Another DeFi Protocol Hacked as Sui-Based Volo Hit by $3.5M Exploit

Volo’s recent breach illustrates the growing pains of DeFi projects built on newer layer‑1s such as Sui. The protocol, which lets users stake Sui tokens for voloSUI (VSUI) returns, suffered a targeted attack that drained approximately $3.5 million from three vaults. By swiftly freezing roughly $2 million—including a thwarted bridge of 19.6 WBTC, valued at about $590 k—Volo limited the fallout and protected the remaining $28 million locked across its platform. The incident also reveals that the exploit was confined to specific vaults, with no broader code flaw identified, allowing the team to consider covering the loss internally rather than passing it to users.

The Volo hack arrives on the heels of a massive $293 million compromise of Kelp, another Sui‑based liquid‑restaking protocol, signaling a pattern of attacks on this niche of DeFi. Across the sector, more than $17 billion has been siphoned in the past decade, with private‑key breaches, brute‑force attacks, and phishing accounting for the majority of losses. While protocol bugs remain a risk, the data suggests that user‑side security lapses—such as weak key management—are a leading cause, emphasizing the need for robust wallet practices alongside rigorous smart‑contract audits.

For investors and developers, Volo’s response offers a mixed lesson. The decision to absorb the loss may preserve user trust, yet the repeated targeting of liquid‑staking services could dampen enthusiasm for similar products until security standards improve. Industry participants are likely to double down on formal verification, bug‑bounty programs, and cross‑chain monitoring to detect suspicious movements early. As DeFi continues to expand onto emerging chains, the balance between innovation speed and security diligence will determine whether platforms can sustain growth without recurring high‑profile exploits.