Jun 3, 2026 · 11:44 PM

Scallop lending protocol loses $142k to flash loan exploit on Sui

A flash loan exploit drained $142,000 from the Scallop lending protocol on Sui on April 26, the latest reminder that even newer chains with strong technical claims remain vulnerable to the same smart contract flaws that plague DeFi.

Elroy Fernandes
· 3 min read · 722 views

The attack follows the standard playbook for lending protocol hacks. The attacker used a flash loan to manipulate Scallop's oracle price feeds, borrow assets at artificially depressed rates, and repay the loan in the same transaction, pocketing the difference. On-chain analysis showed the exploit hit the SUI/USDC pool, with funds routed through Tornado Cash equivalents on Sui. The protocol paused operations immediately after detection and posted an incident report confirming the loss figure. Team lead Kris Lai confirmed the attacker contacted them offering to return 80% of funds for a white-hat bounty, a negotiation that remains ongoing.

April 2026 has been brutal for DeFi. The Kelp DAO rsETH attack earlier in the month cost $67 million, followed by exploits on Mantra Chain ($11m), Lista DAO ($32m), and now Scallop. Total losses top $300 million. Sui, with its object-centric model and parallel execution claims, had positioned itself as a more secure alternative to Ethereum or Solana. TVL hit $1.2 billion this quarter. That growth made it a target. Security does not scale linearly with TVL.

Sui's technical advantages (the Move language's resource safety, the absence of reentrancy risk) did not prevent the oracle manipulation. Flash loans are a core DeFi primitive, but they amplify any oracle weakness. Scallop had audits from OtterSec and MoveBit. Those reviews missed the edge case the attacker exploited. The incident underscores a pattern: protocols add flash loan support to boost utility, but the added complexity creates new attack surfaces. Sui's high throughput made the manipulation cheaper and faster to execute than on slower chains.

The choice of Sui mattered less than the protocol design. Lending markets live or die by oracle reliability. Time-weighted average price feeds, Chainlink integration, and multi-oracle setups are table stakes now. Scallop used a custom oracle. That decision, combined with flash loan integration, proved fatal. Startups evaluating Sui should note that its parallelism helps throughput but does not eliminate shared vulnerabilities like oracle attacks.
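To make the oracle point concrete, here is an added toy model (not Scallop's code, and all numbers are constructed) that compares a lending market reading a raw spot price from a constant-product pool against one reading a time-weighted average with a deviation guard, after a single large swap of the kind a flash loan makes possible within one transaction.

```python
from collections import deque
from statistics import fmean


class ConstantProductPool:
    """Simplified x*y=k pool quoting SUI in USDC. Constructed numbers, not Scallop's."""
    def __init__(self, sui: float, usdc: float) -> None:
        self.sui, self.usdc = sui, usdc

    def spot_price(self) -> float:
        """USDC per SUI read straight from reserves: movable within one transaction."""
        return self.usdc / self.sui

    def sell_sui(self, amount_sui: float) -> float:
        """Swap SUI into the pool and return the USDC paid out."""
        k = self.sui * self.usdc
        self.sui += amount_sui
        usdc_out = self.usdc - k / self.sui
        self.usdc = k / self.sui
        return usdc_out


class TwapOracle:
    """Mean of the last `window` per-block prices plus a deviation guard on live spot."""
    def __init__(self, window: int, max_deviation: float) -> None:
        self.history = deque(maxlen=window)
        self.max_deviation = max_deviation

    def record_block(self, price: float) -> None:
        self.history.append(price)

    def price(self) -> float:
        return fmean(self.history)

    def accept(self, spot: float) -> bool:
        """Reject a spot reading that diverges from the TWAP by more than the guard."""
        return abs(spot - self.price()) / self.price() <= self.max_deviation


def sui_borrowable(collateral_usdc: float, sui_price: float, ltv: float = 0.75) -> float:
    """SUI a borrower can draw against USDC collateral when SUI is valued at sui_price."""
    return collateral_usdc * ltv / sui_price


def compare_oracles() -> dict:
    pool = ConstantProductPool(sui=1_000_000, usdc=3_000_000)  # 3.00 USDC per SUI
    oracle = TwapOracle(window=30, max_deviation=0.05)
    for _ in range(30):  # 30 quiet blocks at the fair price
        oracle.record_block(pool.spot_price())
    pool.sell_sui(500_000)  # one flash-loan-sized sell inside a single transaction
    spot, twap = pool.spot_price(), oracle.price()
    return {"spot_after_swap": spot, "twap": twap, "spot_accepted": oracle.accept(spot),
            "sui_borrowable_spot": sui_borrowable(1_000, spot),
            "sui_borrowable_twap": sui_borrowable(1_000, twap)}
```

With the spot oracle the same 1,000 USDC of collateral lets a borrower draw 562.5 SUI instead of 250, while the TWAP still reads 3.00 and the guard rejects the manipulated spot outright.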

Lessons for DeFi builders

For teams building on Sui or any L1, the exploit reinforces that audits are necessary but insufficient. Formal verification in Move helps, but human reviewers still miss novel interactions. Red team competitions, like those run by Immunefi, catch more than static audits. Scallop's TVL grew 4x in six months. Security scaling lagged. The pattern repeats across chains: growth outpaces hardening.

Investors face a clearer signal. Protocols with $100m+ TVL need battle-tested oracle designs and insurance funds. Uninsured exploits like this one hit token holders hardest. SCA dropped 12% post-exploit. Recovery depends on the white-hat negotiation and protocol fixes. Sui Foundation support helps, but does not replace robust design.

The bigger picture for DeFi is stagnation on core risks. Smart contract bugs remain unsolved after years. Restaking, intents, and AI agents add layers without fixing the base layer. Builders succeed by prioritising simplicity over features. Flash loans enable arbitrage but invite attacks. Weigh that trade-off explicitly. Sui's promise holds, but only if protocols treat security as the constraint, not TVL growth.


Elroy is a digital marketer and developer from Goa, with over a decade of experience in web development and marketing. He has been associated with several startups and currently serves as an editor at Asia Pacific Industrial magazine. He occasionally writes on Startup Fortune about technology and automation.