
Cetus Protocol Unveils Full Compensation Plan After $223 Million Hack Shakes Sui Ecosystem

On May 27, 2025, Cetus Protocol — the largest decentralized exchange on the Sui blockchain — announced a comprehensive compensation plan for users affected by the catastrophic $223 million exploit that struck the platform just days earlier. The announcement marked a pivotal moment for the Sui ecosystem, which saw its total value locked plunge from $2.13 billion to $1.74 billion in the aftermath of the attack.

The Exploit Mechanics

The attack, which occurred on May 22, exploited a critical flaw in Cetus Protocol’s token swap mechanism. The attacker introduced spoofed tokens designed to manipulate the automated market maker’s price curve calculations. By artificially inflating pool reserves and trading prices through these malicious tokens, the attacker was able to drain real assets — including CETUS, SUI, and USDC — from liquidity pools at severely distorted valuations.

The root cause was traced to a flawed math library used by the Cetus DEX smart contracts. This vulnerability bypassed standard token validation mechanisms, exposing fundamental weaknesses in the protocol’s input verification and curve logic. The attacker’s wallet was observed holding a range of drained assets, with approximately $160 million remaining frozen on the Sui network while the remainder was bridged to Ethereum.

Affected Systems

The impact rippled across the entire Sui ecosystem. Multiple liquidity pairs were affected, causing some token prices to crash by over 90% within minutes. CETUS, the native token of the protocol, plummeted from its quarterly peak above $0.23 before partially recovering to $0.15 — a 23% rally following the compensation announcement. The SUI token itself experienced significant volatility, dropping from $3.43 before recovering to approximately $3.70.

Active addresses on the Sui network fell dramatically — from 1.7 million daily active addresses to under 300,000 — as the loss of liquidity from Cetus, a major source of on-chain activity, was felt protocol-wide. SUI’s meme token trading, which had been gaining momentum, suffered particular damage as some of the hottest tokens erased most of their value.

The Mitigation Strategy

Cetus Protocol outlined a multi-pronged recovery approach. First, the project committed its own cash and coin treasuries to cover user losses. Second, the Sui Foundation stepped in with a secured bridge loan of 30 million USDC specifically designated to accelerate the compensation process. This loan, combined with Cetus’s reserves, aims to address the funds that were bridged out of the Sui network and are only partially recoverable.

Simultaneously, Sui Network announced a $10 million security fund dedicated to strengthening the ecosystem’s defenses. This investment will finance smart contract audits, expanded bug bounty programs, and formal verification of critical protocol code — addressing the root causes that allowed such a devastating exploit to occur.

Lessons Learned

The Cetus exploit underscores a critical lesson for the broader DeFi ecosystem: the security of a protocol is only as strong as its most fundamental code components. The flawed math library at the heart of this attack highlights the importance of rigorous third-party audits and formal verification, particularly for protocols managing hundreds of millions of dollars in user funds.

The incident also revealed the double-edged nature of network-level responses. While Sui validators moved quickly to blacklist the attacker’s wallets through emergency consensus, actually recovering the frozen $160 million requires a community vote — a process that introduces governance complexity into what should ideally be a swift security response.

User Action Required

For Cetus Protocol users, the compensation plan offers a path toward recovery, but patience is required. The protocol is awaiting a community governance vote on moving the $160 million in frozen funds from the attacker’s address. Users should monitor official Cetus channels for updates on the claims process and ensure they have documentation of their positions at the time of the exploit. Bitcoin traded near $108,994 and Ethereum at $2,663 at the time of the announcement, providing context for the broader market environment during this recovery period.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.


14 thoughts on “Cetus Protocol Unveils Full Compensation Plan After $223 Million Hack Shakes Sui Ecosystem”

  1. flawed math library in a DEX handling $2B in TVL. the audit should have caught the curve manipulation vector. spoofed tokens bypassing validation is like day one DeFi security

    1. amm_audit_ the attacker was basically printing their own price oracle. once you control the price curve in an AMM you can drain everything at valuations you set yourself. it's the oldest DeFi exploit pattern

      1. exactly. once you control the price curve the AMM is basically a faucet you can turn on at will. seen this exact pattern on eth in 2020 with the yam exploit

    2. the crazy part is Sui Move Prover was supposed to catch this class of bug. formal verification means nothing if your math library itself is the vulnerability

      1. Wei C. the irony of Sui Move Prover missing this is brutal. formal verification of the contract while the math library underneath was wide open

  2. Sui TVL dropping from 2.13B to 1.74B in days. the $223M hack is bad but the trust deficit is worse. how many users are going to bridge back after watching their LPs get drained

    1. Min-Jun P. trust deficit is right. Sui TVL recovered to 1.9B by August but Cetus lost its #1 DEX position to DeepBook permanently

    2. amm_spectator

      Min-Jun the trust deficit is what kills protocols. TVL recovers eventually but users who got burned rarely come back

  3. full compensation plan reimbursing 100% of lost funds was unprecedented. most hacks end with we are investigating and a dead telegram group

  4. a math library flaw in a protocol handling $2B. someone needs to explain how that passed multiple audits without anyone checking the curve logic

    1. Yuna Park the audits focused on functional correctness not numerical edge cases. the math library was technically correct code doing mathematically wrong things under specific inputs
