Cetus Protocol, a decentralized exchange and liquidity provider on the blockchain, experienced a significant security breach on May 22. The exploit resulted in an estimated $260 million in funds being stolen, causing immediate disruption in decentralized finance (DeFi) activity across the Sui ecosystem. The breach targeted a vulnerability in the smart contract system behind Cetus’s pricing mechanism, specifically the protocol’s design responsible for feeding real-time price data into the platform. The attacker used spoof tokens to manipulate pricing curves and distort reserve balances, making valuable assets appear undercollateralized and allowing the attacker to extract real tokens from the pools without contributing proportional value.
The root of the Cetus breach was a structural flaw in how the protocol managed pricing and pool logic. Cetus used an internal oracle system that depended on concentrated liquidity pool data to generate real-time price feeds. However, this mechanism introduced new risks, particularly in the “addLiquidity,” “removeLiquidity,” and “swap” functions within the smart contracts. These functions failed to properly validate inputs when interacting with assets that held little or no economic value, allowing the attacker to introduce spoof tokens and distort the automated calculations governing how much value could be added or removed.
Cetus moved quickly to contain the damage once the exploit was identified. Smart contract operations were paused around 4:00 AM PT on May 22 to prevent further outflows from the protocol. A public statement followed shortly after, acknowledging the incident and pledging a full investigation. The Sui Foundation, in coordination with validators and key partners, blacklisted the attacker’s addresses and froze approximately $162 million worth of stolen assets on the Sui network. Efforts to recover the remaining funds, estimated between $60 million and $98 million, have encountered challenges, with roughly $60 million to $63 million in USDC bridged out of Sui and converted into 21,938 ETH shortly after the exploit.
To encourage the return of the funds, Cetus has extended a $6 million white-hat bounty offer. The proposal targeted the converted ETH and included a firm condition: any attempt to launder or off-ramp the assets would void the offer. No response from the attacker has been made public as of now. Tracing efforts have involved multiple cybersecurity firms and regulatory bodies, with Inca Digital leading the negotiation process and forensic support from Hacken and PeckShield. The Sui Foundation has also coordinated with agencies to explore additional recovery and legal options.
Cetus has released a community update, disclosing that the affected funds consist of two parts: part of it is within Sui, while the other part is mainly bridged to the ecosystem in the form of ETH. The data recovery work of the Cetus protocol is actively in progress and is expected to take several hours. The aggregator service has resumed online operation, supporting exchanges through partners. It has been confirmed that the Cetus CLMM pool unaffected in this incident will resume operation once accurate holding data is fully restored. Cetus is actively engaging with the Sui Foundation and other community members to finalize key details of the recovery. Progress is being made on two fronts simultaneously: resolving the issue as soon as possible through white-hat negotiations and actively collecting clues and evidence to pursue fund recovery through legal channels. Cetus is simulating different recovery scenarios and designing technically feasible fund recovery and compensation plans. A protocol upgrade through PoS voting has been proposed to unlock and return most of the stolen funds currently frozen in the attacker's Sui wallet.
