The old door was still unlocked
On April 26, 2026, someone found a contract Scallop DeFi had stopped using two years ago and walked through it like a door left open in an empty building. The money was gone in minutes. The auditors had looked at everything except the thing that mattered.
The contract was published in November 2023 and nobody had thought about it in over a year.
That is not unusual in DeFi. Protocols upgrade. Old versions get superseded. The team moves to V3, then V4, and the earlier code just sits there on the blockchain, unchanged and no longer called by the protocol itself, but still technically reachable by anyone who knows where to look. On the Sui Network, smart contract packages are immutable. That means once a package is deployed, it cannot be deleted or modified. It can only be superseded. The old door stays in the wall. The team just stops using it.
The Scallop team stopped using their V2 rewards contract sometime after November 2023. They had moved forward. The contract had not.
On the morning of April 26, 2026, someone found that door.
PART ONE: WHAT A DEPRECATED CONTRACT IS AND WHY IT MATTERS
A smart contract is code that lives on a blockchain and executes automatically when certain conditions are met. Think of it as a vending machine bolted to a wall. You put money in, you press a button, the machine gives you what it promised. The machine does not care who you are. It does not check your credentials. It checks whether you met the conditions written into it.
Scallop DeFi is a money market protocol on the Sui blockchain. A money market is a place where people can deposit digital assets to earn interest, or borrow digital assets by putting up collateral. It is similar in structure to a savings account or a lending window at a bank, but it runs entirely on code. No loan officer. No branch manager. The code decides.
Scallop had audited its code. Two firms, OtterSec and MoveBit, had reviewed the protocol. It had passed a full Sui Foundation audit in February 2025. On its website, Scallop described itself as offering "institutional-grade security." It had received a grant from the Sui Foundation. It had raised $3 million in a strategic investment round in early 2024. It was, by the measures the industry uses to signal seriousness, a serious project.
What none of those audits appear to have caught was the V2 rewards contract.
Specifically, they appear to have missed a variable called "last_index."
In a staking rewards system, the protocol needs to track how long each user has been staking, so it can calculate how much reward they have earned. The "last_index" counter is how the V2 contract did that tracking. When you staked your tokens, the contract was supposed to record the current index value at the moment you arrived, and use that as your starting point. When you later claimed your rewards, the contract would calculate the difference between the current index and your starting index and pay you accordingly.
The problem was that in the V2 contract, the "last_index" counter had never been initialized. That means it defaulted to zero. And if your starting point is zero, the contract calculates as if you have been staking since the very beginning of the rewards period.
The attacker on April 26 found a contract that still existed, that could still be called, that still had access to a rewards pool, and that contained a counter that had been sitting at zero for twenty months. They called the contract. The contract did the math it was built to do. It paid out what the math said they were owed.
The math said they were owed 150,000 SUI.
At the time, that was worth approximately $142,000.
The contract paid it.
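To make the counter flaw concrete, here is a small model of index-based staking rewards, the common pattern the article describes, with the correct path (snapshot the index on arrival) beside the flawed one (last_index left at zero). This is an added illustration, not Scallop's code; the names, amounts, fixed-point scale and the `solvent` invariant are constructed.

```python
"""Index-based staking rewards and an uninitialized last_index (constructed
illustration of the mechanism the article describes, not Scallop's code)."""
from dataclasses import dataclass, field

SCALE = 10**9  # fixed-point scale for the cumulative index (constructed)

@dataclass
class Position:
    staked: int
    last_index: int  # index snapshot at stake time; the flaw left it at 0

@dataclass
class Spool:
    """Rewards pool: `index` is cumulative reward per staked unit, scaled."""
    index: int = 0
    total_staked: int = 0
    funded: int = 0  # rewards actually paid into the pool so far
    positions: dict = field(default_factory=dict)

    def accrue(self, reward: int) -> None:
        """Fund `reward` and spread it over current stakers via the index."""
        self.funded += reward
        if self.total_staked:
            self.index += reward * SCALE // self.total_staked

    def stake(self, user: str, amount: int, init_index: bool = True) -> None:
        # Correct path snapshots the current index; the flawed path leaves
        # last_index at 0, so the position looks staked since genesis.
        self.positions[user] = Position(amount, self.index if init_index else 0)
        self.total_staked += amount

    def owed(self, user: str) -> int:
        p = self.positions[user]
        return p.staked * (self.index - p.last_index) // SCALE

    def solvent(self) -> bool:
        """Invariant a monitor can check: total claims never exceed funding."""
        return sum(self.owed(u) for u in self.positions) <= self.funded

def simulate(init_index: bool) -> dict:
    """Early staker, then a newcomer; compare correct vs. flawed accounting."""
    pool = Spool()
    pool.stake("alice", 1000)            # present since genesis
    pool.accrue(500)                     # rewards before the newcomer arrives
    pool.stake("newcomer", 1000, init_index)
    pool.accrue(200)                     # rewards after the newcomer arrives
    return {"alice": pool.owed("alice"), "newcomer": pool.owed("newcomer"),
            "funded": pool.funded, "solvent": pool.solvent()}
```

With the index snapshot, the newcomer is owed only what accrued after arrival and the pool stays solvent; with last_index at zero, the same position claims everything since genesis, and the `solvent` check fails, which is the kind of invariant a monitor over deprecated packages could have flagged.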
PART TWO: THE MORNING OF APRIL 26
If you had SUI tokens staked in Scallop's sSUI pool on the morning of April 26, 2026, you woke up to something that felt like background noise at first.
A notification. A protocol announcement. The kind of update that usually means a new feature or a partnership or a governance vote. The kind of thing you swipe past.
This one said the sSUI spool had been frozen.
The word "spool" refers to the rewards distribution mechanism. A spool is what Scallop called the contract that tracked staking positions and paid out rewards. The sSUI spool was specifically the rewards contract for staked SUI tokens. When it was frozen, your rewards stopped accumulating. Your underlying deposit was not touched. Scallop would later confirm that core lending and borrowing pools were unaffected, that user deposits were safe.
But the SCA token, which is Scallop's own governance and utility token, dropped 12% in the hours after the announcement.
A 12% drop is not catastrophic in crypto. It is also not nothing. It is the market pricing in the possibility that something is more wrong than the team is saying. It is the market doing the thing markets do, which is moving before the full picture is clear.
Scallop posted to X at 9:50 AM Brasília time. The announcement was honest and fast. By 11:42 AM, less than two hours later, core operations had resumed. By the end of the day, the team had pledged to cover 100% of the losses from its own treasury.
Two hours from first post to resumed operations is not a slow response. In the context of April 2026, it was almost unusually clean.
That context matters. A lot.
PART THREE: APRIL 2026, WHICH WAS NOT A NORMAL MONTH
Scallop's exploit happened on a Saturday. By that Saturday, the month of April 2026 had already consumed more than half a billion dollars in DeFi losses.
April 1: Drift Protocol on Solana lost $285 million.
April 18: Kelp DAO on Ethereum lost $292 million. That one triggered a liquidity crisis on Aave, a much larger lending protocol. Within 48 hours, $8.45 billion in deposits had been withdrawn from Aave alone. Total value locked across all DeFi protocols dropped by more than $13 billion in that same window.
Earlier in April, Volo Protocol on Sui, the same blockchain as Scallop, had lost approximately $3.5 million in an exploit that also targeted auxiliary contracts rather than core lending pools.
On April 29, three days after the Scallop incident, Aftermath Protocol confirmed losses of approximately $1.14 million from an exploit affecting its perpetuals product.
By April 26, total DeFi losses for the month were reported at more than $606 million, with some estimates placing the number closer to $800 million depending on how certain incidents were categorized.
Trading volumes across DeFi dropped 18% in April. Insurance premiums for DeFi coverage rose 25%.
The Scallop loss of $142,000 is not large by these numbers. Placed next to Drift and Kelp, it is a rounding error. But the month of April 2026 is not a story about individual numbers. It is a story about a pattern. And the Scallop incident is a particular piece of that pattern, because its root cause was not a sophisticated attack. It was not a bridge vulnerability or an oracle manipulation or an access control failure at the protocol's core.
It was a door nobody closed.
PART FOUR: THE MACHINE THAT AUDITS DO NOT AUDIT
Here is the part that will not land easily if you have spent money on the premise that audits mean safety.
Scallop had been audited. Multiple times. By credible firms. The Sui Foundation had reviewed its code in February 2025. All of that happened. All of that is in the public record.
The V2 rewards contract was published in November 2023. It contained a flaw in a counter variable that allowed any caller to claim as if they had been staking since the beginning of time.
Whether the audits reviewed the V2 contract, or whether they focused only on the then-current production contracts, is described by Scallop as "under investigation." That phrasing is honest. It is also a quiet acknowledgment that audits have edges, and that the edges are exactly where the attacks find the opening.
In DeFi, a protocol does not get to delete its old code. It can stop using the code. It can build new code. But the old packages remain on the blockchain, immutable, until the protocol explicitly freezes or restricts access to them. If the developers do not think to do that, or do not know they need to, or assume that because the code is deprecated it is therefore harmless, the code sits there.
The Sui blockchain's immutability is a feature, not a bug. It means the code you deployed is the code that runs, forever, without anyone being able to alter it after the fact. That is supposed to make things more trustworthy. A contract that cannot be changed cannot be secretly changed by a bad actor after deployment. The problem is symmetrical: a contract that cannot be changed also cannot be quietly patched when someone discovers it has a flaw. And if the protocol has moved on to newer versions and is no longer actively monitoring the old ones, the old ones become what analysts are now calling "overlooked attack surfaces."
Nobody monitors the door they forgot they built.
The attacker on April 26 did not need to break in. They just needed to know where to look.
PART FIVE: THE 80 PERCENT OFFER
After the stolen SUI was moved through a mixing service on Sui, the attacker contacted Scallop's team.
The offer, as reported: return 80% of the stolen funds in exchange for a white-hat bounty. A "white-hat" in security language refers to an ethical hacker, someone who finds vulnerabilities and reports them rather than exploiting them fully. The 80% offer is the attacker's attempt to reframe what happened as a service rather than a theft. Keep 20% as a finder's fee. Return the rest. No hard feelings.
This framing is worth sitting with for a moment.
The attacker had already moved the funds through a mixer. A mixer is a service that pools transactions from multiple sources and redistributes them in a way designed to break the chain of traceability on the blockchain. If you want to understand where money went on a blockchain, you follow the transaction record. Mixers are built specifically to make that following harder. The attacker mixed the funds first and made the offer second.
Whether Scallop accepted the offer, or whether any funds were returned, is not confirmed in the available public record as of the date of this writing.
What is confirmed is that Scallop has pledged to cover the full loss from its own treasury. That is a meaningful commitment from a protocol that raised $3 million in early 2024 and has been operating as the first DeFi protocol to receive a Sui Foundation grant. Whether that treasury is sized to absorb this loss without affecting operations is an open question. The number is not large enough to be existential. But in a month where $600 million has already left the ecosystem, every signal matters.
PART SIX: WHAT YOU ARE LOOKING AT WHEN YOU SEE AN AUDIT BADGE
Read this slowly.
An audit is a review of code that was in scope at the time of the audit. It is not a review of code that was later deprecated and forgotten. It is not a living review that updates itself when the protocol changes. It is a snapshot. Someone looked at the code on a specific date and found what they found.
If the protocol later writes new code, the new code may or may not be audited. If the protocol retires old code, the retired code may or may not be reviewed for residual risk. If the protocol upgrades and leaves old packages deployed on an immutable blockchain, those packages remain callable whether anyone is watching them or not.
The audit badge on Scallop's security page listed OtterSec and MoveBit. Those are real firms. The Sui Foundation audit in February 2025 was a real audit. None of that information is false.
What is also true is that a contract published in November 2023 with an uninitialized counter variable remained callable on the Sui blockchain until the morning of April 26, 2026, when someone called it.
The audit badges and the open contract existed at the same time. Both were real. One of them cost Scallop $142,000.
This is not a critique of auditing firms. Audits are necessary. This is a description of what audits are, which is different from what users often believe audits are.
A lock on the front door does not secure a window left open in the basement.
PART SEVEN: THE PATTERN, NAMED PLAINLY
Drift. Kelp. Volo. Scallop. Aftermath.
Five protocols. Five exploits. Thirty days.
$606 million, at minimum, and the month is not finished.
The attacks are not all the same kind. Drift lost $285 million in what may involve different mechanics entirely. Kelp's $292 million loss triggered cascading withdrawals from Aave, a second-order effect that had nothing to do with Kelp's own contracts. Scallop lost $142,000 from a retired rewards contract that was never properly closed.
But the pattern underneath them is consistent: the attack always finds the edge. The place the developers were not watching. The contract they stopped thinking about. The variable they never initialized. The bridge they assumed was secure. The oracle they assumed was fresh.
DeFi is built on the premise that code is law and that code, written correctly, is safer than human institutions. That premise is not wrong. Code is auditable in ways that human judgment is not. A smart contract that is correctly written and correctly audited and correctly monitored is a remarkable thing.
The word that keeps failing is "correctly."
Correctly written. Correctly audited. Correctly monitored. And correctly retired, which means not merely stopped but explicitly closed, access revoked, old packages frozen, every door that was ever built either locked or walled over.
In a month that lost $606 million, the industry demonstrated that it is still learning what "correctly" means.
The Scallop team responded well. They were fast, transparent, and have pledged to make users whole. That matters. It is also not the point.
The point is that the contract was published in November 2023, and it contained an uninitialized counter, and nobody caught it in two and a half years of audits and operations, and on a Saturday morning in April 2026 someone found it in approximately the time it takes to search a deprecated package list on a public blockchain.
The trapdoor was always there. The team just did not know to board it over.
Neither did the auditors.
Neither, until that Saturday morning, did anyone.
- Scallop DeFi | Official X (formerly Twitter) post | April 26, 2026 | Public disclosure of exploit at 9:50 AM Brasília time
- Blockonomi | "Scallop DeFi Exploit Exposes Deprecated Contract Risk Amid April 2026's $606M Loss Streak" | April 2026 | Source article
- Research Brief: Scallop DeFi Exploit and Deprecated Contract Risk | April 30, 2026 | Compiled secondary research citing multiple crypto news sources
- Sui Foundation | Public grant and audit records | February 2025 audit referenced in research brief
- Scallop fundraise record | Q1 2024 | $3M strategic investment round referenced in research brief
- OtterSec and MoveBit | Audit firms referenced in Scallop's public security documentation
- On-chain analytics referenced in research brief confirming attacker called deprecated V2 package and exploited uninitialized last_index counter
- Drift Protocol exploit reporting | April 1, 2026 | $285M loss, Solana
- Kelp DAO exploit reporting | April 18, 2026 | $292M loss, Ethereum, Aave cascading withdrawals
- Volo Protocol exploit reporting | April 2026 | ~$3.5M loss, Sui
- Aftermath Protocol exploit reporting | April 29, 2026 | ~$1.14M loss
- DeFi TVL and market data referenced in research brief | April 2026 | $13B TVL drop, 18% volume decline, 25% insurance premium increase
Editorial Notice
MarkTell is a true crime publication about financial fraud. Some scenes, dialogue, and sequential details are reconstructed from court filings, enforcement actions, news reports, and public records. Where the public record does not provide exact details, editorial reconstruction is used to convey the documented pattern of events. Names of private individuals may be changed to protect identity. All factual claims are sourced to public documents cited in the Evidence Trail above. MarkTell does not provide investment, legal, or financial advice. Nothing published here constitutes a recommendation to buy, sell, or avoid any investment. Allegations described in active cases have not been adjudicated and defendants are presumed innocent until proven guilty. Readers should conduct their own due diligence before making financial decisions.