Cetus DEX Hacked for $260M, Sui Token Price Drops 15%

Coin World, Thursday, Jun 5, 2025 11:26 am ET

On May 22, 2025, Cetus Protocol, the primary decentralized exchange (DEX) on the Sui blockchain, experienced a significant security breach, resulting in the theft of approximately $260 million in digital assets. This incident marked one of the largest decentralized finance (DeFi) breaches in cryptocurrency history, causing a notable impact on the Sui community. The Sui (SUI) token price dropped by about 15% to $3.81 by May 29, reflecting the market's reaction to the exploit.

The Cetus DEX facilitates efficient token trading and liquidity provision within the Sui ecosystem. The platform's rapid growth made it an attractive target for attackers. The exploit was made possible by a previously undetected error in the Cetus DEX code, a flaw in its internal pricing system that allowed the attacker to bypass safeguards and drain liquidity pools.

The attack involved a series of calculated steps, including the use of a flash loan to access immediate funds without collateral, the insertion of fraudulent tokens into various Cetus liquidity pools, and the distortion of the price curve to create artificial price advantages for legitimate assets. The attacker then drained 46 liquidity pairs, exchanging worthless tokens for valuable assets at manipulated, favorable rates. A fraction of the stolen assets, about $60 million in USDC, was transferred to the Ethereum network, where the attacker converted them into 21,938 Ether (ETH) at an average price of $2,658 per ETH.

The coordinated exploit on Cetus DEX unfolded over eight hours, triggering emergency shutdowns, contract freezes, and a validator-led response to block the attacker’s addresses. The Cetus team identified the attack source and notified Sui ecosystem members within minutes of detecting irregular activity. Core CLMM pools were shut down to stop further losses, and all related smart contracts were disabled across the system. Sui validators began voting to block transactions from the attacker’s addresses, effectively freezing these addresses once votes exceeded 33% of the stake.

Despite multiple smart contract audits and security reviews, attackers were still able to find the flaw in Cetus and exploit it. The vulnerability lay in a math library and a flawed pricing mechanism, issues that slipped past several audits. Cetus admitted that past successes and the widespread adoption of audited libraries had created a false sense of security and lowered its vigilance. The incident underscores a broader industry problem with audits: though essential, they are not foolproof.
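The article describes two observable symptoms of the exploit: swaps that paid out valuable assets at rates the pool's pricing should never have allowed, and 46 liquidity pairs drained within hours, with the team reacting once it detected irregular activity. The following is an added example of off-chain runtime monitoring for those two patterns; it is not Cetus Protocol code and the article does not describe the real pool math, so a constant-product (x*y=k) curve is assumed as a stand-in reference price, and the swap events, pool names and reserve figures are constructed.

```python
"""Runtime monitoring heuristics for an AMM pool.

Added example with constructed events, not Cetus Protocol code. It flags two
patterns described in the article: swaps that pay out far more than the pool's
pricing curve implies, and liquidity reserves that drain rapidly.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SwapEvent:
    ts: int                   # event time in seconds
    pool: str                 # constructed pool label
    amount_in: float          # input token paid by the trader
    amount_out: float         # output token received by the trader
    reserve_in_after: float   # pool reserve of the input token after the swap
    reserve_out_after: float  # pool reserve of the output token after the swap


def constant_product_quote(amount_in: float, reserve_in: float,
                           reserve_out: float, fee: float = 0.003) -> float:
    """Reference output under x*y=k pricing with a 0.3% fee.

    Assumption: a constant-product curve stands in for the real pool math,
    which the article does not describe; the check only needs an independent
    reference price to compare executed swaps against.
    """
    effective_in = amount_in * (1.0 - fee)
    return effective_in * reserve_out / (reserve_in + effective_in)


def rate_anomalies(events: List[SwapEvent], tolerance: float = 0.05) -> List[str]:
    """Flag swaps whose payout exceeds the reference quote by more than tolerance."""
    alerts = []
    for e in events:
        # Reconstruct the pre-swap reserves from the post-swap state.
        reserve_in_before = e.reserve_in_after - e.amount_in
        reserve_out_before = e.reserve_out_after + e.amount_out
        if reserve_in_before <= 0 or reserve_out_before <= 0:
            alerts.append(f"{e.pool}@{e.ts}: inconsistent reserves in event")
            continue
        expected = constant_product_quote(e.amount_in, reserve_in_before, reserve_out_before)
        if e.amount_out > expected * (1.0 + tolerance):
            alerts.append(
                f"{e.pool}@{e.ts}: paid out {e.amount_out:.2f}, curve implies {expected:.2f}"
            )
    return alerts


def drawdown_anomalies(events: List[SwapEvent], window: int = 3600,
                       max_drawdown: float = 0.30) -> List[str]:
    """Flag a pool whose output-token reserve falls by more than max_drawdown
    (as a fraction of the peak seen inside the trailing window) within window seconds."""
    history: Dict[str, List[Tuple[int, float]]] = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        points = history[e.pool]
        points.append((e.ts, e.reserve_out_after + e.amount_out))  # pre-swap reserve
        while points and points[0][0] < e.ts - window:            # drop stale points
            points.pop(0)
        peak = max(reserve for _, reserve in points)
        if peak <= 0:
            continue
        drawdown = (peak - e.reserve_out_after) / peak
        if drawdown > max_drawdown:
            alerts.append(f"{e.pool}@{e.ts}: reserve down {drawdown:.0%} within {window}s")
    return alerts


# Constructed sample events: two pools trading normally, then one swap in the
# SUI/USDC pool that takes 600,000 units of output for a negligible input.
SAMPLE_EVENTS = [
    SwapEvent(0,    "SUI/USDC", 1_000, 995,     1_001_000, 999_005),
    SwapEvent(100,  "ETH/USDC", 10,    9.9,     5_010,     4_990.1),
    SwapEvent(600,  "SUI/USDC", 2_000, 1_985,   1_003_000, 997_020),
    SwapEvent(1200, "SUI/USDC", 1,     600_000, 1_003_001, 397_020),
]


if __name__ == "__main__":
    for line in rate_anomalies(SAMPLE_EVENTS) + drawdown_anomalies(SAMPLE_EVENTS):
        print(line)
```

Both checks fire only on the last constructed event. The rate check catches a single mispriced swap the moment it lands, which is what a bug in the pool's own math produces; the drawdown check is independent of any pricing model, so it still alerts when the reference curve itself is the thing that is wrong. Either alert is the trigger for the kind of pool pause and contract freeze the article describes.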

After the hack, the Cetus team suspended its smart contract operations to prevent further losses. Subsequently, the Sui community quickly launched a structured recovery and compensation strategy. On May 29, Sui validators approved a governance vote to transfer $162 million in frozen assets to a Cetus-managed multisig wallet, starting the process of reimbursing affected users. The frozen funds will be held in trust until they can be returned to users. The governance vote had 90.9% voting in favor, 1.5% abstaining, and 7.2% not participating.

On May 30, Cetus DEX posted its recovery roadmap, which included a protocol upgrade, CLMM contract upgrade, data restoration, asset conversions and deposits, compensation contract development, peripheral product upgrades, and a full protocol restart. Cetus plans to restart the protocol within a week, allowing affected liquidity providers to access recovered funds, with any remaining losses covered through the compensation system.

The Cetus DEX exploit exposed critical vulnerabilities that go beyond a single protocol, offering valuable insights for the broader DeFi community. As decentralized platforms continue to grow in complexity and scale, this incident highlights key areas where the ecosystem must evolve to better safeguard user funds and maintain trust. The risks of open-source dependencies, the need for layered security, the debate between decentralization and safety, and the call for proactive security measures are all crucial lessons learned from this exploit.