Cetus Protocol hack and Sui exploit: The full story behind the $260 million breach

by

$260M Gone?! ๐Ÿ˜ฑ



Cetus Protocol hack and Sui exploit: The full story behind the $260 million breach

What dark machinations, what twisted fate has befallen the Cetus Protocol, leaving a gaping wound of $260 million? Was it merely a digital tremor, or a deliberate act of sabotage against the very foundations of Sui? ๐Ÿค”

The Path We Shall Tread:

Cetus Protocol Hack: A Debacle of $260 Million Unveiled

On the 22nd of May, a day that shall live in infamy, Cetus Protocol (CETUS), the supposed pillar of Sui’s decentralized exchange, was struck by a cataclysmic breach. A sum of $223 million, pilfered, vanished into the digital ether, leaving the DeFi landscape of Sui in disarray. ๐Ÿ˜ญ

Since its vaunted launch in 2023, Cetus, with its lofty promises, became a linchpin of Sui’s infrastructure, a haven for token swaps and yield farming, boasting over 62,000 souls and generating $7.15 million in daily trading fees. Or so they claimed. ๐Ÿ™„

SUI, the native token, once proud, now humbled, plummeted from $4.19 to $3.62 as of the 23rd of May, a near 14% plunge, a testament to the fragility of this digital realm.

SUI Token Price Drop

CETUS, the very namesake, withered from $0.26 to a meager $0.15 in the immediate aftermath, a shadow of its former self. A mere partial recovery to $0.17, a band-aid on a mortal wound.

Tokens across the ecosystem, mere echoes in the grand scheme, reacted with predictable volatility. Memecoins, those fleeting digital butterflies, like LOFI, HIPPO, SQUIRT, SLOVE, and MEMEFI, suffered losses ranging from 51% to 97%. Prices stabilized, perhaps, but investor confidence, shattered, lies in pieces. ๐Ÿ’”

Among the top 15 assets on Cetus, three-quarters of their worth erased. Some, like LBTC and AXOLcoin, plummeted to near zero, a digital graveyard. ๐Ÿ’€

The rot spread further. Sui’s total value locked, once a proud $2.13 billion, dwindled to $1.92 billion, a contraction in mere hours. ๐Ÿ“‰

Let us delve into the abyss, to understand the mechanics of this exploit, the structural flaws laid bare, and the community’s frantic scramble for redemption. ๐Ÿง

Sui Hacker: A Master of Liquidity Drain on Cetus Protocol

The breach commenced in the dead of night, the early hours of May 22. At 3:52 AM PT (11:52 UTC), monitors detected irregularities in the SUI/USDC liquidity pool, initially dismissed as a mere $11 million outflow. How naive! ๐Ÿคฃ

The scope expanded, revealing a total loss of approximately $260 million. A king’s ransom, stolen in the digital night. ๐Ÿ’ฐ

Cetus(@CetusProtocol) on #SUI was hacked and lost more than $260M! The hacker is converting the stolen funds into $USDC and cross-chaining to #Ethereum to exchange for $ETH, with ~60M $USDC already cross-chained.

โ€” Lookonchain (@lookonchain) May 22, 2025

The attack centered on a vulnerability, a chink in the armor of Cetus’s pricing mechanism. A fatal flaw. โš”๏ธ

The oracle, meant to be the guardian of real-time price data, responsible for fair trading, became the entry point for the exploit. Irony, indeed. ๐ŸŽญ

The wallet “0xe28b50,” a digital phantom, deployed spoof tokens, like BULLA, to manipulate pricing curves, distorting reserve balances. Deception, the weapon of choice. ๐Ÿ˜ˆ

These tokens, devoid of real liquidity, were used to skew internal metrics, making SUI and USDC appear undercollateralized. The attacker, a puppeteer, extracted real tokens without contributing proportional value. A grand illusion! ๐ŸŽฉ

Analysts tracked the attacker moving $63 million in USDC from Sui to Ethereum (ETH), a swift exodus in the hours following the exploit. The great escape. ๐Ÿƒโ€โ™‚๏ธ

Conversion data showed $58.3 million swapped for 21,938 ETH, at $2,658 per coin. The pace, $1 million per minute, a coordinated, pre-planned operation. Efficiency in theft. โฑ๏ธ

Cetus initially called it an “oracle bug,” a term that drew scorn. The scale and precision of the exploit, a far cry from a mere “bug.” A blatant underestimation. ๐Ÿ›

Cetus Coin: Exposed in the Sui Exploit

The root of the breach was not a mere line of malicious code, but a structural flaw in pricing and pool logic. The rot was systemic. ๐Ÿฆ 

