Foreword
On May 22, Cetus, the leading DEX protocol in the Sui ecosystem, was attacked by hackers. A vulnerability in the protocol's core contract was exploited, and the attacker used it to siphon off a large amount of assets. The incident drew widespread attention within a short time, not only affecting the users involved but also prompting multiple Sui projects to enter an emergency response state.
But what followed was not a chain rollback or super-authority intervention, but a rapid response: validator voting, projects actively shutting down, on-chain freezing of assets, protocol self-inspection and upgrades... The whole process amounted to a real exercise in on-chain financial security governance.
As of the time of writing, five days have passed since the attack. Its impact has been wide, and it has triggered heated community discussion of "on-chain security", "decentralized governance" and "protocol emergency response".
This article attempts to sort out: What exactly happened? Where does responsibility lie? How did the Sui ecosystem respond? What can we learn from it?
How did the attack happen?
The attack occurred on the morning of May 22, 2025, targeting Cetus's CLMM liquidity pool. The attacker found a flaw in the contract and used specially constructed transactions to extract assets over multiple rounds.
The specific process is as follows:
Around 10:30 UTC, the attack began. Through abnormal transactions the attacker drove the price in the pool down, at the same time opened a liquidity position at a high price, and exploited the contract's logic flaw to inject a large amount of "fake" liquidity using a very small amount of tokens.
The attacker then repeatedly added and removed liquidity to extract real assets from the pool.
The attack lasted about 20 minutes, and some monitoring systems began to raise alerts.
40 minutes after the attack
10:40 UTC, Cetus' monitoring system detected abnormal pool behavior.
10:53 UTC, the Cetus team confirmed the source of the attack and notified other projects in the Sui ecosystem.
10:57 UTC, Cetus immediately closed the core liquidity pool to prevent further losses.
11:20 UTC, all related contracts were suspended.
This response was very fast, but the attacker had already drained a large amount of funds.
How to freeze the hacker funds?
As the incident escalated, the ecosystem launched a larger-scale emergency response:
Sui validators quickly began coordinating on-chain and voted on whether to reject transactions from the hacker's addresses;
Once the vote crossed the 33% stake threshold, the hacker's addresses were effectively frozen: their transactions could no longer be processed on chain.
This was not a system rollback or backstage intervention, but an action taken by validators through the consensus mechanism. The chain's state was not altered and user transactions were not tampered with; everything was done under the existing on-chain rules.
A "system rollback" means returning the state of the entire blockchain network to a moment before the attack, as if time were flowing backwards. It usually means confirmed transactions are erased and the chain's history is rewritten. "Backstage intervention" means a centralized power (such as the project team or a foundation) taking direct control of nodes or funds and bypassing the normal process to make decisions.
Neither happened in this incident. Validators implemented the freeze under the on-chain rules, through public voting and autonomous decision-making, which is decentralized governance in practice.
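As an added illustration of the mechanism described above (this is a model written for this article, not Sui's validator code), the following Rust snippet computes a stake-weighted freeze vote and the deny rule each validator then applies. The validator names, stakes, the address "0xhacker" and the choice to measure the threshold against total stake (so abstentions count as "no") and to refuse only transactions sent by a frozen address are all constructed assumptions for the example.

```rust
// Added model of a stake-weighted validator vote that refuses transactions from a
// flagged address. Illustrative code only; not Sui's implementation.
use std::collections::HashSet;

pub struct Validator {
    pub name: &'static str,
    pub stake: u64,
    pub votes_to_freeze: bool,
}

/// Threshold in basis points of *total* stake (3300 = 33%). Assumption for the example:
/// validators that do not vote count as "no".
pub const FREEZE_THRESHOLD_BPS: u64 = 3300;

/// Returns (stake voting to freeze, total stake, whether the threshold is reached).
pub fn freeze_vote(validators: &[Validator], threshold_bps: u64) -> (u64, u64, bool) {
    let total: u64 = validators.iter().map(|v| v.stake).sum();
    let stake_for: u64 = validators
        .iter()
        .filter(|v| v.votes_to_freeze)
        .map(|v| v.stake)
        .sum();
    // stake_for / total >= threshold_bps / 10_000, evaluated in u128 to avoid overflow.
    let reached = total > 0
        && (stake_for as u128) * 10_000 >= (total as u128) * (threshold_bps as u128);
    (stake_for, total, reached)
}

pub struct Tx {
    pub sender: &'static str,
    pub recipient: &'static str,
}

/// Deny rule applied once the vote has passed: a transaction whose sender is a frozen
/// address is refused; every other transaction is processed as usual. The chain state
/// is never rewritten; the address is simply unable to move funds.
pub fn accept_tx(tx: &Tx, frozen: &HashSet<&'static str>, freeze_active: bool) -> bool {
    !(freeze_active && frozen.contains(tx.sender))
}

/// Constructed sample validator set: 600 of 1000 stake votes to freeze.
pub fn sample_validators() -> Vec<Validator> {
    vec![
        Validator { name: "val-a", stake: 400, votes_to_freeze: true },
        Validator { name: "val-b", stake: 300, votes_to_freeze: false },
        Validator { name: "val-c", stake: 200, votes_to_freeze: true },
        Validator { name: "val-d", stake: 100, votes_to_freeze: false },
    ]
}

fn main() {
    let (stake_for, total, reached) = freeze_vote(&sample_validators(), FREEZE_THRESHOLD_BPS);
    println!("{stake_for}/{total} stake voted to freeze; threshold reached: {reached}");

    let mut frozen = HashSet::new();
    frozen.insert("0xhacker"); // constructed placeholder address
    let from_hacker = Tx { sender: "0xhacker", recipient: "0xexchange" };
    let from_user = Tx { sender: "0xalice", recipient: "0xbob" };
    println!("hacker tx accepted: {}", accept_tx(&from_hacker, &frozen, reached)); // false
    println!("user tx accepted:   {}", accept_tx(&from_user, &frozen, reached));   // true
}
```

The point the model makes explicit is scope: only the flagged sender is affected, nothing already confirmed is touched, and the decision is a function of stake that each validator can recompute independently.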
What is the current funding situation?
The data released by Cetus is as follows:
The attacker stole a total of approximately US$230 million in assets;
US$160 million of that remains in two frozen Sui addresses and can no longer be transferred;
US$60 million in assets was transferred across chains to Ethereum, where two known addresses are still being tracked.
The protocol is promoting a community vote to decide how to return assets and compensate.
Why did it happen? Is it a problem with the chain itself, or a vulnerability at the application layer?
SlowMist's report and the analysis of technical experts all point to the same cause: the root of the incident lies in the logic of the open-source code used in the Cetus contract. The attacker exploited an error in the application-layer contract's data overflow check. Had the vulnerability been found and fixed in advance, there would have been no loss. It is therefore not a vulnerability in the Move programming language itself.
Equally important: the Sui network itself was not attacked, and there is no systemic risk.
This is a standard "protocol-layer security incident", not a chain-layer security issue.
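To make the "overflow check error" concrete for the attack sequence described earlier (a large liquidity position obtained for a tiny token amount), here is an added model in Rust of a concentrated-liquidity calculation guarded two ways. It is illustrative code written for this article, not the Cetus contract or its library: the fixed-point format, the formula, the names `shl64_flawed`, `shl64_checked` and `amount_for_liquidity`, and the sample prices and liquidity values are all assumptions. The flawed guard compares the bits that would be shifted out against a limit they can never exceed, so it never fires; the hardened guard refuses whenever any bit would be lost.

```rust
// Added model of a fixed-point liquidity calculation with a flawed overflow guard
// beside a correct one. Illustrative; not the Cetus contract.
// Square-root prices are Q64.64 fixed point: value * 2^64, stored in a u128.

pub const ONE: u128 = 1u128 << 64; // sqrt price 1.0 in Q64.64

type ShlGuard = fn(u128) -> Result<u128, &'static str>;

/// Flawed guard (constructed for illustration): `x >> 64` is at most 2^64 - 1, so it can
/// never exceed `limit`; the check never reports overflow and the high 64 bits of `x`
/// are silently discarded by the shift.
pub fn shl64_flawed(x: u128) -> Result<u128, &'static str> {
    let limit = u64::MAX as u128;
    if (x >> 64) > limit {
        return Err("overflow");
    }
    Ok(x << 64)
}

/// Hardened guard: any non-zero bit in the upper 64 bits would be lost, so refuse.
pub fn shl64_checked(x: u128) -> Result<u128, &'static str> {
    if x >> 64 != 0 {
        return Err("overflow");
    }
    Ok(x << 64)
}

/// Token amount required to add `liquidity` over [sqrt_lower, sqrt_upper]:
///   amount = liquidity * (su - sl) / (su * sl)
/// computed as ((liquidity << 64) / SU) * (SU - SL) / SL with Q64.64 prices, so that
/// the left shift is the step where an oversized `liquidity` must be rejected.
pub fn amount_for_liquidity(
    liquidity: u128,
    sqrt_lower: u128,
    sqrt_upper: u128,
    shl: ShlGuard,
) -> Result<u128, &'static str> {
    if sqrt_lower == 0 || sqrt_lower >= sqrt_upper {
        return Err("invalid price range");
    }
    let scaled = shl(liquidity)?; // liquidity * 2^64; must fail if liquidity >= 2^64
    let per_upper = scaled / sqrt_upper; // liquidity / su, still Q64.64-scaled
    let numerator = per_upper
        .checked_mul(sqrt_upper - sqrt_lower)
        .ok_or("overflow")?; // remaining multiplication is guarded explicitly
    Ok(numerator / sqrt_lower)
}

fn main() {
    let sl = ONE;     // sqrt price 1.0
    let su = 4 * ONE; // sqrt price 4.0
    // Normal position: 1000 liquidity costs 750 tokens under either guard.
    println!("normal:  {:?}", amount_for_liquidity(1000, sl, su, shl64_checked));
    // Oversized position: 2^64 + 1000 liquidity. The flawed guard wraps the value and
    // prices it like a 1000-liquidity position; the hardened guard rejects it.
    let huge = ONE + 1000;
    println!("flawed:  {:?}", amount_for_liquidity(huge, sl, su, shl64_flawed));  // Ok(750)
    println!("checked: {:?}", amount_for_liquidity(huge, sl, su, shl64_checked)); // Err("overflow")
}
```

The defensive lesson is that a guard must test exactly the bits an operation discards; a check that is present but unreachable passes review by eye and only shows up under a test that feeds values above the representable range.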

After the attack, how did other projects in the Sui ecosystem act?
After Cetus shut down, multiple projects on Sui began security self-inspections. We observed that the Momentum protocol also suspended trading as soon as the attack occurred, completed a full code audit and risk investigation, and resumed after the stolen funds were frozen.
As the leading DEX in the Sui ecosystem, Momentum halted trading as quickly as possible and worked with the Sui Foundation to block the stolen funds, preventing the attacker from spreading them into more trading-asset accounts through DEX trades. At the same time it carried out a thorough self-inspection. Once the self-inspection came back clean and the stolen funds were confirmed frozen by the Sui Foundation, trading was the first function restored.
What is the follow-up of the incident?
Currently:
Cetus has completed the core vulnerability fix and is reviewing the code with the audit team;
A user compensation plan is being formulated, which will depend in part on the vote on the ecosystem governance proposal;
Other Sui projects have also resumed operations or are completing security hardening.
The ecosystem did not stop; instead it systematically reviewed its security mechanisms after the incident.
What does this incident tell us?
The attack on Cetus has once again confronted all builders and users with a practical question:
What does protocol security rely on?
The answer has become increasingly clear:
On the collective wisdom that decentralization brings, not on decentralization as an excuse for inaction;
On continuous, systematic investment, not on one or two audit reports;
On everyday preparation and mechanism building, not just post-incident remedies;
On every participant's willingness to take responsibility and act proactively, rather than blaming the problem on the "chain" or the "technology".
We saw that the hackers caused losses but did not destroy the system;
We also saw that decentralization is not about hiding behind rules and watching from the sidelines, but about spontaneously coming together to defend the bottom line and protect users.
Conclusion
True decentralization is not a slogan, but a responsibility
There is no savior in this storm.
Sui validators voted to freeze risky transactions; other protocols completed security self-inspections, and some quickly came back online; users, too, are paying attention and pushing for improvements.
Decentralization is not laissez-faire, but collaboration with boundaries, principles and responsibilities.
In a system without a backend, trust must be supported by every line of code, every mechanism, and every decision.
This incident is a crisis, a test, and a mirror.
It tells us:
Decentralization is not a goal, but a method. The goal is to build trust; decentralization brings collective wisdom.
Decentralization is important, but capital efficiency and protocol security are more important.