
Inside the Cetus Protocol Exploit: How Spoof Tokens Bypassed Oracle Security on Sui

The Sui blockchain ecosystem suffered one of the most devastating DeFi exploits of 2025 on May 22, when Cetus Protocol, its largest decentralized exchange and liquidity provider, was drained of approximately $223 million. As the dust settles and investigators trace the attacker’s wallets across chains, the incident raises urgent questions about oracle design, concentrated liquidity security, and the systemic risks embedded in rapidly growing Layer 1 ecosystems.

The Exploit Mechanics

The attack began at approximately 3:52 AM PT on May 22, when blockchain monitors first detected irregular movements in the SUI/USDC liquidity pool on Cetus Protocol. What initially appeared to be an $11 million outflow quickly expanded as investigators mapped the full scope of the breach, revealing total losses across multiple pools that may have reached $260 million.

At the core of the exploit was Cetus Protocol’s internal oracle system, which relied on concentrated liquidity pool data to generate real-time price feeds for trading pairs. The attacker, operating from wallet address “0xe28b50,” deployed spoof tokens such as BULLA to manipulate pricing curves and distort reserve balance calculations. These spoof tokens carried near-zero real liquidity but were used to skew internal pool metrics, making valuable assets like SUI and USDC appear undercollateralized relative to the distorted price data.

By adding these artificial tokens with minimal value to liquidity pools, the attacker tricked the protocol’s “addLiquidity,” “removeLiquidity,” and “swap” functions into accepting worthless tokens as valid collateral. The smart contract code failed to properly validate inputs when interacting with assets that held little or no economic value, allowing the attacker to repeatedly withdraw real assets without depositing meaningful value in return.

On-chain analysts tracked the attacker moving approximately $63 million in USDC from Sui to Ethereum in the hours following the exploit. Conversion data showed $58.3 million was swapped for 21,938 ETH at an average rate of approximately $2,658 per coin. The pace of execution, estimated at roughly $1 million per minute, indicated a coordinated and pre-planned operation with pre-positioned infrastructure across chains.

Affected Systems

Cetus Protocol has been a cornerstone of the Sui DeFi ecosystem since its 2023 launch. Serving more than 62,000 active users and generating over $7.15 million in daily trading fees, the platform’s compromise sent shockwaves through the entire network. Bitcoin traded at approximately $107,288 on the day of the exploit, while Ethereum sat near $2,526, providing context for the broader market environment in which this attack occurred.

The SUI token itself fell sharply from $4.19 to $3.62, a nearly 14% decline within a single day. Cetus Protocol’s native CETUS token declined from $0.26 to $0.15 during the immediate aftermath. Among the top 15 assets listed on Cetus, more than 75% of total value was erased. Sui-based memecoins including LOFI, HIPPO, SQUIRT, SLOVE, and MEMEFI saw losses ranging from 51% to 97%. Sui’s total value locked dropped from $2.13 billion to $1.92 billion within hours.

The attacker’s wallet remained active throughout the day, holding millions in SUI tokens and having already bridged significant USDC to other chains, indicating a rapid attempt to obfuscate the stolen funds across multiple networks.

The Mitigation Strategy

Cetus Protocol confirmed the incident and immediately paused all smart contracts to prevent further theft. The protocol reported that approximately $162 million of the compromised funds had been successfully paused, representing a significant portion of the total stolen amount. The Cetus team engaged the broader Sui ecosystem, the Sui Foundation, and third-party security firms for incident analysis and fund tracing.

Security experts flagged the hacker’s accounts across major exchanges and cross-chain bridges. Cetus identified and patched the root cause of the exploit, swiftly notifying other ecosystem builders to prevent similar vulnerabilities from being exploited elsewhere. The protocol also engaged professional anti-cybercrime organizations for specialized support in fund tracing and potential negotiations with the attacker.

Notably, the Sui Foundation’s involvement in the response raised broader questions about decentralization. Reports indicated that Sui validators coordinated to freeze certain transactions, which, while effective in limiting the damage, prompted debate about the network’s decentralization claims and the role of foundation-level intervention in DeFi incidents.

Lessons Learned

The Cetus exploit exposes a fundamental tension in DeFi protocol design: the desire to reduce reliance on external oracles by using internal pool data for price discovery can introduce new attack vectors that are equally dangerous. Cetus’s internal oracle system was designed to limit vulnerability to outside manipulation, but in doing so, it created a single point of failure where spoof tokens could corrupt pricing data from within.

Proper input validation for token interactions, especially for assets with minimal established liquidity or market history, should be a non-negotiable security requirement. The exploit also underscores the importance of circuit breakers and time-locked withdrawal mechanisms that can pause suspicious activity before the full scope of an attack is realized.
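One way to combine the two controls recommended above, as an added example that is not Cetus code: a guard that refuses to act on prices derived from thin or newly listed tokens and pauses the pool once rolling outflow exceeds a cap. The class names, thresholds and sample token figures are illustrative assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Token:
    symbol: str
    liquidity_usd: int  # depth valued by an independent source (assumed input)
    age_days: int       # time since the token was first listed

@dataclass
class PoolGuard:
    tvl_usd: int
    min_liquidity_usd: int = 1_000_000  # illustrative threshold
    min_age_days: int = 30              # illustrative threshold
    max_outflow_bps: int = 500          # 5% of TVL per window
    window_s: int = 600
    paused: bool = False
    _outflows: deque = field(default_factory=deque)

    def price_eligible(self, token: Token) -> bool:
        """Input validation: thin or brand-new tokens may not drive pricing."""
        return (token.liquidity_usd >= self.min_liquidity_usd
                and token.age_days >= self.min_age_days)

    def authorize_withdrawal(self, now: int, amount_usd: int, priced_against: Token) -> str:
        if self.paused:
            return "paused"
        if not self.price_eligible(priced_against):
            return "rejected"
        # Drop outflows that have aged out of the rolling window.
        while self._outflows and self._outflows[0][0] <= now - self.window_s:
            self._outflows.popleft()
        total = sum(a for _, a in self._outflows) + amount_usd
        if total > self.tvl_usd * self.max_outflow_bps // 10_000:
            self.paused = True  # circuit breaker: stays tripped until reviewed
            return "paused"
        self._outflows.append((now, amount_usd))
        return "ok"

def run_demo() -> list:
    # Constructed sample data, not figures from the incident.
    usdc = Token("USDC", 500_000_000, 900)
    spoof = Token("BULLA", 40, 2)
    guard = PoolGuard(tvl_usd=100_000_000)
    events = [(0, 2_000_000, usdc), (30, 2_000_000, spoof),
              (60, 2_000_000, usdc), (120, 2_000_000, usdc), (130, 1_000, usdc)]
    return [guard.authorize_withdrawal(t, amt, tok) for t, amt, tok in events]
```

The fourth withdrawal would push the ten-minute outflow past 5% of TVL, so the breaker trips and even the small fifth request is held until the pool is reviewed.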

For users, the incident reinforces the importance of diversifying across protocols and chains rather than concentrating liquidity provision in a single platform, regardless of its market position or daily fee generation.

User Action Required

If you had funds deposited in Cetus Protocol, monitor the official Cetus channels for updates on fund recovery and distribution plans. Do not interact with any smart contracts claiming to offer refunds or compensation outside of official channels, as phishing attempts commonly follow major exploits. Review your exposure to other Sui-based DeFi protocols, as the liquidity drain may have cascading effects on token prices and pool stability across the ecosystem.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.


8 thoughts on “Inside the Cetus Protocol Exploit: How Spoof Tokens Bypassed Oracle Security on Sui”

  1. $223M from a DEX on a chain that's barely a year old. the speed vs security tradeoff for new L1s keeps producing the same exploit pattern

  2. the attacker moved $63M to ETH via Wormhole before anyone could respond. cross-chain bridges are the getaway cars of DeFi exploits

    1. wormhole processed that $63M bridge in minutes with zero fraud checks. cross-chain bridges having no delay or review mechanism is the actual systemic risk

  3. BULLA spoof tokens with near-zero liquidity being accepted as valid collateral. the smart contract literally could not distinguish between real and fake assets. $223M lost to a basic input validation failure

    1. Kofi nailed it, accepting spoof tokens as collateral without checking actual liquidity is like accepting a drawing of a dollar bill. basic input validation 101

      1. exactly. the oracle was reading pool prices that the attacker set with fake tokens. it's not even an oracle bug, it's a governance failure for allowing unvetted tokens into pools

    2. ^ and validators froze $162M on Sui through emergency coordination. so the response worked for on-chain funds but bridged funds are just gone. that's the real lesson here

      1. $162M frozen is nice but the $63M that bolted through Wormhole proves cross-chain bridges need kill switches too
