What triggered the $260 million Cetus Protocol hack, and how did the Sui exploit spread into a chain-wide crisis?
Cetus Protocol hack wipes $260M in latest Sui exploit
On May 22, Cetus Protocol (CETUS), the primary decentralized exchange and liquidity provider on the Sui (SUI) blockchain, experienced a major security breach. The exploit drained an estimated $223 million, triggering an immediate disruption in DeFi activity across the Sui ecosystem.
Since its 2023 launch, Cetus has become a core part of Sui’s infrastructure, enabling token swaps and yield farming for more than 62,000 active users and generating over $7.15 million in daily trading fees.
SUI, the native token of the Sui blockchain, fell sharply from $4.19 to $3.62 as of this writing on May 23, a nearly 14% drop within a day.
CETUS, the native token of the affected protocol, declined from $0.26 to $0.15 during the immediate aftermath of the breach. Its current price of $0.17 marks only a partial recovery.
Tokens across the wider ecosystem reacted with similar volatility. Memecoins native to Sui, including LOFI, HIPPO, SQUIRT, SLOVE, and MEMEFI, saw losses ranging from 51% to 97%. Although prices have stabilized since, investor confidence remains shaky.
Among the top 15 assets listed on Cetus, more than 75% of total value was erased. Some tokens, such as LBTC and AXOLcoin, saw their prices collapse to near zero.
The broader impact went beyond token prices. Sui’s total value loced dropped from $2.13 billion to $1.92 billion at the time of writing, reflecting a contraction in a matter of hours.
Let’s understand how the exploit was carried out, what structural flaws it exposed, and how the community is preparing its response.
Sui hacker triggers liquidity drain on Cetus Protocol
The breach targeting the Cetus Protocol began in the early hours of May 22. At 3:52 AM PT (11:52 UTC), blockchain monitors detected irregular movements in the SUI/USDC liquidity pool, initially flagged as a possible $11 million outflow.
Ongoing investigation quickly expanded the scope, revealing that total losses across multiple pools may have ranged around $260 million.
The attack focused on a vulnerability in the smart contract system behind Cetus’s pricing mechanism.
At the core was the protocol’s oracle design, responsible for feeding real-time price data into the platform to enable fair trading across token pairs. In this case, the oracle served as the entry point for the exploit.
The wallet address involved, identified as “0xe28b50,” deployed spoof tokens such as BULLA to manipulate pricing curves and distort reserve balances.
Although these tokens carried little real liquidity, they were used to skew internal pool metrics, making valuable assets like SUI and USDC appear undercollateralized. After destabilizing the pricing logic, the attacker extracted real tokens from the pools without contributing proportional value.
On-chain analysts tracked the attacker moving around $63 million in USDC from Sui to Ethereum (ETH) in the hours following the exploit.
🚨 Cetus Protocol Exploit
As @d0rsky shared, @CetusProtocol liquidity pools were likely drained using a spoof token and near-zero liquidity inputs, exploiting potential miscalculations in pool math.
$63M has already been bridged to Ethereum:https://t.co/sIi1pqlPNl https://t.co/umjoczpsxB pic.twitter.com/HR6YMP7qgj
— Hacken🇺🇦 (@hackenclub) May 22, 2025
Conversion data showed that $58.3 million was swapped for 21,938 ETH at an average rate of $2,658 per coin. The pace of execution, estimated at roughly $1 million per minute, pointed to a coordinated and pre-planned operation.
Cetus initially referred to the issue as an “oracle bug,” a term that drew immediate scrutiny from developers and security experts. The scale and precision of the exploit raised doubts about that framing.
Cetus coin exposed in Sui exploit
The root of the Cetus breach wasn’t a single line of malicious code, but a structural flaw in how the protocol managed pricing and pool logic.
Cetus used an internal oracle system that depended on concentrated liquidity pool data to generate real-time price feeds. The intention was to reduce reliance on external oracles and limit vulnerability to outside manipulation. In doing so, however, the mechanism introduced new risks.
