On May 22, 2025, Cetus Protocol, the leading decentralized exchange (DEX) and liquidity provider on the Sui blockchain, suffered a major security breach, resulting in the loss of approximately $223 million in digital assets. This incident, one of the largest DeFi hacks of 2025, sent shockwaves through the Sui ecosystem and raised fresh concerns about the security of decentralized finance platforms. Here’s what happened, how it unfolded, and what it means for the crypto community.
What Happened?

The exploit targeted Cetus’ concentrated liquidity market maker (CLMM) pools through a vulnerability in the protocol’s pricing mechanism. The attacker used spoof tokens—fake or low-value assets with manipulated metadata, such as BULLA—to inject minimal liquidity into trading pools. By manipulating the internal accounting of these pools, the hacker distorted price calculations and executed flash swaps to drain valuable assets like SUI and USDC at incorrect exchange rates. Preliminary analyses suggest the vulnerability stemmed from a calculation precision issue in the protocol’s “tick account” system or a flaw in liquidity math, potentially affecting other projects using similar functions.
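One class of "calculation precision" fault in liquidity math is rounding in the depositor's favour. The sketch below is an added example, not Cetus code, and it does not claim to reproduce the actual flaw, which the preliminary analyses above leave open. It uses the generic concentrated-liquidity token-amount formula on Q64.64 square-root prices; all function names and sample values are constructed for illustration.

```python
# Added illustration (not Cetus code): generic CLMM token0 math on Q64.64 sqrt prices.
Q64 = 1 << 64

def mul_div(a, b, d, round_up):
    """a*b/d on exact integers, rounding down or up."""
    q, r = divmod(a * b, d)
    return q + 1 if round_up and r else q

def amount0_for_liquidity(liq, sqrt_a, sqrt_b, round_up):
    """Token0 a provider owes for `liq` liquidity over [sqrt_a, sqrt_b]."""
    if liq <= 0 or not 0 < sqrt_a < sqrt_b:
        raise ValueError("bad liquidity or price range")
    step = mul_div(liq * Q64, sqrt_b - sqrt_a, sqrt_b, round_up)
    return mul_div(step, 1, sqrt_a, round_up)

def liquidity_for_amount0(amount, sqrt_a, sqrt_b):
    """Largest liquidity that `amount` of token0 justifies (rounded down)."""
    return mul_div(amount * sqrt_a, sqrt_b, Q64 * (sqrt_b - sqrt_a), False)

def accounting_ok(liq, charged, sqrt_a, sqrt_b):
    """Invariant: credited liquidity never exceeds what the deposit backs."""
    return liquidity_for_amount0(charged, sqrt_a, sqrt_b) >= liq

def deposit_weak(liq, sqrt_a, sqrt_b):
    # Rounds in the depositor's favour: tiny positions can cost zero tokens.
    return amount0_for_liquidity(liq, sqrt_a, sqrt_b, round_up=False)

def deposit_hardened(liq, sqrt_a, sqrt_b):
    # Rounds in the pool's favour, then re-derives liquidity as a cross-check.
    owed = amount0_for_liquidity(liq, sqrt_a, sqrt_b, round_up=True)
    if owed == 0 or not accounting_ok(liq, owed, sqrt_a, sqrt_b):
        raise ArithmeticError("deposit does not back credited liquidity")
    return owed

# Constructed sample: a narrow range just above sqrt price 1.0.
SQRT_A = Q64
SQRT_B = Q64 + Q64 // 10_000
LIQ = 5_000

if __name__ == "__main__":
    weak = deposit_weak(LIQ, SQRT_A, SQRT_B)
    hard = deposit_hardened(LIQ, SQRT_A, SQRT_B)
    print("weak charge:", weak, "invariant holds:", accounting_ok(LIQ, weak, SQRT_A, SQRT_B))
    print("hardened charge:", hard, "invariant holds:", accounting_ok(LIQ, hard, SQRT_A, SQRT_B))
```

The `accounting_ok` check also works as a standalone monitor: run over recorded add-liquidity events, it flags any position whose credited liquidity is not backed by the tokens actually received.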
On-chain data reveals the attacker siphoned over $260 million at its peak, with approximately $11 million initially drained from the SUI/USDC pool alone. The hacker’s wallet, identified as “0xe28b50,” holds over 12.9 million SUI (valued at ~$54 million), $19.5 million in wrapped USDT, $4.9 million in Haedal Staked SUI (HASUI), and other tokens like TOILET. The attacker moved roughly $60–63 million in USDC to Ethereum, converting it to 21,938 ETH at an average price of $2,658 per ETH.
Immediate Impact on the Sui Ecosystem

The hack triggered widespread disruption across Sui’s DeFi landscape. Liquidity pools were drained, causing token prices to plummet. Sui-based tokens like CETUS, HIPPO, LOFI, SQUIRT, and AXOL dropped by 30–80%, with CETUS itself crashing 33–40% to ~$0.15. The native SUI token fell from $4.19 to $3.62, a 14% decline within hours, though it later stabilized around $3.8. Other Sui-based protocols, like Scallop, Bluefin, and Momentum, temporarily halted operations to protect users, emphasizing that their funds remained secure.
The incident sparked panic among traders and liquidity providers, with many fleeing to other chains. The Sui ecosystem, relatively small compared to Ethereum, saw its reputation tested, as it has historically been a rare target for hackers due to its limited scale.
Response and Recovery Efforts
Cetus acted swiftly, pausing its smart contracts at around 4:00 AM PT on May 22 to prevent further losses. The team issued a statement on X, confirming the incident and promising a detailed post-mortem. Collaborating with the Sui Foundation, validators, and cybersecurity firms like Inca Digital, Hacken, and PeckShield, Cetus froze approximately $162 million of the stolen funds on the Sui network. However, $60–98 million remains unrecovered, with some assets already bridged to Ethereum.
In a bold move, Cetus offered the hacker a $6 million “white hat” bounty to return 20,920 ETH ($56.3 million) and frozen Sui-based assets. If accepted, the hacker could keep 2,324 ETH ($6 million) without facing legal action. The offer is time-sensitive, and any attempt to launder or move the funds further will void it. Cetus is also working with regulators, including FinCEN and the U.S. Department of Defense, to trace the funds and explore legal options. Binance’s Changpeng Zhao expressed support, though no exchange has confirmed freezing the attacker’s accounts.
What Does This Mean for DeFi?
The Cetus hack underscores persistent vulnerabilities in DeFi, particularly in liquidity management and oracle pricing mechanisms. Analysts note that while Cetus had passed recent security audits, complex DeFi logic on newer chains like Sui and Aptos remains a risk. The incident has fueled calls for stricter security measures, including decentralized or manipulation-resistant oracles, real-time price validation, and enhanced audit processes.
The breach also sparked debate about centralization in DeFi. Some, like DeFi enthusiast Cassie, defend Sui’s decision to freeze funds as a necessary user protection measure, comparing it to actions taken by Ethereum and Solana during past exploits. Others argue it highlights weaknesses in Sui’s forensic tools, making it harder to trace transactions compared to more mature ecosystems. Regulatory scrutiny is expected to intensify, with potential new rules around security audits, incident reporting, and user compensation.
Looking Ahead
While the recovery of $162 million is a significant step, the unaccounted $60–98 million and the ecosystem’s shaken confidence pose challenges. Cetus and the Sui Foundation are under pressure to deliver transparent communication, robust security upgrades, and user compensation plans to rebuild trust. Analysts remain cautiously optimistic, suggesting SUI could recover to $5 if most funds are returned, but the incident serves as a stark reminder of DeFi’s risks.
For now, users are advised to monitor official Cetus and Sui channels for updates and exercise caution with DeFi platforms. As the investigation continues, the crypto community watches closely to see how this breach will shape the future of DeFi security on Sui and beyond.