Four Sui-based DeFi protocols lost more than $6 million across seven days ending April 29, as attackers exploited deprecated rewards contracts and negative fee settings on the layer-1 blockchain.
- Four Sui protocols lose $6 million in seven days as attackers exploit deprecated rewards contracts and negative fee logic.
- April industry losses exceed $606 million following breaches at Aftermath Finance, Scallop, and Volo within the Sui DeFi ecosystem.
- The Sui Network’s immutable contract structure turns stale code into active liabilities for developers who fail to implement version gating.
Days of Exploits Shake the Sui DeFi Ecosystem
The trouble started April 22. Volo, a liquid staking protocol on Sui, suffered a $3.5 million breach targeting three vaults holding Wrapped Bitcoin, Matrixdock Gold, and USDC. The protocol detected the attack quickly, notified the Sui Foundation, and froze affected vaults within hours. Within days, Volo claimed recovery of roughly 90 percent of the funds across multiple recovery actions.
But the breaches kept coming.
On April 26, Scallop, Sui’s largest lending protocol, lost 150,000 SUI, roughly $140,000 at the time. The attacker targeted a deprecated V2 rewards contract published in November 2023. On Sui, deployed packages are immutable. Old contract versions stay callable unless explicitly version gated.
The bug centered on an uninitialized last_index counter. The attacker staked roughly 136,000 sSUI, and the flawed math treated the position as if it had existed since the spool launched in August 2023. That generated around 162 trillion reward points, which redeemed one to one for 150,000 SUI from the rewards pool.
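The accounting failure described above can be reproduced in a simplified reward-index model. This is an added example, not Scallop's code: the class and function names, the version number, and the index value are constructed assumptions, and only the 136,000 stake figure is taken from the article. It shows the flawed path next to a hardened one that snapshots the index on account creation and rejects calls from deprecated package versions.

```python
from dataclasses import dataclass, field

CURRENT_VERSION = 3  # constructed: the only package version allowed to mutate state


@dataclass
class Account:
    stake: int = 0
    last_index: int = 0  # global index value at this account's last settlement
    points: int = 0


@dataclass
class Spool:
    index: int = 0  # cumulative reward points per staked unit since launch
    accounts: dict = field(default_factory=dict)

    def accrue(self, points_per_unit: int) -> None:
        self.index += points_per_unit  # rewards distributed over time

    def _settle(self, acct: Account) -> None:
        acct.points += acct.stake * (self.index - acct.last_index)
        acct.last_index = self.index

    def stake_flawed(self, user: str, amount: int) -> None:
        acct = self.accounts.setdefault(user, Account())  # last_index stays 0
        acct.stake += amount  # new stake will be credited with all past accrual

    def stake_fixed(self, user: str, amount: int, caller_version: int) -> None:
        if caller_version != CURRENT_VERSION:  # version gate on the entry point
            raise PermissionError("deprecated package version")
        acct = self.accounts.get(user)
        if acct is None:  # snapshot the index so history before entry is excluded
            acct = self.accounts[user] = Account(last_index=self.index)
        self._settle(acct)  # settle at the old stake before changing it
        acct.stake += amount

    def claimable(self, user: str) -> int:
        acct = self.accounts[user]
        self._settle(acct)
        return acct.points


def demo() -> tuple:
    spool = Spool()
    spool.accrue(1_000_000)  # constructed history accrued before the new stakes
    spool.stake_flawed("late_staker", 136_000)
    spool.stake_fixed("honest_staker", 136_000, CURRENT_VERSION)
    return spool.claimable("late_staker"), spool.claimable("honest_staker")
```

In the flawed path the late staker is credited with the entire index history at once, while the fixed path credits nothing until the index moves after the stake is recorded.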
Scallop froze the affected contract within minutes, resumed core operations within two hours, and pledged full reimbursement from its treasury. Core lending pools stayed untouched.
Then came Hop Exchange on April 28. Security monitor Scam Sniffer flagged cross-chain fund movements tied to the incident, though specific details remained limited.
The latest blow landed Wednesday. Aftermath Finance, a perpetuals trading platform accounting for roughly 12% of Sui’s total gas usage, lost $1.14 million USDC across 11 transactions in 36 minutes.
Flawed Fee Logic and Immutable Contracts
The Aftermath exploit did not target core smart contracts. Instead, the attacker exploited a logic flaw where the protocol allowed negative builder code fees to be set. Aftermath had built a system where developers and integrators could earn custom fees on trades routed through their integrations. The attacker abused that feature to artificially inflate synthetic collateral and withdraw excess funds from the protocol’s vaults.
The team paused the protocol and confirmed the exploit was limited to the Perps product. Swaps, staking and MEV infrastructure remained unaffected.
What the Pattern Reveals
April 2026 already recorded 13 DeFi exploits, pushing total industry losses past $606 million, according to blockchain security tracking. That makes April the worst month since the Bybit incident.
For Sui specifically, the chain saw multiple breaches over the past year. Cetus DEX lost $223 million in May 2025. Nemo Protocol lost $2.4 million in September 2025. Typus Finance suffered a breach in October 2025.
The common thread across this week’s exploits is not core protocol failure but peripheral code. Volo’s breach hit isolated vaults. Scallop’s attacker found an opening in a two-year-old rewards contract. Aftermath’s flaw sat in a fee customization feature meant to incentivize third-party builders.
Blockchain security monitoring firms noted that audits alone do not guarantee safety. Multiple audited protocols suffered significant breaches, including Kelp DAO, which lost $292 million despite passing two separate audits before its breach.
Chain Street’s Take
This is a hygiene problem, not an elite hacking problem. On Sui, old contracts do not get deactivated after upgrades. Immutability is a feature until it becomes a liability. These teams are not getting outsmarted by zero-day hunters. They are losing to logic flaws that should have been caught in basic threat modeling and to deprecated code that should have been version-gated or deactivated.
The rapid recovery from Volo and Scallop shows competence in crisis response. But the frequency of these incidents raises questions about security review standards across the Sui DeFi ecosystem. Until protocols start treating old contracts as active liabilities and stop offering negative fee parameters to unverified builders, the exploit pattern is likely to continue.