Volo Protocol, a Sui-based vault product, confirmed on April 22 that an attacker drained roughly $3.5 million from its contracts. About $500,000 has already been frozen as of this writing, which would imply a recovery rate near 14% if nothing else comes back.
The disclosure landed in the same week that a $292M bridge drain at KelpDAO dragged down Aave's TVL and forced the Arbitrum Security Council to freeze 30,766 ETH. Bitcoin traded at $77,585 (+2.5% over 24h) and ETH at $2,366 (+2.5%) as of April 22, 2026, with the Fear and Greed index sitting at 59 ("Neutral"), meaning the price tape is not flashing panic even as the protocol-side incident queue keeps filling.
What Volo actually does
Volo runs a liquid staking and yield product on Sui. Users deposit SUI or stablecoins into contract-managed vaults, and the protocol handles the validator routing, restaking logic, and reward accounting. The vaults are not custodial in the exchange sense, but depositors still hand permissions to smart contracts that move funds across validators and DeFi venues.
That design pattern is where most of 2026's mid-sized DeFi losses have come from. A deposit looks like self-custody because there is no KYC and no centralized operator holding your keys. In practice, the contract sitting between you and your capital is a single attack surface. If one function is miswritten or one oracle is gamed, the outcome is indistinguishable from a hot wallet getting drained.
$500K frozen is not $500K recovered
The $500,000 figure in Volo's statement is the portion the team has been able to freeze, not the portion users will get back. Freezing typically means the attacker's remaining on-chain balance has been identified on a blockchain where there is a validator set or governance body willing to act, or that the funds were routed into a CEX that has cooperated with the trace.
On Sui specifically, validator-level freezes are possible but politically expensive. On Ethereum, KelpDAO's exploiter is already laundering roughly $80M in ETH through Thorchain, a cross-chain route that sidesteps centralized chokepoints entirely. If Volo's attacker moves the remaining ~$3M through a similar laundering path, the recoverable share could stay pinned near current levels.
The useful question for depositors is not whether $500K has been frozen. It is whether the remaining $3M is sitting somewhere a freeze can reach. Until the protocol publishes wallet addresses and a destination map, that question is open.
Why Sui keeps showing up in incident logs
Sui's TVL and app count have grown fast enough to attract the same attention Solana got in 2023: new primitives, fresh liquidity, thin audit coverage. The chain itself has not had a consensus-layer incident, but the surface area built on top of it is still maturing. Volo is not the first Sui vault product to be hit, and given the pace of new launches, it is unlikely to be the last.
That maturation problem is exactly why custody choices matter. Users who want Sui exposure without smart-contract risk have alternatives. Spending from your own wallet using a non-custodial card keeps the funds under your keys until the moment of authorization. Products integrated with Sui, including RedotPay's recent SUI and USDC-Sui spending support across 100+ countries, let holders spend without routing through a yield vault.
Questions the post-mortem needs to answer
Before depositors redeposit, Volo owes a public write-up on three specific things.
First, the contract function or oracle path that was exploited. Vague phrases like "vulnerability in our vault logic" are not enough. The DeFi community expects a diff of the affected code, the transaction hashes, and a timeline of how the attack was sequenced.
Second, the chain-of-custody on the recovered $500K. If it was frozen on a CEX, name the CEX. If it was intercepted mid-flight by a whitehat, name the whitehat. Opacity at this stage is what historically turns a recoverable incident into a total loss.
Third, the reimbursement plan for the delta. $3M is small enough that the team could, in theory, cover it from treasury or insurance. It is also small enough to write off, which is what happens more often than people like to admit.
Overview
Volo Protocol confirmed a $3.5M exploit on its Sui-based vaults on April 22, with about $500K frozen so far. The remaining $3M is still in play, and the recovery path depends on where the attacker routes the funds next. For anyone parking capital in DeFi vaults, the incident is another data point that smart-contract risk and custodial risk converge when something breaks: the label on the deposit matters less than whether the contract's permissions are auditable and the team's response is public.








