Three Sui Exploits in One Week. So I Built 5 Security Tools to Catch Them.

DEV Community·TxDesk·about 1 month ago

In nine days, three Sui DeFi protocols got hit. Volo lost $3.5M on April 21. Scallop lost $142K on April 26. Aftermath Finance lost $1.14M USDC on April 29. Three different protocols, three different attack patterns, one shared root cause: nobody had a way to check the structural risk before signing.

The three patterns

Scallop: Sui packages don't disappear when you upgrade them. They get superseded — but the old version stays callable on chain forever. Scallop's V2 staking-rewards package from November 2023 sat dormant for 17 months until someone found an uninitialized last_index counter and claimed rewards from a synthetic position that "existed since the spool launched." The frontend pointed at the new version. The on-chain remnants didn't care.

Volo: Not a smart-contract bug. The contracts were audited. The single keypair holding upgrade authority over three vaults got compromised. $3.5M gone in one signing session. The audit didn't matter because the audit assumed the key was safe.…
