Cetus, the largest decentralised finance (DeFi) platform on the Sui blockchain, was hacked on 22 May, leading to the loss of over $260 million in digital assets. However, swift action by Sui validators helped freeze a significant portion of the stolen funds.
Major Exploit Hits Sui’s Flagship DEX
The attack on Cetus exploited a vulnerability in its Concentrated Liquidity Market Maker (CLMM) system. The flaw, identified by security firm Dedaub, lay in the “tick account” system—specifically, an arithmetic overflow bug. The overflow caused liquidity withdrawal values to be miscalculated, allowing the attacker to extract more assets than they had contributed.
The hacker initiated the exploit by flash-swapping 10 billion haSUI tokens with maximum slippage and adding minimal liquidity in an extreme tick range. When they withdrew, the overflow error returned an outsized amount of real tokens. The attacker then repaid the flash loan, pocketing the profits.
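The bug class described above, as an added illustration that is not Cetus code and does not reproduce its actual contract logic: a CLMM position-size calculation in Q64.64 fixed point where a silently wrapping multiply under-reports what an enormous liquidity position over an extreme tick range should cost, beside a checked version that aborts on overflow. All function names and the sample inputs are constructed for the example.

```rust
// Added illustration (hypothetical, not the Cetus code): the class of bug the
// article describes, a silently wrapping multiply inside a CLMM position-size
// calculation. Prices are Q64.64 fixed-point square roots, as in v3-style CLMMs.
const Q64_SHIFT: u32 = 64;

/// Token amount that a position of `liquidity` spanning [sqrt_lower, sqrt_upper]
/// represents: liquidity * (sqrt_upper - sqrt_lower) / 2^64.
/// BUGGY (hypothetical): the multiply wraps, so an enormous liquidity over an
/// extreme tick range can be reported as costing almost nothing to deposit.
pub fn amount_b_unchecked(liquidity: u128, sqrt_lower: u128, sqrt_upper: u128) -> u128 {
    let delta = sqrt_upper - sqrt_lower;
    liquidity.wrapping_mul(delta) >> Q64_SHIFT // high bits silently discarded
}

/// Hardened version: every step is checked, so any overflow aborts the
/// operation (None) instead of yielding a wrong, attacker-favourable number.
pub fn amount_b_checked(liquidity: u128, sqrt_lower: u128, sqrt_upper: u128) -> Option<u128> {
    let delta = sqrt_upper.checked_sub(sqrt_lower)?;
    liquidity.checked_mul(delta).map(|p| p >> Q64_SHIFT)
}

fn main() {
    // Constructed inputs: an extreme range (price 1 .. 2^64) and a huge liquidity.
    let sqrt_lower = 1u128 << 64;
    let sqrt_upper = 1u128 << 96;
    let liquidity = (1u128 << 32) + 2;
    // Wrapped result is ~4.29e9 units; the true cost is on the order of 1.8e19.
    println!("unchecked deposit required: {}", amount_b_unchecked(liquidity, sqrt_lower, sqrt_upper));
    println!("checked result: {:?}", amount_b_checked(liquidity, sqrt_lower, sqrt_upper));
    // A normal-range position behaves identically under both paths.
    println!("{} vs {:?}",
             amount_b_unchecked(1000, 1u128 << 64, 2u128 << 64),
             amount_b_checked(1000, 1u128 << 64, 2u128 << 64));
}
```

The defensive takeaway is that fixed-point liquidity math must fail closed: a checked path refuses the position instead of letting a wrapped intermediate value decide how much a depositor owes.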
Fake tokens such as BULLA were also used to distort price feeds, enabling further manipulation of pools like SUI/USDC. Several tokens, including HIPPO and LOFI, saw prices crash by up to 80% due to liquidity draining.
Breakdown of the Attack
The hack led to significant losses across various tokens:
12.9 million SUI (worth approximately $54 million)
$60 million in USDC
$4.9 million in Haedal Staked SUI
$19.5 million in TOILET
Other assets suffered steep declines, shaking investor confidence in Sui’s growing DeFi space. The exploit was halted at 3:52 AM PT after the Sui team paused the smart contract to prevent further damage.
Swift Response and Fund Recovery
Post-hack, the attacker attempted to launder the funds by bridging USDC to Ethereum in $1 million batches, including through Tornado Cash. However, validators on the Sui network moved quickly to freeze around $162 million worth of stolen assets.
Cetus patched the vulnerability soon after the breach and resumed trading. The platform is now working closely with the Sui Foundation and cybersecurity firm Hacken to track and recover remaining funds.
To incentivise the return of stolen assets, Cetus has offered a white hat bounty of up to $6 million. In a blockchain-embedded message, the team proposed that the hacker may retain 2,324 ETH (approximately $6 million) if the rest of the funds—estimated at over $220 million—are returned. They have warned that any further attempts to launder or off-ramp the stolen assets will trigger “full legal and intelligence” action.
Emergency Measures and Centralisation Concerns
In response to the crisis, the Sui team reportedly deployed a special emergency function that allows validators to bypass normal security checks. This move, aimed at recovering stolen funds, has sparked controversy in the crypto community. Critics argue that such actions undermine the decentralised and permissionless nature of blockchain technology.
Solayer Labs engineer Chaofan Shou highlighted GitHub activity suggesting validators were asked to deploy patched code, enabling the recovery of assets via unsigned transactions. While validators have so far refrained from using this function, it has raised questions about the long-term governance of the Sui network.
Market Reaction and the Road Ahead
The hack has had a noticeable impact on market sentiment. SUI, the native token of the Sui blockchain, saw a sharp decline after being rejected at $4.20. It is currently trading at around $3.85, with a 45% surge in daily trading volume to $3.4 billion.
The Cetus exploit marks the largest DeFi hack in Sui’s short history and has cast a shadow over its ambition to rival other next-generation blockchains like Solana. With institutional interest in SUI previously surging, the platform’s response in the coming weeks will be crucial to regaining trust and momentum.