- The attacker exploited flaws in Cetus’ smart contracts.
- Cetus is the biggest DEX aggregator on Sui.
- Several Sui-based tokens crashed due to the exploit.
The Sui blockchain is reeling from a major exploit that affected one of its biggest protocols.
On Thursday, Cetus, the largest decentralised exchange aggregator on Sui, suffered a security breach that resulted in a theft of $220 million. The attacker exploited flaws in the protocol’s smart contracts to drain funds.
While Cetus said it acted promptly to stave off the attack and paused its smart contracts to prevent further losses, the incident caused the value of several Sui-based tokens to plummet, including Lofi, which crashed 76%, and Hippo, which slumped 81%.
How they did it
The attacker managed to pull off the exploit by taking advantage of flaws in Cetus’ smart contracts. They sent spoof tokens to Cetus that didn’t have any market value.
Vulnerabilities in Cetus’ smart contracts allowed the attacker to trick the protocol into treating those tokens as if they were valuable. The attacker used the worthless tokens to skew price data on Cetus and drain the protocol’s liquidity pools.
“Imagine going to a toy exchange, you bring fake toys that look valuable but are actually worthless, then you trade them for real toys and run,” Manan Vora, director at Liminal, a crypto custody company, posted on LinkedIn in reaction to the incident.
“That’s basically what just happened on Sui.”
Since liquidity pools are critical cryptocurrency reserves on exchanges that allow traders to swap tokens, and Cetus is the biggest DEX on Sui, the attack caused several tokens on the network to crash.
The USDC stablecoin on Sui depegged to zero following the attack.
The attack also significantly impacted Sui’s DeFi ecosystem, with the total assets held by investors in the network plummeting by over $330 million on Thursday.
Cetus’ total assets held on the protocol also suffered a massive 84% drop on Thursday to $38 million.
Cetus reaction
The Cetus team reported that, thanks to its recovery efforts, it froze $160 million of the syphoned funds and is working to return them to the protocol.
Cetus stated on X, “We are working with the Sui Foundation and other ecosystem members right now on next-step solutions with the goal of recovering the remaining stolen funds.”
The Sui Foundation added, “A large number of validators identified the addresses with the stolen funds and are ignoring transactions on those addresses until further notice.”
Validators are the backbone of blockchains like Sui as they verify transactions and enforce the protocol’s rules. By ignoring transactions associated with the hack, the validators are effectively enacting a consensus-based censorship akin to the freezing of bank accounts in traditional finance.
Still, the attacker managed to extract more than $60 million from the exploit. Onchain data shows the funds have been transferred to the Ethereum blockchain and swapped for USDC stablecoin. The attacker’s wallet still has more than $37 million worth of assets.
Cetus’ security breach is the biggest DeFi hack in 2025, a year that has also set the record for the single largest crypto hack of $1.4 billion from the Bybit crypto exchange.
Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. Got a tip? Please contact him at osato@dlnews.com.