Typus Finance Oracle Exploit Drains $3.44 Million From Sui DeFi Protocol

The Sui blockchain’s DeFi ecosystem suffered its third major security breach of 2025 after Typus Finance, a perpetuals and options decentralized exchange, lost $3.44 million in a sophisticated oracle exploit. The attack, which occurred on October 15 and was publicly disclosed on October 16, exposed critical gaps in smart contract auditing practices and reignited concerns about the security posture of emerging Layer 1 networks.

The Exploit Mechanics

According to the detailed postmortem published by the Typus Finance team, the attacker exploited a vulnerability in the platform’s TLP (Typus Liquidity Pool) oracle contract. The root cause was a lack of authority checks within the oracle module, allowing an unauthorized party to manipulate price feeds and drain funds from the liquidity pool.

The attacker executed the exploit with precision, draining approximately 588,357.9 SUI, 1,604,034.7 USDC, 0.6 xBTC, and 32.227 suiETH from the protocol. Blockchain security firm Hacken traced the attacker’s wallet back to Tornado Cash, the popular Ethereum-based privacy mixer, indicating a premeditated and professionally orchestrated attack. Within two hours of the exploit, the attacker had already swapped the stolen funds to DAI stablecoin, effectively laundering the proceeds across multiple transaction paths.

The oracle module at the heart of this vulnerability was originally deployed on November 13, 2024. Crucially, this module was not included in the scope of the May 2025 security audit conducted by MoveBit, a specialized Move language security firm. This exclusion created a blind spot that the attacker successfully exploited.

Affected Systems

The Typus Finance platform operates as a multi-product DeFi protocol on the Sui Network, offering perpetual trading, options vaults, and liquidity pools. While the $3.44 million loss is significant, the impact was contained to the TLP contract alone. Funds deposited in the SAFU (Secure Asset Fund for Users) and DeFi Options Vaults remained secure and unaffected by the exploit.

However, the broader implications for the Sui DeFi ecosystem are substantial. This is the third major exploit on Sui in 2025 alone, following the Cetus Protocol hack in May that lost over $220 million and the Nemo Protocol exploit in September. Combined, these three incidents have resulted in more than $225 million in stolen assets from Sui-based protocols this year, drawing intense scrutiny from both investors and security researchers.

The Mitigation Strategy

Upon detecting the exploit at approximately 10:18 AM ET on October 15, the Typus Finance team immediately paused all smart contracts on the platform. This swift action prevented further drainage and preserved remaining user funds across unaffected contracts. The team has since received active support from the Sui Foundation, Mysten Labs (the core developer of the Sui blockchain), MoveBit, SlowMist, and on-chain monitoring provider Hypernative.

The coordinated response effort is focused on an asset recovery plan that may involve collaboration with exchanges and blockchain analytics firms to trace and potentially freeze the stolen funds. Given the attacker’s use of Tornado Cash and rapid conversion to DAI, recovery prospects remain uncertain, but the involvement of multiple security firms increases the chances of partial fund recovery.

Lessons Learned

The Typus Finance exploit underscores several critical lessons for the DeFi industry. First, incomplete audit coverage represents one of the most dangerous security risks. When the vulnerable oracle module was excluded from the May 2025 audit scope, it created a false sense of security. Protocols must ensure that all deployed smart contracts, especially those handling price feeds and fund transfers, are included in comprehensive security audits.

Second, on-chain monitoring configuration proved inadequate. The Typus team acknowledged that alert frequency for their monitoring service was not configured for immediate detection of this specific event type. Real-time monitoring with low-latency alerting is essential for minimizing damage during active exploits.

Third, the Sui ecosystem’s recurring security incidents suggest that the Move programming language’s safety guarantees, while beneficial, are not sufficient to prevent logical vulnerabilities at the application layer. Authority checks and access control remain the responsibility of protocol developers.
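The missing authority check named as the root cause, and the developer-side access control this lesson refers to, can be illustrated with Sui Move's capability pattern. This is an added example, not code from Typus Finance or its postmortem; the module, struct and function names are hypothetical, and the emitted event is an assumption that gives an on-chain monitor something to alert on.

```move
// Added illustration: hypothetical module, not Typus Finance code.
module example::oracle {
    use sui::clock::{Self, Clock};
    use sui::event;
    use sui::object::{Self, UID};
    use sui::transfer;
    use sui::tx_context::{Self, TxContext};

    /// Capability object: only its holder may write prices.
    public struct UpdateCap has key, store { id: UID }

    /// Shared price feed that a liquidity pool would read.
    public struct PriceFeed has key {
        id: UID,
        price: u64,
        updated_ms: u64,
    }

    /// Emitted on every authorised write so monitoring can see who updated.
    public struct PriceUpdated has copy, drop {
        price: u64,
        updater: address,
    }

    fun init(ctx: &mut TxContext) {
        // The publisher receives the only UpdateCap; the feed is shared.
        transfer::transfer(UpdateCap { id: object::new(ctx) }, tx_context::sender(ctx));
        transfer::share_object(PriceFeed { id: object::new(ctx), price: 0, updated_ms: 0 });
    }

    /// WEAK: no authority check. PriceFeed is a shared object, so any
    /// transaction can pass it in and overwrite the price.
    public fun update_price_unchecked(feed: &mut PriceFeed, price: u64, clock: &Clock) {
        feed.price = price;
        feed.updated_ms = clock::timestamp_ms(clock);
    }

    /// HARDENED: the call only type-checks if the sender owns an UpdateCap.
    public fun update_price(
        _cap: &UpdateCap,
        feed: &mut PriceFeed,
        price: u64,
        clock: &Clock,
        ctx: &TxContext,
    ) {
        feed.price = price;
        feed.updated_ms = clock::timestamp_ms(clock);
        event::emit(PriceUpdated { price, updater: tx_context::sender(ctx) });
    }
}
```

The two update functions differ only in the `_cap: &UpdateCap` parameter. Move's type and ownership guarantees enforce the check once it is declared, but nothing in the language requires it to be declared in the first place.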

User Action Required

If you had funds deposited in the Typus Finance TLP contract, monitor official Typus Finance communications on X (formerly Twitter) for updates on the asset recovery plan. Users with funds in SAFU or DeFi Options Vaults can be reassured that their deposits remain secure. For broader DeFi participants, this incident serves as a reminder to diversify across protocols and chains, and to verify that platforms you use have comprehensive audit coverage for all deployed contracts, not just core modules.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with DeFi protocols.


11 thoughts on “Typus Finance Oracle Exploit Drains $3.44 Million From Sui DeFi Protocol”

  1. DeFi_Watcher_99

    Another day, another oracle exploit. It’s wild that even in 2026 we’re still seeing these price manipulation vulnerabilities in major protocols. Typus had a decent reputation on Sui, so this is definitely a blow to the ecosystem’s momentum. Hope the team can trace the funds.

  2. Man, I was just looking into Typus Finance last week. Really glad I didn’t bridge over my assets yet. Sui has been growing so fast, but these security lapses are exactly why people are still hesitant about moving large capital to newer L1s. Stay safe out there everyone.

    1. attacker swapped everything to DAI within 2 hours. that's faster than most incident response teams can even detect the breach

      1. Slawomir Pietrzak

        Tomasz Wozniak 2 hours to DAI conversion. attacker had the laundering path planned before the exploit. professional job

  3. OnChainSleuth

    The technicals behind this drain are pretty concerning. Using low-liquidity pools to manipulate the oracle price is a textbook move, yet protocols still miss it during audits. Typus needs to be completely transparent about the post-mortem and how they plan to reimburse affected users.

    1. the oracle module was deployed Nov 2024 and excluded from the May 2025 MoveBit audit. that's the real scandal here. audit scope gaps kill more protocols than bad code

      1. move_audit_ excluded from audit scope is the recurring nightmare in DeFi. happened with Wormhole, happened here. when will protocols learn to audit EVERYTHING

  4. CryptoSuiGirl

    This is so gutting for the Sui community. We’ve been having such a good run lately and then this happens. Really hoping the Typus team has a plan to make things right for the LPs. DeFi is still such a frontier, definitely a reminder to never deposit more than you can afford to lose.
