Four Exploits in Seven Days: The Sui DeFi Security Crisis

A perpetuals protocol, a lending market, a liquid staking platform and a DEX all got drained in rapid succession, exposing a pattern of stale code and fee logic flaws.

Four Sui-based DeFi protocols lost more than $6 million across seven days ending April 29, as attackers exploited deprecated rewards contracts and negative fee settings on the layer-1 blockchain.

Key Takeaways
  • Four Sui protocols lose $6 million in seven days as attackers exploit deprecated rewards contracts and negative fee logic.
  • April industry losses exceed $606 million following breaches at Aftermath Finance, Scallop, and Volo within the Sui DeFi ecosystem.
  • The Sui Network’s immutable contract structure turns stale code into active liabilities for developers who fail to implement version gating.
Days of Exploits Shake the Sui DeFi Ecosystem

The trouble started April 22. Volo, a liquid staking protocol on Sui, suffered a $3.5 million breach targeting three vaults holding Wrapped Bitcoin, Matrixdock Gold, and USDC. The protocol detected the attack quickly, notified the Sui Foundation, and froze affected vaults within hours. Within days, Volo claimed recovery of roughly 90 percent of the funds across multiple recovery actions.

But the breaches kept coming.

On April 26, Scallop, Sui’s largest lending protocol, lost 150,000 SUI, roughly $140,000 at the time. The attacker targeted a deprecated V2 rewards contract published in November 2023. On Sui, deployed packages are immutable. Old contract versions stay callable unless they are explicitly version-gated.

The bug centered on an uninitialized last_index counter. The attacker staked roughly 136,000 sSUI, and the flawed math treated the position as if it had existed since the spool launched in August 2023. That generated around 162 trillion reward points, which redeemed one to one for 150,000 SUI from the rewards pool.

Scallop froze the affected contract within minutes, resumed core operations within two hours, and pledged full reimbursement from its treasury. Core lending pools stayed untouched.

Then came Hop Exchange on April 28. Security monitor Scam Sniffer flagged cross-chain fund movements tied to the incident, though specific details remained limited.

The latest blow landed Wednesday. Aftermath Finance, a perpetuals trading platform accounting for roughly 12% of Sui’s total gas usage, lost $1.14 million USDC across 11 transactions in 36 minutes.

Flawed Fee Logic and Immutable Contracts

The Aftermath exploit did not target core smart contracts. Instead, the attacker exploited a logic flaw where the protocol allowed negative builder code fees to be set. Aftermath had built a system where developers and integrators could earn custom fees on trades routed through their integrations. The attacker abused that feature to artificially inflate synthetic collateral and withdraw excess funds from the protocol’s vaults.
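The fee-parameter problem above, shown as an added example that is not Aftermath's code: a builder fee expressed in basis points is validated at registration time, and the settlement step checks that a fee can only ever reduce the trader's collateral. The fee cap and the simplified settlement model are assumptions; the trade sizes are constructed.

```python
MAX_BUILDER_FEE_BPS = 100  # assumed cap of 1%; the article states no actual bound


class FeeConfigError(ValueError):
    pass


def validate_builder_fee(fee_bps) -> int:
    # Reject anything that is not a bounded, non-negative integer fee.
    if isinstance(fee_bps, bool) or not isinstance(fee_bps, int):
        raise FeeConfigError("fee must be an integer number of basis points")
    if fee_bps < 0:
        raise FeeConfigError("negative fee would credit the trader instead of charging them")
    if fee_bps > MAX_BUILDER_FEE_BPS:
        raise FeeConfigError(f"fee {fee_bps} bps exceeds cap of {MAX_BUILDER_FEE_BPS} bps")
    return fee_bps


def settle_fee(collateral: int, notional: int, fee_bps: int) -> tuple[int, int]:
    # Returns (trader collateral after the fee, amount credited to the builder).
    fee = notional * fee_bps // 10_000
    after = collateral - fee
    # Defence in depth: even if a bad parameter slipped past registration,
    # a fee-only settlement must never leave the trader with more collateral.
    if after > collateral:
        raise RuntimeError("fee settlement increased collateral; aborting")
    return after, fee


def register_and_settle(collateral: int, notional: int, fee_bps) -> tuple[int, int]:
    return settle_fee(collateral, notional, validate_builder_fee(fee_bps))
```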

The team paused the protocol and confirmed the exploit was limited to the Perps product. Swaps, staking and MEV infrastructure remained unaffected.

What the Pattern Reveals

April 2026 already recorded 13 DeFi exploits, pushing total industry losses past $606 million, according to blockchain security tracking. That makes April the worst month since the Bybit incident.

For Sui specifically, the chain saw multiple breaches over the past year. Cetus DEX lost $223 million in May 2025. Nemo Protocol lost $2.4 million in September 2025. Typus Finance suffered a breach in October 2025.

The common thread across this week’s exploits is not core protocol failure but peripheral code. Volo’s breach hit isolated vaults. Scallop’s attacker found an opening in a two-year-old rewards contract. Aftermath’s flaw sat in a fee customization feature meant to incentivize third-party builders.

Blockchain security monitoring firms noted that audits alone do not guarantee safety. Multiple audited protocols suffered significant breaches, including Kelp DAO, which lost $292 million despite passing two separate audits before its breach.

Chain Street’s Take

This is a hygiene problem, not an elite hacking problem. On Sui, old contracts do not get deactivated after upgrades. Immutability is a feature until it becomes a liability. These teams are not getting outsmarted by zero-day hunters. They are losing to logic flaws that should have been caught in basic threat modeling and to deprecated code that should have been version-gated or deactivated.

The rapid recovery from Volo and Scallop shows competence in crisis response. But the frequency of these incidents raises questions about security review standards across the Sui DeFi ecosystem. Until protocols start treating old contracts as active liabilities and stop offering negative fee parameters to unverified builders, the exploit pattern is likely to continue.

Frequently Asked Questions

1. What is the Sui DeFi security crisis?

It is a series of four rapid-fire exploits targeting protocol logic on the Sui blockchain. Attackers drained over $6 million from Volo, Scallop, Aftermath Finance, and Hop Exchange within one week. This trend highlights systemic vulnerabilities in how peripheral smart contracts interact with the main layer-1 network.

2. Why does this matter for the Sui Network?

Frequent security breaches erode institutional trust in the Sui DeFi ecosystem and its underlying infrastructure. Aftermath Finance accounts for 12 percent of total gas usage, meaning its exploit directly impacts the chain's overall economic activity. Investors may migrate capital to more mature ecosystems if these peripheral logic flaws continue to manifest.

3. How did the Aftermath Finance exploit occur?

The attacker manipulated a flawed fee customization feature that permitted negative builder code fees to be set. This oversight allowed the exploiter to artificially inflate synthetic collateral and withdraw $1.14 million USDC from the protocol's vaults. The team successfully paused the Perps product within 36 minutes to prevent further asset depletion.

4. What are the risks of immutable contracts on Sui?

Deployed packages on the Sui blockchain stay callable forever unless developers proactively implement version gating or deactivation logic. The Scallop breach exploited a V2 rewards contract from November 2023 that remained accessible despite being deprecated. This architectural feature forces developers to treat every legacy contract as a potential permanent entry point for hackers.

5. What happens to the affected protocols?

Volo and Scallop have already initiated recovery actions or treasury reimbursements to protect their user bases. The Sui Foundation is currently coordinating with security monitors like Scam Sniffer to improve ecosystem-wide threat modeling. Future protocol launches will likely require stricter audits focused on peripheral logic and fee parameter sanitization.

Alex Reeve

Alex Reeve is a contributing writer for ChainStreet.io. Her articles provide timely insights and analysis across these interconnected industries, including regulatory updates, market trends, token economics, institutional developments, platform innovations, stablecoins, meme coins, policy shifts, and the latest advancements in AI, applications, tools, models, and their broader implications for technology and markets.

The views and opinions expressed by Alex in this article are her own and do not necessarily reflect the official position of ChainStreet.io, its management, editors, or affiliates. This content is provided for informational and educational purposes only and does not constitute financial, investment, legal, or tax advice. Readers should conduct their own research and consult qualified professionals before making any decisions related to digital assets, cryptocurrencies, or financial matters. ChainStreet.io and its contributors are not responsible for any losses incurred from reliance on this information.