directly when something looks materially wrong, turning the product into an extension of Scallop's security team rather than a tool it has to operate alone.
  4. Automated incident response: Move-call execution is integrated into the platform, allowing Scallop to automatically pause the protocol the moment a high-confidence threat is detected, for example, an outflow of more than 5M units in under 5 minutes. Severity-tiered alerts route through Telegram and PagerDuty with escalation to Nathan, Donnie, and Chris.
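
The rule shapes described above (a >5% conversion-rate move within 15 minutes, more than 5M units of outflow in under 5 minutes, and caller checks against a registry of package IDs, functions and expected callers) can be sketched as a small event-driven monitor. This is an added illustration, not Blockaid's or Scallop's code; the event tuples, registry contents, addresses and alert names are assumptions.

```python
from collections import deque

RATE_SPIKE, RATE_WINDOW_S = 0.05, 15 * 60            # >5% move within 15 minutes
OUTFLOW_LIMIT, OUTFLOW_WINDOW_S = 5_000_000, 5 * 60  # >5M units in under 5 minutes
# Hypothetical registry: (package ID, function) -> expected caller addresses.
REGISTRY = {("0xPKG", "admin::update_risk_params"): {"0xADMIN"}}

class PoolMonitor:
    def __init__(self):
        self.rates, self.outflows = deque(), deque()  # (timestamp, value) samples

    def on_rate(self, ts, rate):
        # Compare with every sample in the window so a stepwise drift still trips.
        while self.rates and ts - self.rates[0][0] > RATE_WINDOW_S:
            self.rates.popleft()
        moved = any(abs(rate - old) / old > RATE_SPIKE for _, old in self.rates)
        self.rates.append((ts, rate))
        return ["rate_spike"] if moved else []

    def on_outflow(self, ts, amount):
        # Sum the window so a drain split across transactions is still caught.
        while self.outflows and ts - self.outflows[0][0] >= OUTFLOW_WINDOW_S:
            self.outflows.popleft()
        self.outflows.append((ts, amount))
        total = sum(a for _, a in self.outflows)
        return ["outflow_limit"] if total > OUTFLOW_LIMIT else []

def check_caller(package, function, sender):
    allowed = REGISTRY.get((package, function))  # None: function is not privileged
    return [] if allowed is None or sender in allowed else ["unauthorized_caller"]

def run(events):
    mon, alerts = PoolMonitor(), []
    handlers = {"rate": mon.on_rate, "outflow": mon.on_outflow}
    for ts, kind, data in events:
        # "call" data is (package, function, sender) of a privileged invocation.
        hits = check_caller(*data) if kind == "call" else handlers[kind](ts, data)
        alerts += [(ts, h) for h in hits]
    return alerts  # an automated pause would be keyed off "outflow_limit"

# Constructed sample events (not real chain data): (timestamp, kind, data).
EVENTS = [
    (0, "rate", 1.00), (300, "rate", 1.03), (600, "rate", 1.06),
    (700, "outflow", 2_000_000), (800, "outflow", 2_000_000), (900, "outflow", 2_000_000),
    (950, "call", ("0xPKG", "admin::update_risk_params", "0xEVE")),
    (960, "call", ("0xPKG", "admin::update_risk_params", "0xADMIN")),
]
print(run(EVENTS))
```
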

Outcomes

Since implementation in Q1 2026, Scallop has achieved:

  • MTTD under 1 minute from any anomalous onchain event
  • MTTR of ~1 minute from alert to automated on-chain containment via Move call
  • $250k+ direct engineering cost avoided with additional opportunity costs avoided in maintaining in-house focus on protocol development rather than security expertise
  • $130M+ TVL under continuous, full-stack monitoring, with financial, operational, and behavioral threat surfaces covered 24/7, with no coverage gaps.
  • Full insider-threat coverage across all privileged functions, a category with effectively zero coverage under the prior state, now continuously monitored via caller-authorization checks on every sensitive call.
  • The engineering team is no longer the first line of alert triage, with monitoring, pattern identification, and threshold tuning co-developed with Blockaid's security engineers, freeing capacity to focus on protocol development.

Real-world proof

On April 26, 2026, a smart contract logic flaw in Scallop's spool reward distributor allowed a new account to claim the entire historical reward balance of the pool in one transaction. ~$143k was drained. Blockaid’s security research team detected and alerted Scallop and Sui in real-time and Scallop froze the protocol in a minute, preventing an additional ~$46K in losses.

For in-depth coverage of the incident, read more on Blockaid’s blog

In the customer's words

“Blockaid’s collaboration model is one of the strongest aspects of our entire platform evaluation. Blockaid not only proactively studied our protocol logic, but also provided engineering-level insights and helped us prepare production-quality monitoring logic.” – Peter Lin, Lead Smart Contract Engineer, Scallop

“Blockaid helped us secure our users’ funds by providing immediate alerts and responding quickly. Their support throughout our April 2026 security incident was very helpful, and the team kept us updated regularly. A best-in-class monitoring system for Sui.” – Nathan Ramil, co-founder and CEO, Scallop

Why this matters

Securing a DeFi lending protocol on Sui requires detection across every surface an attacker can exploit, financial, operational, and behavioral, built natively for how Sui actually works, configurable to the protocol's specific rules, and paired with the security expertise a small in-house team cannot replicate alone. Blockaid delivered all four, closed the coverage gap that left $130M in TVL exposed, and caught a live insider-threat incident in production that a Telegram-alert baseline would have missed.

