Cetus Protocol Hack: $220 Million Stolen in Major Sui Blockchain DeFi Exploit
Introduction
In a devastating blow to the Sui blockchain ecosystem, Cetus Protocol, the leading decentralized exchange (DEX) and liquidity provider on Sui, suffered a major security breach on May 22, 2025. The attack resulted in approximately $220 million being drained from its liquidity pools, marking one of the largest DeFi hacks of 2025.
Cetus Protocol, developed using the Move programming language, has been a cornerstone of the Sui DeFi ecosystem, providing essential automated market maker (AMM) services. The protocol’s compromise sent shockwaves through the cryptocurrency market, affecting not only Sui’s native token but the entire ecosystem built around it.
Hack Details
Timeline and Discovery
The security breach was first detected in the early hours of Thursday, May 22, when users reported unusual activity on the platform. On-chain data quickly revealed that approximately $11 million worth of SUI tokens had been withdrawn from the SUI/USDC liquidity pool on Cetus Protocol.
As the situation unfolded, the scope of the attack became apparent. Multiple liquidity pools were targeted simultaneously, leading to a massive exodus of funds from the platform. The Cetus team acted swiftly by pausing their smart contracts to prevent further exploitation, but by then, significant damage had already been done.
Immediate Market Reaction
The impact on the market was immediate and severe. The price of SUI fell sharply by around 7%, dropping to $3.9 from its previous levels. Cetus Protocol’s native token, CETUS, crashed approximately 33%, falling to around $0.16.
[Figure: SUI price dropped significantly after hack news. Source: Crypto Times]
The most devastating effects were seen in liquidity pool tokens on Cetus, with some plunging by as much as 80% amid the widespread liquidity exodus. Tokens like Lofi crashed by 76% while Hippo slumped by 81%, demonstrating the catastrophic ripple effect throughout the Sui ecosystem.
Technical Analysis of the Exploit
Exploit Methodology
According to security experts, the attacker exploited critical flaws in Cetus Protocol’s smart contracts. The hack involved a sophisticated strategy that manipulated the protocol’s price calculation mechanisms. The attack followed a three-part strategy:
- Creating and Utilizing Fake Tokens: The attacker deployed worthless spoof tokens like BULLA and MOJO that had no actual market value but could interact with the protocol.
- Manipulating Price Curves: By taking advantage of vulnerabilities in Cetus’ smart contracts, the hacker tricked the protocol into treating these worthless tokens as valuable assets through miscalculated price curves or broken reserve mathematics.
- Draining Real Assets: With the fake tokens in place, the attacker was able to skew price data on Cetus and drain legitimate assets from the protocol’s liquidity pools without providing any actual value in return.
[Figure: Diagram showing how hackers exploited smart contracts. Source: TradingView]
Sashko, Chief Technology Officer at HackenProof security firm, explained: “The likely exploit path was: 1. Swap in spoof token (e.g. BULLA → SUI), taking advantage of miscalculated price curve or broken reserve math. 2. Add liquidity with a near-zero amount, to manipulate internal LP state. 3. Remove liquidity multiple times, exploiting accounting errors to drain real SUI/USDC without providing any actual assets.”
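The accounting pattern in the quoted exploit path (liquidity credited for a near-zero deposit, then withdrawals that no deposit backs) can be caught by replaying pool events against an independent ledger. The monitor below is an added example, not Cetus code and not from the original article. It assumes a simplified pro-rata pool model rather than Cetus's actual pricing math, and the event fields, account names, tolerance and sample values are all constructed.

```python
from dataclasses import dataclass, field
from fractions import Fraction

TOLERANCE = Fraction(1, 100)  # assumed slack for rounding and fees

@dataclass
class PoolMonitor:
    reserve_a: int                 # e.g. SUI held by the pool
    reserve_b: int                 # e.g. USDC held by the pool
    backed: dict                   # position -> liquidity justified by deposits
    alerts: list = field(default_factory=list)

    def add(self, who, amount_a, amount_b, minted):
        total = sum(self.backed.values())
        # Liquidity the deposit earns: its smaller share of either reserve.
        fair = int(min(Fraction(amount_a, self.reserve_a),
                       Fraction(amount_b, self.reserve_b)) * total)
        if minted > fair * (1 + TOLERANCE):
            self.alerts.append(("OVER_CREDITED_ADD", who, minted, fair))
        self.backed[who] = self.backed.get(who, 0) + min(minted, fair)
        self.reserve_a += amount_a
        self.reserve_b += amount_b

    def remove(self, who, burned, out_a, out_b):
        total = sum(self.backed.values())
        # Only liquidity backed by real deposits entitles a withdrawal.
        covered = min(burned, self.backed.get(who, 0))
        share = Fraction(covered, total) if total else Fraction(0)
        slack = share * (1 + TOLERANCE)
        if out_a > slack * self.reserve_a or out_b > slack * self.reserve_b:
            self.alerts.append(("UNBACKED_WITHDRAWAL", who, out_a, out_b))
        self.backed[who] = self.backed.get(who, 0) - covered
        self.reserve_a -= out_a
        self.reserve_b -= out_b

SAMPLE_EVENTS = [  # constructed, not on-chain data: (kind, position, amounts...)
    ("add", "lp2", 10_000, 40_000, 20_000),          # proportional deposit
    ("add", "acct_x", 1, 4, 1_000_000),              # dust in, huge credit
    ("remove", "acct_x", 500_000, 167_000, 668_000),
    ("remove", "acct_x", 500_000, 167_000, 668_000),
    ("remove", "lp2", 20_000, 6_000, 26_000),        # honest exit
]

def replay(events):
    pool = PoolMonitor(1_000_000, 4_000_000, {"lp1": 2_000_000})
    for kind, *args in events:
        getattr(pool, kind)(*args)
    return pool.alerts

if __name__ == "__main__": print(*replay(SAMPLE_EVENTS), sep="\n")
```

Because the ledger tracks backed liquidity separately from what the contract credits, an inflated position cannot make its own withdrawals look proportional. The honest positions in the sample raise no alert.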
Market Impact
Effect on SUI Token and Ecosystem
The hack had significant ramifications for the entire Sui blockchain ecosystem. Before the incident, SUI had been enjoying a strong bull run with gains exceeding 60% over 60 days. The exploit put this bullish momentum at serious risk, with technical indicators like the Moving Average Convergence Divergence (MACD) signaling a potential bearish trend.
The total value locked (TVL) in Sui’s DeFi ecosystem plummeted by over $330 million following the attack. Cetus Protocol’s TVL specifically suffered a massive 84% drop, falling to just $38 million.
Impact on Related Tokens
Beyond SUI and CETUS, numerous tokens in the ecosystem were severely impacted:
- LOFI: Crashed 76%
- HIPPO: Collapsed 81%
- WAL, DEEP, NAVX: All experienced significant double-digit percentage drops
[Figure: LP tokens plunged up to 80% after exploit. Source: Crypto Briefing]
Perhaps most alarmingly, USDC on Sui temporarily depegged to near zero following the attack, highlighting the severity of the liquidity crisis triggered by the hack.
Response from Stakeholders
Cetus Protocol’s Official Response
The Cetus team responded quickly to the incident, issuing a statement that acknowledged the security breach: “There was an incident detected on our protocol and our smart contract has been paused temporarily for safety. The team is investigating the incident at the moment.”
In a subsequent update, Cetus confirmed that while the hack had resulted in losses of $223 million, they had succeeded in freezing $162 million of the stolen assets on the Sui blockchain, potentially allowing for recovery.
Sui Foundation’s Actions
The Sui Foundation quickly mobilized to coordinate a response, stating: “At 3:52 AM PT, we became aware of an incident concerning Cetus. The Cetus team has our active support in this ongoing investigation.”
In an unprecedented move, the foundation announced that it had reached consensus with a large number of validators to ignore transactions from addresses associated with the hack until further notice. This validator-level intervention represented a significant step toward containing the damage and preventing the hacker from fully utilizing the stolen funds.
Ecosystem-Wide Precautions
Following the incident, other major DEXs in the Sui ecosystem took preventive measures. Both Bluefin and Momentum announced temporary suspensions of their services to protect users:
“To protect our users, we’ve temporarily paused actions on Bluefin Spot as a precautionary measure. We want to emphasize that Bluefin remains fully secure,” announced the Bluefin team.
Similarly, Momentum stated: “Due to the ongoing exploit on Cetus, we temporarily paused all activities on Momentum as a precautionary measure. All funds are 100% SAFE.”
Even Binance founder CZ offered support, tweeting: “We are doing what we can to help SUI. Not a pleasant situation. Hope everyone stay SAFU!”
Recovery Efforts
Funds Frozen by Validators
In what may prove to be a crucial development, Sui validators took collective action to freeze a significant portion of the stolen funds. According to updates from the Cetus team, approximately $160 million of the $223 million stolen has been successfully frozen on the Sui blockchain.
[Figure: $160M stolen funds frozen on blockchain.]
The Sui Foundation elaborated: “A large number of validators identified the addresses with the stolen funds and are ignoring transactions on those addresses until further notice.” This coordination among validators demonstrates the potential for blockchain governance mechanisms to mitigate damage from attacks.
Hacker’s Activities
Although a substantial portion of the funds was frozen, the attacker managed to extract more than $60 million from the exploit. On-chain analysis shows that these funds were transferred to the Ethereum blockchain and swapped for USDC stablecoin. According to blockchain explorers, the attacker’s wallet still holds more than $37 million worth of assets.
Lookonchain, an on-chain analysis platform, reported that the hacker spent around $58 million to acquire 21,938 ETH, averaging $2,658 per ETH, as part of their strategy to launder the stolen funds.
Lessons Learned & Implications
Security Vulnerabilities Highlighted
The Cetus hack serves as a stark reminder of the critical importance of rigorous security practices in DeFi protocols. The exploit revealed how sophisticated attackers can manipulate price calculation mechanisms and token validations to drain liquidity pools.
Manan Vora, director at crypto custody company Liminal, described the situation in simple terms: “Imagine going to a toy exchange, you bring fake toys that look valuable but are worthless, then you trade them for real toys and run. That’s basically what just happened on Sui.”
Future of DeFi Security
This incident underscores the need for more robust security measures in DeFi protocols, particularly those handling large amounts of user funds. Enhanced audit practices, improved price oracle implementations, and better token validation mechanisms will likely become industry priorities following this exploit.
The coordinated response from validators also highlights a potential path forward for blockchain security governance, demonstrating how decentralized networks can collectively respond to threats.
Conclusion and Latest Updates
The Cetus Protocol hack represents the largest DeFi exploit of 2025 so far, though not as devastating as the record-breaking $1.4 billion Bybit exchange hack earlier this year. While approximately $162 million of the stolen funds remain frozen on-chain, recovery efforts are ongoing.
Cetus Protocol and the Sui Foundation continue to work together to implement recovery solutions with the goal of returning funds to affected users. The technical investigation is still underway to fully understand the exploit and prevent similar vulnerabilities in the future.
For users of the Sui ecosystem, the team recommends exercising caution and waiting for official updates before resuming normal DeFi activities on the network. The incident serves as a powerful reminder that despite the progress in blockchain technology, security remains a paramount concern that requires constant vigilance and improvement.