This article will be updated with new developments.
On May 22, Cetus Protocol, the largest decentralized exchange on the SUI blockchain, suffered an exploit that resulted in over $260 million being drained from its liquidity pools. The team responded by pausing all smart contract operations and initiating an internal investigation. Trading on the platform has been suspended as the investigation continues.
According to the official statement from Cetus, the team detected an anomaly and paused the contracts as a precautionary measure. SUI, the network supporting Cetus, confirmed the incident and stated it is assisting in the ongoing investigation.
Major updates to this article:
• May 22, 15:20 UTC: New Cetus Protocol statement
• May 23, 15:00 UTC: Information about bounty
• May 23, 22:00 UTC: Proposal for Community Vote
• May 25: Major update from Cetus team – we’ve covered it here.
• May 26: Cetus released full incident report – we’ve covered it here.
Table of Contents
Technical Details
Initial reports suggested the issue was related to a bug in Cetus’ oracle system. The attacker reportedly exploited the pricing mechanism by using spoof tokens to manipulate liquidity pool values. This allowed the attacker to withdraw large amounts of real assets – primarily SUI and USDC – while supplying tokens with no actual value.
Blockchain analytics firm LookOnChain identified wallet activity consistent with a coordinated exploit. The attacker is believed to have converted significant portions of the stolen funds into USDC and bridged them to Ethereum, where they are being exchanged for ETH. Approximately $60 million in USDC had been moved across chains at the time of reporting.
Protocol Response and Recovery Efforts
Following initial assessments, Cetus Protocol released a new statement confirming that approximately $223 million in assets were stolen during the exploit. The team reported taking immediate action to lock the affected smart contract, halting further losses. Of the compromised funds, $162 million has since been successfully paused, meaning these assets are currently frozen and cannot be moved by the attacker.
Cetus is now collaborating with the Sui Foundation and other ecosystem partners to explore recovery options for the remaining funds. According to the update, the majority of the stolen assets are under control, and efforts are ongoing to recover the remainder. A full incident report was released on May 26.
Ongoing Investigation and Recovery Efforts
Cetus Protocol has provided a further update outlining its recent actions following the $223 million exploit. In addition to locking the affected smart contract and pausing $162 million of compromised funds, the team has coordinated with the broader SUI ecosystem, including the Sui Foundation and third-party security experts, to trace stolen assets and identify the attacker.
According to the statement, Cetus has now identified the Ethereum wallet address connected to the incident and has extended a whitehat settlement offer to the hacker. This includes terms for the safe return of the remaining funds in exchange for immunity from legal action. The offer is time-sensitive and has been communicated both on-chain and through public channels.
The team confirmed that the root cause of the exploit has been identified and addressed. A fix has already been implemented and shared with other ecosystem developers to prevent similar incidents. Cetus has also engaged with cybercrime professionals and law enforcement agencies to support ongoing fund tracing and recovery efforts.
Bounty Announced for Information Leading to Hacker’s Identification
Cetus Protocol has later issued a new update stating that it has not received any response from the attacker following its earlier whitehat settlement offer. As a result, the team – supported by Inca Digital and financially backed by the Sui Foundation – has announced a $5 million bounty for information that leads to the successful identification and arrest of those responsible for the exploit.
Cetus reiterated that should the attacker accept the previously extended settlement offer and return the remaining funds, no legal action will be pursued, and the bounty initiative would be withdrawn. The primary focus remains on securing the return of user assets and achieving a resolution to the incident.
Proposal for Community Vote on Recovery of Frozen Funds
Cetus Protocol has shared a new development in its ongoing response to the recent $223 million exploit. While efforts continue to recover the $60 million in stolen assets currently in motion – led by Inca Digital, cybersecurity firms, and international law enforcement – the team has proposed a potential solution for the $162 million that remains frozen.
Cetus is asking the SUI community to consider a protocol upgrade that would enable the return of the frozen funds to affected users. This decision, the team emphasized, cannot be made unilaterally. Instead, they are proposing an on-chain governance vote that would involve validators, major network participants, and SUI stakers.
The outcome of the vote would determine whether or not the upgrade is implemented. Cetus has stated its commitment to respecting the community’s decision and will collaborate with Sui validators and the Sui Foundation to work out the technical and procedural details for the proposed vote.
Impact on Markets
The immediate impact of the exploit was a steep drop in token prices associated with the Cetus Protocol and the broader SUI ecosystem. The CETUS token fell from $0.25 to $0.18, briefly dipping to $0.15. Other ecosystem tokens saw declines of up to 90%. DEX trading activity across SUI was severely disrupted, with many liquidity pools fully drained and swaps failing due to insufficient reserves.
Despite the exploit, the SUI token itself remained relatively stable on centralized exchanges. It fell briefly to $3.80 but recovered quickly. This occurred while broader crypto markets were performing strongly, with Bitcoin reaching a new all-time high.
Community and Industry Response
Cetus issued a public message thanking users for their patience and confirmed that no further activity would resume until the investigation is complete. Binance founder Changpeng Zhao (CZ) stated that he reached out to offer help and that multiple security teams are reviewing the incident. According to CZ, the Cetus team has been responsive and is cooperating with external efforts.
More developments: Cetus Releases Full Incident Report After The Exploit
