Cointelegraph Bitcoin & Ethereum Blockchain News

By byrn


When liquidity attracts attackers: What went wrong on Cetus?

On May 22, 2025, Cetus Protocol, the primary decentralized exchange (DEX) on the Sui blockchain, suffered a major hack, marking one of the largest decentralized finance (DeFi) breaches in cryptocurrency history. 

An attacker exploited a flaw in Cetus’ pricing and liquidity math, stealing approximately $260 million in digital assets. The fallout reached the wider Sui community: the Sui (SUI) token fell by about 15% to $3.81 by May 29.

The Cetus DEX facilitates token trading and liquidity provision within the Sui ecosystem, and its rapid growth made it a prime target for attackers. According to DefiLlama, monthly trade volume on Cetus grew from $182.47 million in October 2023 to $7.152 billion in January 2025.

Trade volume on the Cetus DEX

A previously undetected error in the Cetus DEX code allowed the exploit, enabling the theft of hundreds of millions of dollars. The event highlights how hard it remains to secure a rapidly expanding DeFi ecosystem, even when safety is made a priority.

Did you know? DEX hacks can crash entire ecosystems. When Mango Markets was exploited for $114 million in 2022, its governance token plummeted by over 50%, and confidence in Solana’s DeFi ecosystem was shaken for weeks.

How Cetus DEX was exploited: A step-by-step breakdown

Cetus fell victim to a calculated attack that combined a flash loan, price manipulation, spoof token injections and crosschain laundering. 

Below is a step-by-step breakdown of how the attacker bypassed the safeguards and drained liquidity pools through a flaw in Cetus’ internal pricing system:

  • Flash loan: The attacker, using wallet address 0xe28b50, took out a flash loan to access immediate funds without collateral, enabling swift transaction execution.
  • Insertion of fraudulent tokens: Fake tokens, such as BULLA, which lack genuine liquidity, were introduced into various Cetus liquidity pools, disrupting the price feed mechanism for token swaps.
  • Price curve distortion: These counterfeit tokens misled the internal pricing system, skewing reserve calculations and creating artificial price advantages for legitimate assets like SUI and USDC (USDC).
  • Liquidity pool exploitation: By exploiting the pricing vulnerability, the attacker drained 46 liquidity pairs, exchanging worthless tokens for valuable assets at manipulated, favorable rates.
  • Crosschain fund transfer: A fraction of the stolen assets, about $60 million in USDC, was transferred to the Ethereum network, where the attacker converted them into 21,938 Ether (ETH) at an average price of $2,658 per ETH.
  • Market consequences: The attack triggered a sharp decline in token prices across the Sui ecosystem. CETUS dropped over 40%, and some smaller tokens fell by up to 99%. The protocol’s total value locked (TVL) had fallen by $210 million by May 29, a measure of how much capital left the DEX in the aftermath.

The figure below maps each attacker action to the contract reaction it triggered, ending in the siphoning of funds:

Cetus DEX attacker actions and contract reactions

Timeline of the Cetus DEX exploit

A coordinated exploit on Cetus DEX unfolded over eight hours, triggering emergency shutdowns, contract freezes and a validator-led response to block the attacker’s addresses.

Here is the timeline of the Cetus DEX exploit and the response to it:

  • 10:30:50 UTC: The exploit starts with unusual transactions.
  • 10:40:00 UTC: Monitoring systems detect irregular activity in liquidity pools.
  • 10:53:00 UTC: The Cetus team identifies the attack source and notifies Sui ecosystem members.
  • 10:57:47 UTC: Core CLMM pools are shut down to stop further losses.
  • 11:20:00 UTC: All related smart contracts are disabled across the system.
  • 12:50:00 UTC: Sui validators begin voting to refuse transactions from the attacker’s addresses. Once validators holding more than one-third of the stake refuse to process them, the attacker’s transactions can no longer reach the two-thirds quorum the network needs, so the addresses are effectively frozen.
  • 18:04:07 UTC: An onchain message is sent to the attacker, opening negotiations.
  • 18:15:28 UTC: The vulnerable contract is updated and fixed, though not yet reactivated.

Why audits failed to prevent the Cetus DEX exploit

Despite multiple smart contract audits and security reviews, the attacker was still able to find the flaw in Cetus and exploit it. The vulnerability lay in a math library and a flawed pricing mechanism, issues that slipped past several audits.

In its post-mortem, Cetus admitted that it had grown complacent: past successes and the widespread adoption of audited libraries had created a false sense of security. The incident underscores a broader industry problem with audits, which, though essential, are not foolproof. 

According to BlockSec’s chief commercial officer, active as Orlando on X, the crypto industry spent over $1 billion on security audits in 2023, yet more than $2 billion was still stolen through various hacks and exploits. Audits can detect known risk patterns but often fail to anticipate novel, creative attack vectors. The Cetus hack serves as a reminder that ongoing monitoring, code reviews and layered security practices are crucial, even for well-audited protocols.
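The math-library flaw behind the step-by-step breakdown above and the audit failure discussed in this section belongs to a well-known bug class: an overflow check on a fixed-point left shift that lets some overflowing values through, so a position that should cost an enormous amount of tokens is priced at almost nothing. The Python below is an added illustration written for this page, not Cetus’ or its library’s code. It reconstructs the pattern with u256 emulated by Python integers, puts the flawed check beside a corrected one, and feeds both into a simplified concentrated-liquidity amount formula. The `get_delta_a` shape, the Q64.64 sqrt prices and the liquidity value in `demo()` are constructed for illustration and are not the values used in the real attack.

```python
# Added illustration of the bug class behind the Cetus exploit: a left-shift
# overflow check in a fixed-point math helper that misses part of the
# overflowing range. Reconstruction of the pattern only, not Cetus's or its
# library's actual code. u256 is emulated with Python ints.

U256_MASK = (1 << 256) - 1
U64_MAX = (1 << 64) - 1


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Flawed check. The mask is 0xffff...ffff << 192, i.e. 2^256 - 2^192, and
    only inputs strictly above it are flagged. Anything in
    [2^192, 2^256 - 2^192] still loses its top 64 bits when shifted by 64,
    but is reported as a clean result."""
    mask = U64_MAX << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MASK, False   # silent truncation happens here


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct check: a 64-bit left shift of a u256 overflows exactly when any
    bit at position 192 or higher is set, i.e. when n >= 2^192."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def compare_checks(n: int) -> tuple[bool, bool]:
    """(buggy_flagged_overflow, fixed_flagged_overflow) for one input."""
    return checked_shlw_buggy(n)[1], checked_shlw_fixed(n)[1]


def get_delta_a(sqrt_price_a: int, sqrt_price_b: int, liquidity: int, checked_shlw) -> int:
    """Token-A amount needed to back `liquidity` over a sqrt-price range, in
    the usual CLMM shape with Q64.64 sqrt prices (constructed simplification,
    not Cetus's exact implementation):
        ceil(liquidity * (sqrt_b - sqrt_a) * 2^64 / (sqrt_a * sqrt_b))
    The shift by 64 is where the overflow check decides the outcome."""
    if sqrt_price_a > sqrt_price_b:
        sqrt_price_a, sqrt_price_b = sqrt_price_b, sqrt_price_a
    numerator = liquidity * (sqrt_price_b - sqrt_price_a)
    shifted, overflow = checked_shlw(numerator)
    if overflow:
        raise OverflowError("liquidity * price delta overflows u256 after shift")
    denominator = sqrt_price_a * sqrt_price_b
    return -(-shifted // denominator)          # ceiling division


def exact_delta_a(sqrt_price_a: int, sqrt_price_b: int, liquidity: int) -> int:
    """Same formula with unbounded integers: what the pool should have charged."""
    if sqrt_price_a > sqrt_price_b:
        sqrt_price_a, sqrt_price_b = sqrt_price_b, sqrt_price_a
    return -(-(liquidity * (sqrt_price_b - sqrt_price_a) << 64) // (sqrt_price_a * sqrt_price_b))


def demo() -> dict:
    """Hypothetical position with constructed numbers: sqrt prices 1.0 and 2.0
    in Q64.64, and a liquidity value chosen so the numerator lands just above
    2^192, inside the range the buggy check misses."""
    sqrt_a, sqrt_b = 1 << 64, 1 << 65
    liquidity = (1 << 128) + 1
    result = {"honest_cost": exact_delta_a(sqrt_a, sqrt_b, liquidity)}
    # Buggy library: the wrapped numerator makes the huge position cost 1 unit.
    result["buggy_cost"] = get_delta_a(sqrt_a, sqrt_b, liquidity, checked_shlw_buggy)
    # Fixed library: the same position is rejected instead of mispriced.
    try:
        get_delta_a(sqrt_a, sqrt_b, liquidity, checked_shlw_fixed)
        result["fixed_outcome"] = "accepted"
    except OverflowError:
        result["fixed_outcome"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the audits missed: the buggy check is not wrong everywhere, only on a band of inputs, so ordinary trading never exercises it. An attacker who can choose the liquidity parameter steers the numerator into that band, pays a near-zero amount for a position the honest formula prices at roughly 2^127 units, and then withdraws real assets against it. Boundary tests at exactly 2^192 and 2^256 - 2^192, which `compare_checks` makes trivial to write, would have caught the discrepancy.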

Did you know? In 2021, the Poly Network hack was one of the biggest DeFi exploits ever, with over $600 million stolen. Surprisingly, the hacker returned most of the funds, claiming it was just for “fun” and to expose security flaws. The event sparked debates on ethics and white hat hacking in DeFi.

Recovery and compensation plan of the Cetus DEX

After the hack, the Cetus team suspended its smart contract operations to prevent further losses. Subsequently, the Sui community quickly launched a structured recovery and compensation strategy. 

On May 29, Sui validators approved a governance vote to transfer $162 million in frozen assets to a Cetus-managed multisig wallet, starting the process of reimbursing affected users. The frozen funds will be held in trust until they can be returned to users. The governance vote had 90.9% voting in favor (yes), 1.5% abstaining (engaged but neutral) and 7.2% not participating (inactive).

On May 30, Cetus DEX posted its recovery roadmap on X:

  1. Protocol upgrade: Sui validators will implement a network upgrade to transfer frozen funds to Cetus’s multisig trust. The multisig is controlled by Cetus, OtterSec and the Sui Foundation as keyholders (executed on May 31).
  2. CLMM contract upgrade: The upgraded CLMM (concentrated liquidity market maker) contract enabling emergency pool recovery has been completed and is currently undergoing an external audit.
  3. Data restoration: Cetus will restore historical pool data and calculate liquidity losses for each affected pool.
  4. Asset conversions and deposits: Due to numerous swaps executed by the attacker during the exploit, many recovered assets have deviated from their original forms. Cetus will perform necessary conversions using minimal-impact strategies, aiming to avoid major swaps or excessive slippage and ensure fair and efficient pool rebalancing.
  5. Compensation contract: A dedicated compensation contract is under development and will be submitted for audit prior to deployment.
  6. Peripheral product upgrades: Associated modules are being upgraded to ensure full compatibility with the new CLMM contract, supporting a smooth relaunch.
  7. Full protocol restart: Core product functions will resume. Liquidity providers (LPs) in affected pools will regain access to recovered liquidity, with any remaining losses covered by the compensation contract. Unaffected pools will continue without interruption.
  8. Service restoration: Cetus will become fully operational.

Cetus plans to restart the protocol within a week. Once active, affected liquidity providers will access recovered funds, with any remaining losses covered through the compensation system.

Did you know? Crosschain bridges are frequent weak points in DEX hacks. Attackers exploit them to quickly move stolen assets across networks, making recovery more complicated. Hacks involving bridges accounted for over 50% of stolen crypto value in 2022.

Lessons learned from the Cetus DEX exploit

The Cetus DEX exploit exposed critical vulnerabilities that go beyond a single protocol, offering valuable insights for the broader DeFi community. 

As decentralized platforms continue to grow in complexity and scale, this incident highlights key areas where the ecosystem must evolve to better safeguard user funds and maintain trust:

  • Risks of open-source dependencies: The Cetus hack highlights the danger of relying on open-source libraries without independent verification. These tools speed up development and encourage collaboration, but they can carry hidden flaws, as the math library exploited in this attack did. Multiple audits failed to detect the vulnerability, showing that audits alone are insufficient.
  • Need for layered security: A robust defense strategy is critical to protect against new exploits. This includes continuous code monitoring, real-time detection of unusual pool activity and automatic circuit breakers that halt suspicious transactions before a pool is emptied.
  • Decentralization vs. safety debate: The incident shows how hard it is to balance decentralization with user safety. Validator actions such as freezing and recovering assets were crucial in preserving user trust, but they raise questions about how much centralized control a decentralized system should tolerate.
  • Call for proactive security: The hack emphasizes the need for adaptive security measures in DeFi. Protocols must prioritize user protection through proactive strategies that go beyond basic compliance, so that they remain resilient against evolving threats.
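The “automatic circuit breakers” called for above are straightforward to build once a protocol tracks its own reserves. The following Python is an added example written for this page (not Cetus’ code or any part of its relaunch) of a pre-trade guard that refuses a swap and pauses the pool when reserves would fall too fast, either in a single trade or cumulatively within a rolling window. The pool names, reserve levels, thresholds and trade stream in `run_demo()` are all constructed sample data, chosen to show one drain that trips the single-swap rule, one sliced into small trades that trips the window rule, and one slow enough that neither rule fires.

```python
# Added example: a per-pool circuit breaker evaluated before a swap executes.
# Not Cetus's code; pool names, reserves and thresholds below are constructed.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PoolCircuitBreaker:
    """Refuses and pauses a pool when a proposed swap would drain reserves too
    fast. Thresholds are in basis points so the comparisons stay exact."""
    reserves: dict                      # pool -> current reserve of the valuable asset
    window_s: int = 300                 # rolling window in seconds
    max_single_bps: int = 1_000         # one swap may not remove more than 10%
    max_window_bps: int = 3_000         # reserves may not fall more than 30% in a window
    history: dict = field(default_factory=dict)   # pool -> deque[(ts, reserve_before)]
    paused: set = field(default_factory=set)
    alerts: list = field(default_factory=list)    # (ts, pool, reason)

    def propose_swap(self, ts: int, pool: str, amount_out: int) -> bool:
        """Return True and apply the swap if it passes; False if it is refused."""
        if pool in self.paused:
            self.alerts.append((ts, pool, "pool_paused"))
            return False
        before = self.reserves[pool]
        hist = self.history.setdefault(pool, deque())
        hist.append((ts, before))
        while hist[0][0] < ts - self.window_s:   # drop snapshots outside the window
            hist.popleft()
        after = before - amount_out
        reference = hist[0][1]                   # reserve at the start of the window
        reason = None
        if amount_out * 10_000 > self.max_single_bps * before:
            reason = "single_swap_drop"
        elif (reference - after) * 10_000 > self.max_window_bps * reference:
            reason = "window_drop"
        if reason:
            self.paused.add(pool)
            self.alerts.append((ts, pool, reason))
            hist.pop()                           # the refused swap never happened
            return False
        self.reserves[pool] = after
        return True


def run_demo() -> dict:
    """Constructed trade stream (not real Cetus data) exercising both rules."""
    cb = PoolCircuitBreaker(reserves={"SUI/USDC": 10_000_000,
                                      "CETUS/SUI": 1_000_000,
                                      "DEEP/SUI": 1_000_000})
    stream = [
        # Benign activity on SUI/USDC, each trade well under 1% of reserves.
        (0, "SUI/USDC", 50_000), (60, "SUI/USDC", 80_000), (120, "SUI/USDC", 40_000),
        # One trade pulls about 15% of the pool: tripped by the single-swap rule.
        (180, "SUI/USDC", 1_500_000),
        # Follow-up trades on the paused pool are refused outright.
        (190, "SUI/USDC", 100),
        # Slicing a drain into 6% chunks evades the single-swap rule; the
        # window rule catches it on the sixth trade (36% gone within 150 s).
        *[(30 * i, "CETUS/SUI", 60_000) for i in range(6)],
        # The same chunks spread 400 s apart never trip: each window holds one trade.
        *[(400 * i, "DEEP/SUI", 60_000) for i in range(6)],
    ]
    refused = sum(1 for ts, pool, amt in stream if not cb.propose_swap(ts, pool, amt))
    return {"paused": set(cb.paused), "alerts": list(cb.alerts),
            "reserves": dict(cb.reserves), "refused": refused}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two design choices matter here. The guard runs before state changes, so a tripping trade is reverted rather than merely reported, which is what separates a circuit breaker from a dashboard. And the window rule uses the reserve at the start of the window as its reference, so an attacker cannot evade it by splitting one drain into many trades that each pass the single-trade limit, while slow, legitimate outflows still clear as old snapshots age out.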
