TLDR:
- Scallop’s $140K loss came from a deprecated rewards contract, not its core lending protocol infrastructure.
- April 2026 has recorded 13 DeFi exploits, pushing total industry losses past $606M, the worst month since Bybit.
- Scallop passed a full Sui Foundation audit in February 2025, yet the deprecated contract remained an open risk.
- Experts recommend spreading funds, avoiding legacy contracts, and withdrawing rewards regularly to reduce exposure.

Scallop, Sui’s largest lending protocol, suffered an exploit on April 26, 2026, resulting in approximately $140,000 in losses. The attack targeted a deprecated rewards contract rather than the core protocol itself. Following the breach, the Scallop team froze affected contracts, identified the vulnerability, and restored operations. User deposits remained unaffected throughout the incident. The event adds to a mounting list of DeFi exploits recorded in April 2026 alone.

Deprecated Contract Becomes the Entry Point for Attackers

The Scallop exploit did not breach the protocol’s main infrastructure. Instead, the attacker found an opening in an old, unused rewards contract. This distinction matters, as it shows how legacy code can become a liability over time. Protocols often retire certain components without fully eliminating them from the network.

SECURITY INCIDENT NOTICE
We have identified an exploit affecting a side contract related to Scallop’s sSUI spool rewards pool, resulting in a loss of approximately 150K SUI.
The affected contract has been frozen. Our core contracts remain safe and only the sSUI rewards pool…
— Scallop (@Scallop_io) April 26, 2026

Scallop had completed a full audit conducted by the Sui Foundation in February 2025. Despite that review, the deprecated contract remained a weak link. Crypto analyst Crypto Patel noted on X that “audited does not mean safe,” pointing to Scallop and Kelp DAO as examples.
Kelp DAO lost $292 million despite passing two separate audits before its breach.

The Scallop team responded quickly by isolating the bug and pausing related contracts. Operations resumed shortly after, with the team confirming no user funds were at risk. The rapid response helped contain the damage to the deprecated component only. Still, the incident drew attention to how old contracts are increasingly being used as attack vectors.

This pattern has become more common across the Sui ecosystem in recent months. Developers and security researchers have begun flagging unused contracts as a growing concern. Protocols that leave deprecated components active without proper deactivation face elevated risk. The Scallop case serves as a practical reference point for that ongoing conversation.

April 2026 Records Worst Month for DeFi Losses Since Bybit

April 2026 has proven to be a difficult month for the broader DeFi sector. Industry losses have crossed $606 million, making it the worst month since the Bybit incident. The Scallop exploit is the 13th recorded DeFi breach this month. That frequency points to a systemic challenge facing decentralized finance platforms.

The Sui network, in particular, has seen repeated incidents over the past year. Cetus DEX lost $223 million in May 2025, followed by Nemo Protocol losing $2.4 million in September 2025. Volo Protocol was hit for $3.5 million on April 22, 2026, just days before the Scallop breach. These incidents reflect a recurring vulnerability pattern across Sui-based protocols.

Risk management has become a pressing topic among DeFi participants. Crypto Patel recommended avoiding deprecated contracts and withdrawing rewards regularly rather than leaving them idle. Spreading funds across multiple protocols instead of concentrating them in one platform also reduces exposure.
Monitoring official protocol announcements before making deposits adds another layer of protection.

The broader DeFi community continues to examine how audit processes can be strengthened. Passing an audit does not guarantee a protocol is free of exploitable code, especially in legacy components. Ongoing security reviews that cover deprecated contracts are becoming a recommended practice. The events of April 2026 are likely to shape how protocols approach contract lifecycle management going forward.

The post Scallop DeFi Exploit Exposes Deprecated Contract Risk Amid April 2026’s $606M Loss Streak appeared first on Blockonomi.