On May 22, 2025, the decentralized finance (DeFi) world was shaken by one of its largest security breaches—a $223 million exploit targeting Cetus Protocol, the leading decentralized exchange (DEX) on the Sui blockchain. The attack not only drained liquidity pools but also exposed critical vulnerabilities in blockchain infrastructure and raised serious questions about decentralization. What makes this incident particularly noteworthy is its connection to Aptos—another blockchain using the Move programming language—where similar vulnerabilities had been previously identified.
## The Attack: How It Unfolded
The exploit began in the early hours of May 22, when blockchain monitors detected irregular movements in Cetus Protocol's SUI/USDC liquidity pool. Initial reports put the outflow at $11 million, but the figure grew quickly as investigators found that the attacker had manipulated the protocol's internal pricing and drained approximately $223 million across multiple pools.
The root cause was a flawed overflow check in the fixed-width arithmetic behind Cetus's automated market maker (AMM) logic. An oversized intermediate value was truncated instead of rejected, so when the attacker deposited a single token the protocol credited them with an enormous liquidity position. That inflated position allowed the attacker to:
- Mint spoof tokens (like BULLA) with little to no real liquidity
- Skew internal pool metrics to make valuable assets appear undercollateralized
- Extract real SUI and USDC tokens at artificially favorable rates
- Bridge approximately $63 million to Ethereum and convert it to ETH
## The Aptos Connection: A Vulnerability Foretold
The most troubling aspect of the breach is that it was not entirely unexpected. Blockchain security firm Ottersec had flagged a similar vulnerability during an audit of Cetus Protocol's codebase when it was deployed on Aptos in early 2023. Despite this warning:
- The issue persisted when the code was ported to Sui
- The safeguards that were added did not correct the overflow check itself
- The same type of exploit became possible on Sui
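The failure mode described above (a single deposit credited as an enormous position because an overflow guard truncates instead of rejecting) and the flawed overflow check mentioned in the Aptos audit are the same bug class. The following is an added illustration, not Cetus or Move source: it models u256 arithmetic with Python integers and masks, assumes a Q64 fixed-point layout for sqrt prices, a simplified concentrated-liquidity formula for the token amount a position requires, and a particular shape for the bad guard (the bound set to the wrong constant). The function names, constants and sample prices are all assumptions chosen to show the mechanism.

```python
"""Fixed-width overflow checks: reject-on-overflow vs. silent truncation.

Added illustration (not Cetus or Move code). Python ints stand in for u256; the
formula, constants and the shape of the bad check are assumptions.
"""

U256_MAX = (1 << 256) - 1
Q64 = 1 << 64  # assumed fixed-point scale: a sqrt price of 1.0 is stored as 2**64


class Overflow(Exception):
    """Raised when a fixed-width operation would lose high bits."""


def shl64_rejecting(x: int) -> int:
    """u256 left shift by 64 that refuses any input whose result would not fit.

    The result fits in 256 bits only if the top 64 bits of the input are clear,
    i.e. x < 2**192, so that is the bound to check.
    """
    if x >> 192:
        raise Overflow("shift by 64 would overflow u256")
    return (x << 64) & U256_MAX


def shl64_truncating(x: int) -> int:
    """Same shift with a bad guard (assumed bug shape for this illustration).

    The bound is an all-ones 64-bit mask placed at bit 192 instead of 1 << 192,
    so the guard only fires for inputs in the last sliver below 2**256. Inputs
    between 2**192 and that bound pass, and the width mask drops their high bits.
    """
    bad_bound = 0xFFFFFFFFFFFFFFFF << 192
    if x > bad_bound:
        raise Overflow("shift by 64 would overflow u256")
    return (x << 64) & U256_MAX


def token_a_required(liquidity: int, sqrt_lo: int, sqrt_hi: int, shl64) -> int:
    """Token A needed to open `liquidity` units between two Q64 sqrt prices.

    Simplified CLMM relation (assumption, not the protocol's exact code):
        amount_a = L * (sqrt_hi - sqrt_lo) / (sqrt_hi * sqrt_lo)
    carried in Q64 fixed point, so the numerator is shifted left by 64 before
    dividing. `shl64` is the fixed-width shift under test. Rounds up so the
    pool never under-charges when the arithmetic is correct.
    """
    if not 0 < sqrt_lo < sqrt_hi:
        raise ValueError("need 0 < sqrt_lo < sqrt_hi")
    numerator = shl64(liquidity * (sqrt_hi - sqrt_lo))
    denominator = sqrt_hi * sqrt_lo
    return -(-numerator // denominator)  # ceiling division


# Constructed scenario (assumed values): a very narrow price range just above 1.0.
SQRT_LO = Q64
SQRT_HI = Q64 + (1 << 32)
SANE_LIQUIDITY = 1 << 70
HUGE_LIQUIDITY = (1 << 180) + 1  # far beyond anything one deposit could back


def compare(liquidity: int) -> dict:
    """Run the same position request through both shift implementations."""
    out = {}
    for name, fn in (("rejecting", shl64_rejecting), ("truncating", shl64_truncating)):
        try:
            out[name] = token_a_required(liquidity, SQRT_LO, SQRT_HI, fn)
        except Overflow:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    print("sane position:", compare(SANE_LIQUIDITY))
    print("huge position:", compare(HUGE_LIQUIDITY))
```

The sane request costs the same under both shifts, which is why the bad guard survives ordinary testing. The oversized request is refused by the correct guard and costs exactly one token under the truncating one: the high bits of the numerator vanish, the division yields a fraction, and the rounding turns it into a single unit. The width is not the problem; the bound is. A guard that compares against the wrong constant is more dangerous than no guard, because it reads as if the case were handled.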
This isn't the first major security incident involving the Move programming language used by both Sui and Aptos. In November 2024, Aptos' Thala money market lost $25 million to an exploit, demonstrating that language-level security features don't eliminate protocol-level vulnerabilities.
## Aftermath and Ecosystem Impact
The immediate consequences were severe:
- Token prices collapsed: CETUS dropped 40% initially (with partial recovery to -19%), while SUI fell from $4.19 to $3.62 (14%)
- Memecoins crashed: Tokens like LOFI, HIPPO, and MEMEFI lost 51-97% of their value
- TVL plummeted: Sui's total value locked dropped from $2.13 billion to $1.92 billion
- Trading halted: Major Sui DEXs like Bluefin and Momentum paused operations
The Sui Foundation coordinated with validators to freeze about $162 million of the stolen funds, while Cetus offered a $5-6 million bounty for information leading to the attacker's identification.
## Decentralization Debate
The freeze operation sparked intense debate about Sui's decentralization claims:
- Validators coordinated to ignore transactions from the attacker's addresses
- This required consensus from over two-thirds of validators—achieved remarkably quickly
- Critics argue this demonstrates excessive validator control
- Supporters view it as necessary protection for a young network
## Lessons for the Blockchain Ecosystem
The Cetus hack offers several critical lessons:
1. Audit findings must be addressed comprehensively: Vulnerabilities identified on one chain (Aptos) can resurface on another (Sui)
2. Economic design flaws transcend language security: Move's "secure by default" features didn't prevent this protocol-level exploit. Move aborts on overflowing addition and multiplication, but a left shift only aborts when the shift amount is too large; bits shifted out the top are dropped silently, so any overflow guard around a shift is hand-written and must be tested with inputs near the bound
3. Oracle manipulation remains a top threat: Internal price feeds need robust validation
4. Emergency response plans are essential: The partial fund recovery shows value in coordinated action
5. Decentralization claims face real-world tests: Asset freezing capabilities conflict with "code is law" ideals
As investigations continue and the Sui community debates potential network upgrades to recover the frozen funds, this incident serves as a stark reminder that blockchain security requires constant vigilance: across all layers of the technology stack and across all chains sharing similar architectures.