Cetus DEX Exploit Explained: $220M Stolen in Minutes on Sui

On May 22, 2025, Cetus DEX, the largest decentralized exchange on the Sui blockchain, was rocked by a devastating exploit that drained approximately $220–260 million in digital assets. Within minutes, liquidity pools were emptied, trust in the platform shattered, and SUI token value dropped by nearly 15%.

The scale of the exploit has raised critical questions:

  • How did a DEX with multiple audits and industry support fail this badly?
  • What exactly did the attacker do?
  • Can user funds be recovered—and what happens next?

Let’s break it all down.


What Is Cetus DEX and Why Was It Targeted?

Cetus DEX serves as a core liquidity hub on the Sui blockchain, facilitating swaps, trading pairs, and yield farming. It had seen explosive growth since late 2023:

  • October 2023 Trade Volume: $182 million
  • January 2025 Trade Volume: $7.15 billion

With growth came attention—from users, developers, and unfortunately, attackers.


Step-by-Step Breakdown of the Cetus Exploit

Here’s how the attacker pulled off one of DeFi’s most sophisticated heists:

1. Flash Loan Initiation

Using wallet 0xe28b50, the attacker took out a flash loan, gaining temporary access to a large volume of liquidity without upfront collateral. A flash loan must be repaid within the same transaction, so it costs nothing if the rest of the sequence succeeds.

2. Fake Token Insertion

Early analyses flagged attacker-created tokens (e.g., BULLA) appearing in Cetus pools. These tokens had no real value, but counterfeit tokens on their own cannot force a concentrated-liquidity pool to misprice anything. The lever that actually broke the pool accounting was a defect in the integer math, described next.

3. Overflow in the Liquidity Math

Cetus's CLMM computes how much of a token a liquidity provider must deposit to back a given amount of liquidity over a price range. That computation shifts a 256-bit intermediate left by 64 bits through a checked_shlw helper in the integer-mate math library, and the helper's overflow check used the wrong mask: it only flagged values above 2^256 minus 2^192, so any product with some bits set in the top 64 positions slipped through and the shift silently discarded them. The attacker opened a position in a narrow tick range with an astronomically large liquidity value; the truncated numerator made the required deposit round up to a single token unit, so the contract credited enormous liquidity in exchange for almost nothing.

4. Liquidity Drain

With that inflated position on the books, the attacker withdrew against it and swapped across 46 liquidity pairs, pulling real assets such as SUI and USDC out of the pools at prices the broken accounting treated as fair.

5. Crosschain Exit Strategy

Roughly $60 million in USDC was bridged to Ethereum and converted into 21,938 ETH, spreading the stolen funds across networks and wallets to complicate tracing.
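The defect in step 3 is easier to see in code. The Python model below is an added example, not the Move source of Cetus or the integer-mate library: it mimics Move's u256 semantics with masked Python integers, keeps the names checked_shlw and get_delta_a from the Move code, and places the vulnerable overflow check beside the corrected one. The sqrt prices (Q64.64 fixed point) and liquidity figures are constructed for the example; they are not the attacker's actual inputs.

```python
# Python model of the overflow-check defect behind the Cetus exploit.
# Added example: this is NOT the Move source of Cetus or integer-mate.
# u256 arithmetic is modelled with masked Python ints; inputs are constructed.

U256_MAX = (1 << 256) - 1
U64_MAX = (1 << 64) - 1


class Overflow(Exception):
    """Stands in for a Move abort."""


def full_mul_u128(a: int, b: int) -> int:
    """u128 * u128 -> u256 (the product always fits, so no wrap is needed)."""
    assert 0 <= a < (1 << 128) and 0 <= b < (1 << 128)
    return a * b


def checked_shlw_buggy(n: int):
    """Vulnerable shift-left-by-64. The mask has only the top 64 bits set,
    so just values above 2^256 - 2^192 are flagged; anything with bits
    192..255 partially set passes, and the shift silently drops those bits
    (u256 << truncates instead of aborting)."""
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MAX, False


def checked_shlw_fixed(n: int):
    """Corrected check: any value with a bit at position 192 or above would
    lose bits when shifted by 64, so flag it as an overflow."""
    if n >= (1 << 192):
        return 0, True
    return (n << 64) & U256_MAX, False


def div_round(num: int, denom: int, round_up: bool) -> int:
    q, r = divmod(num, denom)
    return q + 1 if (round_up and r) else q


def get_delta_a(sqrt_price_0, sqrt_price_1, liquidity, round_up, shlw):
    """Token-A amount needed to back `liquidity` between two Q64.64 sqrt prices:
    amount = liquidity * (sqrt_p1 - sqrt_p0) / (sqrt_p0 * sqrt_p1).
    The numerator is shifted left by 64 to keep the Q64.64 scaling, and that
    shift goes through whichever checked_shlw implementation is supplied."""
    lo, hi = sorted((sqrt_price_0, sqrt_price_1))
    numerator, overflowing = shlw(full_mul_u128(liquidity, hi - lo))
    if overflowing:
        raise Overflow("liquidity * sqrt_price_diff << 64 overflows u256")
    denominator = full_mul_u128(sqrt_price_0, sqrt_price_1)
    quotient = div_round(numerator, denominator, round_up)
    if quotient > U64_MAX:  # Move's `(quotient as u64)` cast aborts here
        raise Overflow("token amount does not fit in u64")
    return quotient


# Constructed inputs: a narrow tick range at a high sqrt price, plus an
# absurdly large liquidity value (about 2^114 units) and a sane one.
SQRT_P0 = 1 << 85
SQRT_P1 = (1 << 85) + (1 << 79)
HUGE_LIQUIDITY = (1 << 114) + 1
SANE_LIQUIDITY = 10 ** 18


def required_deposit(shlw, liquidity=HUGE_LIQUIDITY) -> int:
    """Token units the pool demands for `liquidity` under the given shlw."""
    return get_delta_a(SQRT_P0, SQRT_P1, liquidity, True, shlw)


def aborts(shlw, liquidity=HUGE_LIQUIDITY) -> bool:
    """True if the deposit calculation aborts (the safe outcome)."""
    try:
        required_deposit(shlw, liquidity)
        return False
    except Overflow:
        return True


if __name__ == "__main__":
    print("buggy, huge liquidity ->", required_deposit(checked_shlw_buggy), "token unit(s)")
    print("fixed, huge liquidity -> aborts:", aborts(checked_shlw_fixed))
    print("both, sane liquidity ->",
          required_deposit(checked_shlw_buggy, SANE_LIQUIDITY),
          required_deposit(checked_shlw_fixed, SANE_LIQUIDITY))
```

With the vulnerable helper, the huge position costs one token unit because the wrapped numerator is smaller than the denominator and rounds up to 1; with the corrected helper, the same call aborts, which is what should have happened on-chain. For ordinary liquidity sizes both versions agree, which is why normal usage and test suites never tripped over the bug.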


Timeline of Events

Time (UTC)   Event
10:30:50     Exploit begins with suspicious liquidity shifts.
10:53:00     Cetus identifies the attack and alerts the community.
10:57:47     Core pools shut down to prevent more losses.
11:20:00     Smart contracts disabled.
12:50:00     Sui validators begin freezing attacker addresses.
18:15:28     Vulnerable contract updated and patched.

By end of day, most major damage was done—but a community-led response was already underway.


Why Didn’t Audits Catch This?

Cetus DEX had undergone multiple smart contract audits, yet the exploit came down to a single incorrect overflow check in the integer-mate math library its CLMM depends on, combined with a liquidity calculation that trusted that check without a second bound on the result.

Key Missteps:

  • Over-reliance on “trusted” libraries assumed to be secure, with the dependency's arithmetic helpers outside the audit scope.
  • Auditors reviewed the protocol logic but did not catch that the overflow check in the underlying math helper could silently pass a truncated value.
  • Reactive rather than proactive security: no on-chain invariant or monitoring flagged a position being credited far more liquidity than its deposit could back.

“The attacker used a novel strategy that wasn’t covered in standard audit playbooks,” said BlockSec’s Orlando.


Community Fallout and Market Reaction

  • CETUS Token: Down 40%+
  • TVL Drop: From ~$310M to ~$100M
  • Multiple tokens: Down over 99%

Even with a patched contract, the reputational damage was massive. Trust in both Cetus and the Sui ecosystem took a hit—similar to what Solana experienced after the Mango Markets hack.


Recovery and Compensation Plan

Here’s what Cetus and Sui are doing to fix the damage:

✅ May 29: Community Governance Vote

  • $162M in frozen assets approved for transfer to a multisig wallet.
  • Managed by Cetus, OtterSec, and the Sui Foundation.

✅ May 31: Protocol Upgrade

  • Multisig wallet created and frozen funds moved.
  • Smart contracts patched.

✅ What’s Next?

  • CLMM contract upgrades completed and sent for audit.
  • Historical pool data restored to calculate losses.
  • Compensation contract in development for LPs.
  • Protocol relaunch scheduled for early June.

Why This Matters for All of DeFi

This wasn’t just a Sui problem. The Cetus hack revealed some harsh truths for the entire DeFi space:

⚠️ 1. Audits Aren’t Enough

Audits are snapshots, not silver bullets. Real-time monitoring and code agility matter more when attackers are always innovating.

⚠️ 2. Open-Source Libraries Can Be Dangerous

Reusing libraries speeds up development—but also inherits vulnerabilities. Teams must vet each dependency carefully.

⚠️ 3. DEX Design Must Evolve

Pooled liquidity and price curves can be manipulated. More dynamic models and automated circuit breakers may be needed going forward.

⚠️ 4. Validator Intervention Is a Slippery Slope

Freezing funds required centralized action in a decentralized system. The trade-off between security and censorship resistance is now an open debate.


Did You Know?

  • More than half of the value stolen in crypto hacks in 2022 came from bridge exploits, making crosschain security a weak point.
  • Mango Markets’ $114M hack in 2022 was similar, using price manipulation to extract value.
  • Poly Network’s $600M hack was “returned” by the attacker—sparking debate on white-hat ethics.

Final Thoughts: Cetus May Recover—But DeFi Can’t Ignore the Warning

The Cetus exploit is a brutal reminder that fast growth often outruns security. While the response from the Sui community has been commendable, the deeper takeaway is clear:

DeFi must mature—not just in product, but in protection.

Whether you’re an LP, developer, or just a curious investor, it’s crucial to understand the risks behind the protocols you use. Decentralization brings power—but also personal responsibility.


FAQs

Q: Will users get their funds back?
A: Most of the frozen assets will be returned to LPs through a compensation contract. Any unrecoverable losses will be covered by Cetus.

Q: Was the attacker identified?
A: No official identity yet, though wallet traces show movement through Ethereum. Investigations are ongoing.

Q: Is it safe to use Cetus now?
A: Not yet. Full functionality is expected to resume after contract audits and protocol relaunch in June 2025.