Cetus used an internal oracle, dependent on concentrated liquidity pool data. The intent, to reduce reliance on external oracles. But in doing so, they birthed new risks. A Faustian bargain. ๐Ÿค

The vulnerability centered on “addLiquidity,” “removeLiquidity,” and “swap” functions, failing to validate inputs when interacting with assets of little value. A critical oversight. ๐Ÿ™ˆ

The attacker exploited this gap by introducing spoof tokens, imitating legitimate assets but lacking liquidity. A mirage in the desert. ๐Ÿœ๏ธ

Introducing these tokens distorted the automated calculations, allowing manipulation of the protocol’s internal accounting. The books were cooked. ๐Ÿ‘จโ€๐Ÿณ

Using these spoofed assets, the attacker provided almost no real liquidity while extracting significant amounts of SUI and USDC. A heist of epic proportions. ๐Ÿฆ

Cybersecurity firms classified the incident as oracle manipulation. The protocol’s internal design, its own undoing. A self-inflicted wound. ๐Ÿค•

The scale of the damage reflected in transaction volumes. Activity on Cetus surged from $320 million to $2.9 billion, funds moved and swapped with alarming speed. A frenzy of greed. ๐Ÿค‘

Move, the programming language used for building on Sui, includes security protections. But the failure occurred above the language layer. A higher-level incompetence. ๐Ÿคฆโ€โ™‚๏ธ

Smart contract execution was not the issue. The contracts performed as instructed. The instructions themselves were the problem. Blind obedience. ๐Ÿค–

Cetus had no filters to ensure only tokens with actual liquidity could influence pricing. No safeguards to reject assets with no market validation. A house built on sand. ๐Ÿ 

No caps were enforced on price deviation, no circuit breakers to pause abnormal activity. A runaway train. ๐Ÿš‚

Once the spoof tokens entered and distorted the pricing engine, the system followed through, enabling the exploit to unfold without resistance. A tragedy foretold. ๐ŸŽญ

Sui Hack Freeze: Decentralization Doubts

Cetus moved quickly to contain the damage, pausing smart contract operations around 4:00 AM PT on May 22. A desperate attempt to stem the bleeding. ๐Ÿฉธ

A public statement followed, acknowledging the incident and pledging a full investigation. As of May 23, no detailed post-mortem has been released. Silence is golden, or perhaps, a sign of guilt? ๐Ÿคซ

The Sui Foundation, in coordination with validators and key partners, blacklisted the attackerโ€™s addresses, freezing approximately $162 million worth of stolen assets on the Sui network. The long arm of the law, or perhaps, the long arm of centralization? ๐Ÿ‘ฎ

Efforts to recover the remaining funds, estimated between $60 million and $98 million, have encountered challenges. The stolen USDC, bridged out of Sui and converted into ETH. A digital diaspora. ๐ŸŒ

To encourage the return of the funds, Cetus extended a $6 million white-hat bounty offer. The proposal targeted the converted ETH, a firm condition: any attempt to launder the assets would void the offer. No response from the attacker. Silence. ๐Ÿ˜ถ

Tracing efforts have involved multiple cybersecurity firms and regulatory bodies. A tangled web of intrigue. ๐Ÿ•ธ๏ธ

The Sui Foundation has also coordinated with agencies including FinCEN and the U.S. Department of Defense. The full force of the state, brought to bear on a digital crime. ๐Ÿ‡บ๐Ÿ‡ธ

Exchange support has been mixed. Binance founder Changpeng Zhao expressed solidarity on X, confirming Binance is assisting with recovery coordination. No technical interventions or account freezes have been publicly confirmed. A carefully worded statement. ๐Ÿ“

The wallet freeze triggered a broader discussion around decentralization. Validators coordinated to block transactions from the attackerโ€™s addresses, freezing over $160 million in assets. A chilling display of power. ๐Ÿฅถ

SUI froze $160M from the Cetus hacker, on-chain, out of over $220M. The $60M gap was bridged to ETH. While this is good in this case, this shows SUI network can freeze your funds on demand. Decentralization is just marketing outside of BTC/ETH.

โ€” Duo Nine โšก YCC (@DU09BTC) May 22, 2025

While effective, the move raised concerns about how much control validators can exercise over network behavior. The specter of censorship. ๐Ÿ‘ป

Critics argue that such coordination challenges the principle of decentralization, suggesting validator-driven censorship is possible. Are networks like Sui truly decentralized, or merely claiming to be? A question that hangs in the air, unanswered. ๐Ÿค”

Read More

2025-05-23 19:02