According to BlockBeats, Cetus has released a report detailing a sophisticated smart contract attack on its CLMM liquidity pool that occurred on May 22. The attack exploited a previously undiscovered vulnerability in an open-source library, allowing the attacker to manipulate pool prices and add a minimal amount of tokens to an inflated liquidity position. The attacker then repeatedly extracted assets through unchecked calculation functions, resulting in the theft of funds.
In response, Cetus swiftly froze two Sui wallet addresses containing the majority of the stolen funds, with the support of most Sui validator nodes. The remaining stolen assets were exchanged and transferred cross-chain to the Ethereum mainnet.
Cetus is collaborating with the Sui security team and multiple auditing firms to review contracts and conduct a joint audit to ensure the safe resumption of CLMM services. The company plans to enhance on-chain monitoring, initiate additional audits, and regularly publish security reports. To compensate affected liquidity providers, Cetus is working with ecosystem partners to develop a recovery plan and is urging Sui validators to support on-chain voting to expedite asset returns and rebuild user confidence.
While legal proceedings are ongoing, Cetus has offered the attacker a chance to return the funds under a white hat arrangement and is preparing to issue a final ultimatum. Cetus will continue to provide transparent updates to the community as developments occur.