
Sui blockchain’s largest decentralized exchange (DEX), Cetus Protocol, suffered a catastrophic security breach on May 22, 2025, resulting in losses exceeding $220 million. The incident, which exploited vulnerabilities in the platform’s smart contracts, triggered a collapse in Sui-based token prices and raised urgent questions about decentralized finance (DeFi) security.

Exploit Details: Fake Tokens and Flawed Price Mechanisms
The attacker exploited Cetus’ liquidity pools by injecting valueless counterfeit tokens, including BULLA and MOJO, into the system. These tokens manipulated flawed price curves and reserve calculations, enabling the attacker to drain funds as if trading legitimate assets. The breach targeted Cetus’ core infrastructure, with the protocol’s native CETUS token plunging 40% within hours. Other Sui ecosystem tokens, such as Lofi (-76%) and Hippo (-81%), faced even steeper declines.

Reported losses vary across sources, ranging from $220 million to $260 million, reflecting differences in asset valuations and real-time updates. Approximately $63 million of the stolen funds were bridged to Ethereum and converted to USDC.

Recovery Efforts and Validator Intervention
In an unprecedented move, Sui validators froze $160 million of the stolen funds by consensus, effectively halting transactions linked to the attacker’s wallets. The Cetus team confirmed collaboration with the Sui Foundation to recover the remaining $60 million. On-chain data shows the exploiter’s wallet still holds over $37 million in assets, while $53 million in Ethereum-based USDC has been traced to a wallet ending in “AF16”.
Cetus paused all smart contracts immediately after detecting the breach, stating:
“Our smart contract has been paused temporarily for safety. We are working with ecosystem partners to recover funds and will provide updates soon.”

Market Fallout and Ecosystem Impact
The exploit sent shockwaves through Sui’s DeFi ecosystem:
- Total Value Locked (TVL) dropped by $330 million, with Cetus’ own TVL collapsing 84% to $38 million.
- SUI token price fell 15% to $3.81, though it stabilized faster than smaller ecosystem tokens.
- USDC on Sui briefly depegged to $0 as liquidity evaporated.
The incident also sparked debates about Sui’s decentralization, as validators’ ability to freeze funds drew comparisons to centralized finance.

Broader Implications for Sui and DeFi Security
The hack underscores persistent vulnerabilities in DeFi protocols, particularly around oracle pricing and smart contract audits. Cetus’ breach marks the largest DeFi exploit of 2025, following a $1.4 billion hack on Bybit earlier in the year.
Sui’s response highlights its hybrid approach to security, blending decentralized validation with rapid intervention—a model that may face scrutiny as regulators increase focus on crypto infrastructure.
Cetus and Sui Foundation have pledged a full post-mortem report, with recovery efforts ongoing. The incident serves as a stark reminder of the risks inherent in permissionless financial systems, even as the ecosystem rallies to mitigate losses.