Cetus Releases Full Incident Report After The Exploit


Cetus Protocol has published its full incident report following the May 22 exploit that targeted its CLMM (concentrated liquidity market maker) pools and resulted in approximately $223 million in losses. The report provides a comprehensive account of the attack timeline, technical root cause, status of the stolen funds, and next steps for recovery and restoration.

Timeline and Response

According to the report, the exploit began at 10:30 UTC and was detected within ten minutes by internal monitoring systems. The team quickly escalated the situation to Sui ecosystem partners and disabled core CLMM pools by 10:57 UTC. By 11:20 UTC, all affected smart contracts were paused. Sui validators coordinated to freeze the attacker’s wallets at approximately 12:50 UTC. An official on-chain message was sent to the attacker later that evening.


Technical Root Cause

The report identifies the root cause of the exploit as a vulnerability in the open-source library used by the CLMM contract. Specifically, a flaw in the overflow checks allowed the attacker to inject exaggerated liquidity values with minimal token input. This made it possible to drain assets across multiple remove operations.

The attacker used a series of flash swaps to manipulate pool pricing and bypass safeguards. Cetus clarified that a previously mentioned issue flagged in past audits was unrelated to this exploit.
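The report names the flaw only as a defect in the library's overflow checks that let a tiny deposit pass for a huge liquidity value. The following is an added illustration of that class of defect and is not Cetus's code, formula, or library: it models a hypothetical helper that converts a requested liquidity into the token amount a depositor must supply, once with wrapping arithmetic (where an overflowed intermediate product makes the required amount collapse to almost nothing) and once with checked arithmetic that refuses the computation outright. The Q64.64 fixed-point scale, the function names, and the sample values are assumptions made for the example.

```rust
/// Constructed example: fixed-point scale for prices, assumed Q64.64.
const Q64: u128 = 1u128 << 64;

/// Hypothetical helper: token amount a depositor must provide for `liquidity`
/// over a price range of width `price_delta_q64`. This version uses wrapping
/// multiplication, so when the product exceeds u128 the result silently
/// wraps and an enormous liquidity can appear to cost almost no tokens.
/// It models the class of defect the report describes, not the real code.
pub fn amount_required_unchecked(liquidity: u128, price_delta_q64: u128) -> u128 {
    liquidity.wrapping_mul(price_delta_q64) / Q64
}

/// Same computation with checked multiplication: an overflowed product is
/// reported as `None` instead of being turned into a bogus small number.
pub fn amount_required_checked(liquidity: u128, price_delta_q64: u128) -> Option<u128> {
    liquidity.checked_mul(price_delta_q64).map(|product| product / Q64)
}

/// Defensive guard a contract would apply before crediting a position:
/// the deposit is rejected if the math overflows or the supplied amount
/// is below what the requested liquidity actually costs.
pub fn validate_deposit(
    liquidity: u128,
    price_delta_q64: u128,
    amount_supplied: u128,
) -> Result<u128, &'static str> {
    match amount_required_checked(liquidity, price_delta_q64) {
        None => Err("liquidity computation overflowed"),
        Some(required) if amount_supplied < required => Err("insufficient token amount"),
        Some(required) => Ok(required),
    }
}

fn main() {
    // Constructed inputs: a realistic request and an exaggerated one.
    let realistic_liq = 1_000_000u128;
    let delta = 1u128 << 63; // half a unit of price in Q64.64
    println!(
        "realistic: unchecked={} checked={:?}",
        amount_required_unchecked(realistic_liq, delta),
        amount_required_checked(realistic_liq, delta)
    );

    let huge_liq = (1u128 << 100) + 1;
    let small_delta = 1u128 << 30;
    println!(
        "exaggerated: unchecked={} checked={:?}",
        amount_required_unchecked(huge_liq, small_delta),
        amount_required_checked(huge_liq, small_delta)
    );
    println!("guard: {:?}", validate_deposit(huge_liq, small_delta, 1));
}
```

For the realistic request both versions agree. For the exaggerated one the product 2^130 + 2^30 wraps to 2^30 in the unchecked path, so the required deposit comes out as zero tokens for an astronomically large liquidity, which is exactly the shape of outcome the report describes; the checked path returns `None` and the guard rejects the deposit.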

Fund Status and Frozen Assets

Two Sui wallet addresses linked to the attacker were frozen with the help of validators. These contain the bulk of the stolen funds – approximately $162 million. The remaining funds were converted to ETH and moved to two Ethereum wallets.

Efforts to recover the off-chain assets are ongoing, including legal investigations and outreach to the attacker. A whitehat settlement offer remains open, with the goal of reclaiming user funds without legal escalation.

Security Plans and Protocol Recovery

Cetus is now undergoing a thorough re-audit of the patched smart contracts, working with the Sui security team and third-party auditors. A phased reactivation of CLMM pools will only occur after the reviews are complete. The team has also committed to more frequent audits tied to TVL milestones and improved real-time monitoring.

Restoration of liquidity and compensation for liquidity providers is also in progress. A protocol upgrade proposal requiring a network-wide vote has been introduced to allow users to reclaim frozen funds. Validators and SUI stakers will have the final say on whether to proceed.

Looking Forward

Cetus outlined a number of measures aimed at strengthening future protocol security, including expanded bug bounty programs, enhanced risk controls, and public code coverage reporting. The team acknowledged that prior audits created a false sense of security and emphasized the need for ecosystem-wide collaboration to build more resilient infrastructure.

In addition to technical and governance initiatives, Cetus will host a public Twitter Space later this week. The session will cover ongoing recovery efforts and plans for returning funds, and will give the community an opportunity to ask questions directly. The exact time of the event is expected to be announced shortly.


Kate Taylor