Key Takeaways:

Volo Protocol lost $3.5 million from three Sui-based vaults on April 21, 2026, following a compromised admin private key.
GoPlus Security and ExVul confirmed a privileged operator key breach, not a flaw in Volo’s audited smart contracts.
Volo blocked the attacker’s 19.6 WBTC bridge attempt and is absorbing all losses, with vaults frozen pending post-mortem.

Volo Protocol $3.5M Security Breach: What Happened on the Sui Blockchain

Volo’s team detected the breach quickly. The team froze all vaults, notified the Sui Foundation, and began working with onchain investigators and ecosystem partners to trace and recover the stolen funds.
In a post on X, Volo stated it would absorb the full loss without passing costs to depositors. “Volo is prepared to absorb this loss. We will do our best not to pass this to our users,” the team wrote. A full post-mortem was promised once the investigation concludes.
“We are in damage control mode now, but once that’s done, we will work out a remediation plan, and a full breakdown will be shared shortly,” the team added.
Volo had previously completed audits with OtterSec, MoveBit, and Hacken, and maintained an active bug bounty program at the time of the exploit. All vaults remain frozen. Volo and its partners are actively working to return the blocked WBTC to the protocol. A detailed remediation plan will accompany the forthcoming post-mortem.
Depositors in unaffected vaults have not reported losses. Volo’s team has directed users to the official @volo_sui account on X for real-time updates ahead of the full post-mortem publication.


