The vulnerability centered on the “addLiquidity,” “removeLiquidity,” and “swap” functions within the smart contracts. These functions were built to calculate token ratios and pool values, but failed to properly validate inputs when interacting with assets that held little or no economic value.
The attacker exploited this gap by introducing spoof tokens such as BULLA, which imitated the structure of legitimate assets but had no real liquidity or pricing history.
Introducing these tokens into the pool distorted the automated calculations that governed how much value could be added or removed, effectively allowing manipulation of the protocol’s internal accounting.
Using these spoofed assets, the attacker provided almost no real liquidity while extracting significant amounts of SUI and USDC at artificially favorable rates.
Cybersecurity firms classified the incident as a textbook example of oracle manipulation, where the protocol’s internal design became its own vulnerability.
The scale of the damage was reflected in transaction volumes. On-chain activity on Cetus surged from $320 million on May 21 to $2.9 billion on May 22, showing how quickly funds were moved and swapped once the exploit began.
Move, the programming language used for building on Sui, includes security protections that guard against low-level threats like reentrancy. In this case, the failure occurred above the language layer.
Smart contract execution was not the issue. The contracts performed exactly as instructed — the real problem was that those instructions were permitted at all.
Cetus had no filters or verification steps to ensure only tokens with actual liquidity could influence pricing. It lacked safeguards to reject assets with no market validation.
No caps were enforced on price deviation during short windows, and no circuit breakers were present to pause abnormal activity once volumes began spiking.
Once the spoof tokens entered and distorted the pricing engine, the rest of the system followed through exactly as designed — ultimately enabling the exploit to unfold without resistance.
Sui hack freeze raises decentralization doubts
Cetus moved quickly to contain the damage once the exploit was identified. Smart contract operations were paused around 4:00 AM PT on May 22 to prevent further outflows from the protocol.
A public statement followed shortly after on the project’s official X account, acknowledging the incident and pledging a full investigation. As of May 23, no detailed post-mortem has been released.
A broader response unfolded across the Sui ecosystem. The Sui Foundation, in coordination with validators and key partners, blacklisted the attacker’s addresses and froze approximately $162 million worth of stolen assets on the Sui network.
🚨ANNOUNCEMENT
As of earlier today, we have confirmed that an attacker has stolen approximately $223M from Cetus Protocol. We have took immediate action to lock our contract preventing further theft of funds.
$162M of the compromised funds have been successfully paused. We are…
— Cetus🐳 (@CetusProtocol) May 22, 2025
Efforts to recover the remaining funds, estimated between $60 million and $98 million, have encountered challenges. Roughly $60 million to $63 million in USDC was bridged out of Sui and converted into 21,938 ETH shortly after the exploit.
To encourage the return of the funds, Cetus has extended a $6 million white-hat bounty offer. The proposal targeted the converted ETH and included a firm condition: any attempt to launder or off-ramp the assets would void the offer. No response from the attacker has been made public as of now.
Tracing efforts have involved multiple cybersecurity firms and regulatory bodies. Inca Digital is leading the negotiation process, with forensic support from Hacken and PeckShield.
The Sui Foundation has also coordinated with agencies including FinCEN and the U.S. Department of Defense to explore additional recovery and legal options.
Exchange support has been mixed. Binance founder Changpeng Zhao expressed solidarity on X and confirmed that Binance is assisting with recovery coordination, although no technical interventions or account freezes have been publicly confirmed.
We are doing what we can to help SUI. Not a pleasant situation. Hope everyone stay SAFU!
— CZ 🔶 BNB (@cz_binance) May 22, 2025
The wallet freeze triggered a broader discussion around decentralization. Several users on X highlighted that Sui validators coordinated to block transactions from the attacker’s addresses, freezing over $160 million in assets.
While effective in this instance, the move raised concerns about how much control validators can exercise over network behavior.
Critics argue that such coordination challenges the principle of decentralization and suggests validator-driven censorship is possible, raising doubts over whether networks like Sui are truly decentralized or only claim to be.
Disclosure: This article does not represent investment advice. The content and materials featured on this page are for educational purposes only.
