Sui validators are voting on a proposal that, if passed, will forcibly unlock and return a large chunk of funds siphoned in a May 22 exploit on Cetus.

The move, which would reverse an exploit that let an attacker siphon $220 million from the blockchain's decentralised exchange aggregator, is stirring debate.

That’s because the action raises questions about the balance between decentralisation and necessary intervention in blockchain governance.

The manoeuvre effectively amounts to hacking the hacker. Some critics say it erodes the trustless nature of blockchain networks, because it relies on centralised decision-making by a small group of participants.

The vote

Sui network participants froze $160 million following the attack, but the funds are still in the attacker’s wallets.

Data from the voting page shows 52% support for returning the funds. While the vote officially ends on June 3, participants can trigger an early close of the polls on May 29.

Current trends suggest the vote will pass. If it does, validators can roll out a protocol upgrade that overrides the attacker's control of the wallets and moves the siphoned funds out of them.

The funds will be transferred to a multi-signature wallet controlled by Cetus, the Sui Foundation, and blockchain security outfit OtterSec.

The proposal is part of a larger remediation plan to compensate users affected by last week's exploit.

The recovered funds will also be supplemented by Cetus’s treasury and a loan from the Sui Foundation to make affected traders whole.

Last week’s attack on Cetus drained liquidity from the protocol and sent the prices of many Sui-based tokens tumbling, including Lofi, which crashed 76%, and Hippo, which slumped 81%.

Both tokens are still down 26% and 6%, respectively, in the last week.

Precedent

It's not the first time a protocol has hit back against a malicious actor to recover funds. Tapioca DAO used a counter-exploit to recover $2.7 million worth of Ether from a hacker in October.

Still, others say it sets a bad precedent: network participants will feel obliged to intervene in future incidents as well, even when the losses stem from poor security on the part of the affected protocol.

In Cetus's case, the attacker exploited simple arithmetic errors in the protocol's smart contract code, using fake tokens to drain its liquidity.

The attacker laundered about $60 million of the proceeds before the remaining $160 million was frozen.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. Got a tip? Contact him at [email protected].