Sui Drops 5.77% After $223M Cetus Protocol Exploit

Sui's latest price was $3.63, down 5.774% in the last 24 hours. The cryptocurrency Sui has recently been in the spotlight due to a significant security breach involving its decentralized exchange, Cetus Protocol. On May 22, an attacker exploited a flaw in Cetus' pricing mechanism, resulting in the extraction of $223 million in tokens. This exploit was made possible by a vulnerability in the smart contracts, which allowed the attacker to manipulate the system and drain funds. In response to the incident, Cetus immediately paused all smart-contract activity and coordinated with cybersecurity firm Inca Digital to offer a $5 million reward for information leading to the arrest of the attacker. The reward is funded by the Sui Foundation and is contingent on the tip proving decisive. Informants are required to email the perpetrator’s name, location, and supporting proof with the subject “Cetus lead.” The DEX also stated that it would withdraw any civil action and cancel the bounty should the exploiter return the assets and accept the earlier settlement proposal.
The offer comes amid centralization concerns regarding Sui following the freezing of $162 million by many of its 114 validators. Hours before the public bounty, Cetus used an on-chain transaction to deliver a separate proposal to the attacker on Sui and Ethereum blockchains. That note offered a $6 million retention fee, equivalent to 2,324 ETH, in exchange for the return of 20,920 ETH and all frozen amounts on Sui. The team said it had mapped the exploiter’s Ethereum wallets and was coordinating with US federal authorities, the Seychelles Police Force, selected defense-sector partners, major exchanges, and bridge operators. The ultimatum warned that any attempt to launder funds would trigger a global law-enforcement escalation.
According to its block explorer, Sui hosts 114 active validators. On May 22, Sui stated that a broad plurality agreed to reject any transaction originating from the attacker’s wallets shortly after the breach. The collective freeze prevented the remaining $162 million transfer and locked the tokens on-chain. Gautham Santhosh, co-founder of Polynomialfi, wrote on X that the crypto community is now weighing the benefit of rapid asset protection against the implication that validators can suspend specific accounts at will. Although he highlighted that the process demanded consensus and was not arbitrary, the episode has changed the security assumptions regarding layer-1 blockchains.
Sui’s largest decentralized exchange, Cetus, was exploited on May 22 for over $220 million — the most severe DeFi incident in the network’s short history. It raised difficult questions about validator power, decentralization and reactive governance. The attacker exploited faulty math in Cetus’ smart contracts by using spoofed tokens and miscalculated liquidity ratios. By injecting near-zero value assets into pools and then withdrawing large amounts of real tokens like SUI and USDC, the exploiter drained about $223 million before the protocol was paused. As Mysten Labs co-founder Adeniyi Abiodun clarified in an X space, “it’s not a bug in Sui consensus, it’s not a bug in Move,” thus isolating the issue to Cetus’ application logic.
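The paragraph above describes the failure mode only in outline: liquidity-share accounting that gets a ratio wrong, so that near-worthless assets pushed into a pool can be redeemed for real tokens. The following simplified Python model is an added illustration of that general pattern and is not Cetus' code, not the specific flaw Verichains or Mysten Labs described, and not any Sui project code. The pool numbers, the `max`-instead-of-`min` share calculation in `lp_shares_flawed`, and the `mint_invariant` post-condition are all constructed assumptions for this example; the point is the defender-side check, a cross-multiplied integer assertion that newly minted shares never exceed the depositor's proportional contribution on either side of the pool.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Pool:
    """Toy two-token pool (constructed for this example, not Cetus' model)."""
    reserve_a: int   # units of the real token held by the pool
    reserve_b: int   # units of the second token; below it is attacker-minted and worthless
    total_lp: int    # liquidity shares outstanding


def _proportional_shares(pool: Pool, amount_a: int, amount_b: int) -> Tuple[int, int]:
    """Shares each side of the deposit would justify on its own."""
    share_a = amount_a * pool.total_lp // pool.reserve_a
    share_b = amount_b * pool.total_lp // pool.reserve_b
    return share_a, share_b


def lp_shares_flawed(pool: Pool, amount_a: int, amount_b: int) -> int:
    """Hypothetical flawed accounting: credits the LARGER of the two proportional
    contributions, so flooding one side with a worthless token inflates the share."""
    return max(_proportional_shares(pool, amount_a, amount_b))


def lp_shares_correct(pool: Pool, amount_a: int, amount_b: int) -> int:
    """Standard accounting: a depositor is credited only for the SMALLER
    proportional contribution, so both sides must be funded in ratio."""
    return min(_proportional_shares(pool, amount_a, amount_b))


def mint_invariant(pool: Pool, amount_a: int, amount_b: int, minted: int) -> bool:
    """Post-condition a reviewer, test suite or on-chain assertion can enforce:
    minted shares must not exceed the depositor's proportional contribution on
    EITHER side. Cross-multiplied so it stays in exact integer arithmetic."""
    return (minted * pool.reserve_a <= amount_a * pool.total_lp
            and minted * pool.reserve_b <= amount_b * pool.total_lp)


def add_liquidity(pool: Pool, amount_a: int, amount_b: int, minted: int) -> Pool:
    """Apply a deposit and the shares it was credited with."""
    return Pool(pool.reserve_a + amount_a, pool.reserve_b + amount_b, pool.total_lp + minted)


def remove_liquidity(pool: Pool, shares: int) -> Tuple[Pool, int, int]:
    """Pro-rata redemption of shares against both reserves."""
    out_a = pool.reserve_a * shares // pool.total_lp
    out_b = pool.reserve_b * shares // pool.total_lp
    new_pool = Pool(pool.reserve_a - out_a, pool.reserve_b - out_b, pool.total_lp - shares)
    return new_pool, out_a, out_b


def simulate_round_trip(mint_fn: Callable[[Pool, int, int], int]) -> Dict[str, object]:
    """Deposit dust of the real token plus a flood of the worthless one, then
    redeem immediately. Reports the real-token profit and whether the invariant
    would have flagged the mint before any funds moved."""
    pool = Pool(reserve_a=1_000_000, reserve_b=1_000_000, total_lp=1_000_000)  # constructed state
    dust_a, flood_b = 1, 9_000_000                                              # constructed deposit
    minted = mint_fn(pool, dust_a, flood_b)
    flagged = not mint_invariant(pool, dust_a, flood_b, minted)
    pool = add_liquidity(pool, dust_a, flood_b, minted)
    _, out_a, _ = remove_liquidity(pool, minted)
    return {"minted": minted, "real_token_profit": out_a - dust_a, "invariant_flagged": flagged}


if __name__ == "__main__":
    print("flawed :", simulate_round_trip(lp_shares_flawed))
    print("correct:", simulate_round_trip(lp_shares_correct))
```

With the flawed accounting the round trip mints 9,000,000 shares and withdraws 899,999 units of the real token for a deposit of 1, and `mint_invariant` returns false before the deposit is applied; with the correct accounting the same deposit mints a single share and returns exactly what was put in. The invariant is cheap enough to keep as a permanent assertion in the mint path rather than only in tests, which is the kind of guard that also protects against a shared library's arithmetic being wrong in ways the application author did not anticipate.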
But the response drew nearly as much attention as the attack itself. In coordination with the Sui Foundation, validators quickly updated a configuration file in the code powering the network, tailored to reject transactions from the attacker’s wallet. This off-chain coordination didn’t require a vote or protocol-level upgrade, but has resulted in $160 million in stolen assets being frozen. A brief GitHub pull request from Mysten Labs proposed going a step further: adding an “allow list” feature to execute a pre-chosen “recovery” transaction that would bypass signature checks. The PR was withdrawn within hours after community backlash, and validators have so far limited their action to censorship, not confiscation.
Still, the episode has reopened a fundamental debate about decentralization: Should a blockchain’s validators ever freeze or seize funds, even in cases of clear theft? Critics argue that such ad hoc measures threaten Sui’s credibility as a decentralized base layer. “Taking a heavily opinionated stance to censor due to a third-party app exploit is a slippery slope,” warned Blockworks Advisory’s David Rodriguez. Others pointed out the danger of setting a precedent that could be abused in future incidents — or compelled by regulators. Without on-chain checks or governance processes, any validator coordination hinges entirely on informal consensus and the economic gravity of Sui Foundation signals. After all, validators require a 30 million SUI bond, so strong suggestions from on high might well be the same as “a $114m gun pointing at their heads.”
The incident also exposed broader risk beyond Cetus. According to security firm Verichains, three other major Sui protocols — Kriya, FlowX and Turbo Finance — were previously vulnerable to the same math flaw exploited in the latest attack. While Kriya and FlowX patched their contracts, Verichains warned that Turbo Finance still contains the vulnerable code, albeit not actively in use. “Dead code is not safe code,” Verichains mused. Verichains’ findings reinforce the idea that while Move-based smart contracts and the Move VM offer stronger technical primitives, in practice security still depends on shared libraries, developer diligence and tooling maturity. Looking ahead, several developers and researchers have called for a formal, transparent policy on validator powers and emergency responses. Aave governance lead Marc Zeller expressed the view that the centralized powers on display would make DeFi protocols wary, writing “[you] can be sure Aave will never deploy on Sui.” Sui may have preserved some value this time (the hacker still exfiltrated some $60 million), but its long-term reputation will depend on whether it can set clear limits — and build credible neutrality — into the system itself.
