"Preface"


On May 22, Cetus, the leading DEX protocol in the Sui ecosystem, was attacked: a vulnerability in its core protocol contract allowed the attacker to drain a large amount of assets. The incident quickly drew widespread attention, affecting not only users of the protocol but also prompting multiple Sui projects to enter emergency-response mode.

What followed, however, was not a chain rollback or superuser intervention but a rapid sequence of actions: validator voting, proactive project shutdowns, on-chain asset freezing, protocol self-checks and upgrades. The entire process amounted to a live exercise in on-chain financial security governance.


At the time of writing, five days have passed since the incident. It has had a wide impact and sparked heated community discussion about 'on-chain security', 'decentralized governance' and 'protocol emergency response'.

This article attempts to clarify: what exactly happened? Where does the responsibility lie? How did the Sui ecosystem respond? What can we learn from this?



❓ How did the attack happen?


The attack took place on May 22, 2025 and targeted Cetus's CLMM (concentrated liquidity market maker) liquidity pools. The attacker found a vulnerability in the contract and exploited it over multiple rounds of crafted transactions to drain assets.

The specific sequence was as follows:

Around 10:30 UTC the attack began. The attacker pushed the pool price down with abnormal trades, then opened liquidity positions at a high price and exploited a flaw in the contract logic to be credited with an enormous amount of liquidity for a minimal number of tokens, i.e. 'fake' liquidity that the deposited tokens did not actually back.

The attacker then repeatedly added and removed liquidity, withdrawing real assets from the pool against that fake liquidity on each round.

The attack lasted about 20 minutes; during this window some monitoring systems began to raise alarms.

The response over the following 50 minutes:

10:40 UTC: Cetus's monitoring system detected abnormal pool behaviour.

10:53 UTC: the Cetus team confirmed the source of the attack and reported it to other projects in the Sui ecosystem.

10:57 UTC: Cetus shut down the core liquidity pools to prevent further losses.

11:20 UTC: all related contracts were fully disabled.

The response was fast, but by then the attacker had already moved a large amount of funds out.



❓ How were the hacker's funds frozen?


Once the incident escalated, the ecosystem started a broader emergency response:

Sui validators quickly coordinated on-chain, voting on whether to refuse to sign (certify) transactions originating from the attacker's addresses;

Once validators representing more than one third of total stake (the 33% threshold) had done so, the attacker's addresses were effectively frozen. A Sui transaction is only certified and executed with signatures from validators holding more than two thirds of stake, so with over a third refusing, no transaction from those addresses could reach that quorum.

This was neither a rollback nor backend intervention but an action taken by validators through the ordinary consensus mechanism. The chain's state was not changed, user transactions were not tampered with, and everything was done under existing on-chain rules.

A 'system rollback' means returning the whole network's state to a point before the attack, as if time ran backwards; it normally means confirmed transactions are erased and the chain's history is rewritten. 'Backend intervention' means a centralized party (such as the project team or a foundation) taking direct control of nodes or funds, bypassing the normal process.

Neither happened here. The validators implemented the freeze through public voting and independent decisions under on-chain rules, which is precisely what decentralized governance looks like in practice.
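As an added illustration (this is not Sui's implementation, and the validator names, stakes and addresses are constructed for the demo), the following Python model shows the arithmetic behind the 33% figure. Certification needs signatures from validators holding more than two thirds of stake, so the moment validators holding more than one third decline to sign for a sender, that sender's transactions can never be certified, while balances and every other user's transactions are untouched.

```python
# Added model of a stake-weighted deny list; not Sui's code. Names, stakes and
# the "0xattacker" / "0xuser" addresses are constructed placeholders.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Validator:
    name: str
    stake: int
    deny_list: set[str] = field(default_factory=set)  # senders it refuses to sign for

    def will_sign(self, sender: str) -> bool:
        return sender not in self.deny_list


def total_stake(validators: list[Validator]) -> int:
    return sum(v.stake for v in validators)


def signing_stake(validators: list[Validator], sender: str) -> int:
    """Stake of the validators that would sign a transaction from `sender`."""
    return sum(v.stake for v in validators if v.will_sign(sender))


def can_certify(validators: list[Validator], sender: str) -> bool:
    """BFT supermajority: signed stake must exceed two thirds of total stake."""
    return 3 * signing_stake(validators, sender) > 2 * total_stake(validators)


def minimum_blocking_stake(total: int) -> int:
    """Smallest refusing stake that makes certification impossible (just over 1/3)."""
    return total - (2 * total) // 3


def add_to_deny_lists(validators: list[Validator], sender: str, names: set[str]) -> None:
    """Each named validator independently adds `sender` to its own deny list."""
    for v in validators:
        if v.name in names:
            v.deny_list.add(sender)


def run_scenario() -> dict:
    """Constructed validator set (total stake 100) walking through the freeze."""
    validators = [
        Validator("v1", 25), Validator("v2", 20), Validator("v3", 20),
        Validator("v4", 15), Validator("v5", 10), Validator("v6", 10),
    ]
    attacker, user = "0xattacker", "0xuser"
    balances = {attacker: 160_000_000, user: 5_000}  # chain state: never edited

    before = can_certify(validators, attacker)
    add_to_deny_lists(validators, attacker, {"v2", "v5"})  # 30% of stake refuses
    at_30pct = can_certify(validators, attacker)
    add_to_deny_lists(validators, attacker, {"v6"})        # now 40% refuses
    at_40pct = can_certify(validators, attacker)

    return {
        "before": before,
        "refuse_30pct": at_30pct,
        "refuse_40pct": at_40pct,
        "user_unaffected": can_certify(validators, user),
        "balances": balances,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
    print("blocking stake for total 100:", minimum_blocking_stake(100))
```

Note that nothing in the model edits `balances`: the freeze is purely the absence of a certificate, which is why the text can say the chain's state was not changed.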



❓ What is the current status of the funds?


According to data released by Cetus:

the attacker stole approximately $230 million in assets;

of this, about $160 million remains trapped in two frozen Sui addresses and can no longer be transferred;

about $60 million was bridged to Ethereum, where two known addresses are still being tracked.

The protocol is organising a community vote to decide how asset recovery and compensation will proceed.



❓ Why did this happen? Is it an issue with the chain itself? Or an application layer vulnerability?


According to SlowMist's report and analyses by other security researchers, the root cause lies in the logic of open-source code used by the Cetus contract: an incorrect overflow check in application-layer arithmetic. The attacker exploited this mistake; had it been found and fixed earlier, there would have been no loss. It is therefore not a vulnerability in the Move language itself: Move's built-in arithmetic aborts on overflow, but a check written by hand can still be wrong, and that is what was exploited here.

Equally important: the Sui network itself was not attacked, and there was no systemic risk.

This is a textbook 'protocol-layer security incident', not a chain-layer one.
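The following is an added example, not code from Cetus or from the library it used. It models in Python the bug class this section names and that the attack description above relies on (enormous liquidity credited for a minimal token amount): a hand-rolled overflow check on a 256-bit left shift that tests against the wrong bound. Move aborts on overflow for +, - and *, but a left shift simply discards the bits shifted out, so fixed-point libraries must check shifts themselves, and a wrong check is an application-layer bug, not a language one. The function names, the Q64.64 fixed-point layout, the shape of the token-amount formula and the price/liquidity numbers are my own constructed choices for the demo.

```python
# Added illustrative example (not Cetus's or any library's code). Models a
# checked 64-bit left shift on u256 with a wrong bound, then the liquidity
# cost formula that consumes it. All constants below are constructed.
from __future__ import annotations

U256_MASK = (1 << 256) - 1


def shl64_wrapping(n: int) -> int:
    """Move's `<<` drops bits shifted past the type width instead of aborting,
    so a 64-bit left shift on u256 is modelled by keeping only the low 256 bits."""
    return (n << 64) & U256_MASK


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Broken check: the bound is a mask with only the top 64 bits set
    (2**256 - 2**192). Any n between 2**192 and that mask passes the check,
    yet n << 64 no longer fits in 256 bits and silently wraps."""
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return shl64_wrapping(n), False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct check: n << 64 fits in 256 bits exactly when n < 2**192."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def token_a_required(liquidity: int, sqrt_lo: int, sqrt_hi: int, checked_shlw) -> int:
    """Token A owed for adding `liquidity` between two Q64.64 sqrt prices.
    Shape: ((L * (sqrt_hi - sqrt_lo)) << 64) / (sqrt_hi * sqrt_lo), rounded up.
    Raises OverflowError when the checked shift reports overflow (a Move abort)."""
    numerator, overflowed = checked_shlw(liquidity * (sqrt_hi - sqrt_lo))
    if overflowed:
        raise OverflowError("liquidity * price delta does not fit after << 64")
    denominator = sqrt_hi * sqrt_lo
    return -(-numerator // denominator)  # ceiling division


# Constructed attacker input: a narrow range just above price 1.0 (sqrt price
# 2**64 in Q64.64) and a liquidity chosen so that L * delta = 2**192 + 2**32,
# which the buggy check accepts and the wrapping shift turns into 2**96.
SQRT_LO = 1 << 64
SQRT_HI = (1 << 64) + (1 << 32)
CRAFTED_LIQUIDITY = (1 << 160) + 1


def exploit_cost() -> int:
    """Token A the buggy path charges for the crafted position."""
    return token_a_required(CRAFTED_LIQUIDITY, SQRT_LO, SQRT_HI, checked_shlw_buggy)


def fixed_check_aborts() -> bool:
    """True when the corrected check refuses the same position."""
    try:
        token_a_required(CRAFTED_LIQUIDITY, SQRT_LO, SQRT_HI, checked_shlw_fixed)
    except OverflowError:
        return True
    return False


if __name__ == "__main__":
    print("liquidity credited:", CRAFTED_LIQUIDITY)
    print("token A charged by buggy check:", exploit_cost())
    print("fixed check aborts:", fixed_check_aborts())
```

With the buggy bound the crafted position costs a single token unit for roughly 2**160 units of liquidity; with the correct bound the same call aborts. For ordinary liquidity sizes both paths agree, which is why the defect survives normal use and testing.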




❓ After the attack, how did other projects in the Sui ecosystem respond?


After Cetus went offline, multiple projects on Sui began security self-checks. The Momentum protocol, a leading DEX in the Sui ecosystem, suspended trading immediately after the attack and worked with the Sui Foundation to keep the stolen funds from being dispersed through DEX trades into many other asset accounts. It then carried out a full code audit and risk assessment of its contracts, and only after confirming that the self-check found no issues and that the stolen funds had been frozen on-chain (the validator freeze described above, which the Sui Foundation helped coordinate) did it restore trading.



❓ What happens next after the incident?


Currently:

Cetus has completed fixes for the core vulnerability and is reviewing the code with its audit team;

a user compensation plan is being drawn up, partly dependent on the outcome of ecosystem governance votes;

other Sui projects have gradually resumed operations or are finishing security hardening.

The ecosystem as a whole did not shut down; instead it systematically reviewed its security mechanisms after the incident.



❓ What does this incident teach us?


This attack on Cetus has forced every builder and user to face a reality check:

What does protocol security actually rest on?

The answer is becoming clear:


It rests on the collective intelligence that decentralization makes possible, not on decentralization used as an excuse for inaction;

It rests on continuous, systematic investment, not on one or two audit reports;

It rests on regular preparation and mechanism-building, not only on remediation after the fact;

It rests on every participant being willing to take responsibility and act, rather than pushing the problem off onto 'the chain' or 'the technology'.


The attacker caused losses but did not break the system;

and decentralization, it turns out, is not about hiding behind the rules and watching from the sidelines, but about spontaneously coming together to hold the line and protect users.



"Conclusion"


True decentralization is not a slogan, but a responsibility.

In this storm, there are no saviors.

Sui validators voted to freeze the attacker's transactions; other protocols completed security self-checks, with some resuming quickly; users kept watching and pushing for improvements.

Decentralization is not laissez-faire but collaboration with boundaries, principles and accountability.

In a system with no backend, trust must be upheld by every line of code, every mechanism and every decision.

This incident is a crisis, an exam, and a mirror.

It tells us:

Decentralization is not the goal but a method aimed at building trust; decentralization brings collective wisdom.



While decentralization is important, capital efficiency and protocol security are even more crucial.
