When liquidity attracts attackers: What went fallacious on Cetus?

On Might 22, 2025, Cetus Protocol, the first decentralized alternate (DEX) on the Sui blockchain, suffered a major hack, marking one of many largest decentralized finance (DeFi) breaches in cryptocurrency historical past. 

An attacker exploited Cetus’ pricing mechanism flaw, stealing roughly $260 million in digital belongings. This incident considerably impacted the Sui group, inflicting the Sui (SUI) token value to drop by about 15% to $3.81 by Might 29.

The Cetus DEX facilitates environment friendly token trading and liquidity provision throughout the Sui ecosystem. The platform’s speedy progress made it a major goal for attackers. In keeping with DefiLlama, commerce quantity on Cetus DEX grew from 182.47 million between Oct. 1 and 31, 2023, to 7.152 billion between Jan. 1 and 31, 2025. 

A beforehand undetected error within the code of Cetus DEX allowed the exploit, enabling the theft of hundreds of thousands. This occasion highlights the continued challenges of guaranteeing strong safety in quickly increasing DeFi ecosystems, even with vital efforts to prioritize security.

Do you know? DEX hacks can crash complete ecosystems. When Mango Markets was exploited for $114 million in 2022, its governance token plummeted by over 50%, and confidence in Solana’s DeFi ecosystem was shaken for weeks.

How Cetus DEX was exploited: A step-by-step breakdown

Cetus fell sufferer to a calculated assault that mixed value manipulation, faux token injections and crosschain laundering. 

Under is a step-by-step breakdown of how the attacker bypassed safeguards and drained liquidity swimming pools utilizing a flaw in Cetus’s inner pricing system:

• Flash mortgage: The attacker, utilizing pockets deal with 0xe28b50, took out a flash loan to entry fast funds with out collateral, enabling swift transaction execution.
• Insertion of fraudulent tokens: Faux tokens, reminiscent of BULLA, which lack real liquidity, have been launched into varied Cetus liquidity pools, disrupting the value feed mechanism for token swaps.
• Worth curve distortion: These counterfeit tokens misled the interior pricing system, skewing reserve calculations and creating synthetic value benefits for professional belongings like SUI and USDC (USDC).
• Liquidity pool exploitation: By exploiting the pricing vulnerability, the attacker drained 46 liquidity pairs, exchanging nugatory tokens for beneficial belongings at manipulated, favorable charges.
• Crosschain fund switch: A fraction of the stolen belongings, about $60 million in USDC, was transferred to the Ethereum network, the place the attacker transformed them into 21,938 Ether (ETH) at a mean value of $2,658 per ETH.
• Market penalties: The assault induced a major decline in token costs throughout the Sui ecosystem. CETUS dropped over 40%, with some tokens falling by as much as 99%. The total value locked (TVL) had decreased by $210 million by Might 29, indicating the reputational loss suffered by the DEX.

Here’s a determine illustrating how the attacker’s motion resulted in sure contract reactions, resulting in the siphoning of funds:

Timeline of the Cetus DEX exploit

A coordinated exploit on Cetus DEX unfolded over eight hours, triggering emergency shutdowns, contract freezes and a validator-led response to dam the attacker’s addresses.

Here’s a timeline of how the Cetus DEX exploit:

• 10:30:50 UTC: The exploit begins with uncommon transactions.
• 10:40:00 UTC: Monitoring programs detect irregular exercise in liquidity swimming pools.
• 10:53:00 UTC: The Cetus staff identifies the assault supply and notifies Sui ecosystem members.
• 10:57:47 UTC: Core CLMM swimming pools are shut right down to cease additional losses.
• 11:20:00 UTC: All associated sensible contracts are disabled throughout the system.
• 12:50:00 UTC: Sui validators start voting to dam transactions from the attacker’s addresses; as soon as votes exceed 33% of the stake, these addresses are successfully frozen.
• 18:04:07 UTC: This hyperlink sends an onchain negotiation message to the attacker.
• 18:15:28 UTC: The susceptible contract is up to date and stuck, although not but reactivated.

Why audits failed to stop the Cetus DEX exploit

Regardless of a number of smart contract audits and safety opinions, hackers have been capable of detect the flaw in Cetus and benefit from it. The vulnerability lay in a math library and a flawed pricing mechanism, points that managed to slide previous a number of audits.

In its autopsy, Cetus admitted that it was relaxed in its method relating to vigilance because the previous successes and widespread adoption of audited libraries had created a false sense of safety. The incident underscores a broader trade downside about audits, which, although important, will not be foolproof. 

In keeping with BlockSec’s chief business officer, lively as Orlando on X, the crypto trade spent over $1 billion on safety audits in 2023, but greater than $2 billion was nonetheless stolen by way of varied hacks and exploits. Audits can detect identified threat patterns however usually fail to anticipate novel, inventive assault vectors. The Cetus hack serves as a reminder that ongoing monitoring, code opinions and layered safety practices are essential, even for well-audited protocols.

Do you know? In 2021, the Poly Community hack was one of many largest DeFi exploits ever, with over $600 million stolen. Surprisingly, the hacker returned a lot of the funds, claiming it was only for “enjoyable” and to reveal safety flaws. The occasion sparked debates on ethics and white hat hacking in DeFi.

Restoration and compensation plan of the Cetus DEX

After the hack, the Cetus staff suspended its smart contract operations to stop additional losses. Subsequently, the Sui group rapidly launched a structured restoration and compensation technique. 

On Might 29, Sui validators approved a governance vote to switch $162 million in frozen belongings to a Cetus-managed multisig wallet, beginning the method of reimbursing affected customers. The frozen funds will likely be held in belief till they are often returned to customers. The governance vote had 90.9% voting in favor (sure), 1.5% abstaining (engaged however impartial) and seven.2% not taking part (inactive).

On Might 30, Cetus DEX posted its restoration roadmap on X:

1. Protocol improve: Sui validators will implement a community improve to switch frozen funds to Cetus’s multisig belief. The multisig is managed by Cetus, OtterSec and the Sui Basis as keyholders (executed on Might 31).
2. CLMM contract improve: The upgraded CLMM (concentrated liquidity market maker) contract enabling emergency pool restoration has been accomplished and is at the moment present process an exterior audit.
3. Knowledge restoration: Cetus will restore historic pool information and calculate liquidity losses for every affected pool.
4. Asset conversions and deposits: On account of quite a few swaps executed by the attacker in the course of the exploit, many recovered belongings have deviated from their unique kinds. Cetus will carry out essential conversions utilizing minimal-impact methods, aiming to keep away from main swaps or extreme slippage and guarantee honest and environment friendly pool rebalancing.
5. Compensation contract: A devoted compensation contract is underneath improvement and will likely be submitted for audit previous to deployment.
6. Peripheral product upgrades: Related modules are being upgraded to make sure full compatibility with the brand new CLMM contract, supporting a easy relaunch.
7. Full protocol restart: Core product features will resume. Liquidity suppliers (LPs) in affected swimming pools will regain entry to recovered liquidity, with any remaining losses lined by the compensation contract. Unaffected swimming pools will proceed with out interruption.
8. Service restoration: Cetus will change into totally operational.

Cetus plans to restart the protocol inside per week. As soon as lively, affected liquidity suppliers will entry recovered funds, with any remaining losses lined by way of the compensation system.

Do you know? Crosschain bridges are frequent weak factors in DEX hacks. Attackers exploit them to rapidly transfer stolen belongings throughout networks, making restoration extra sophisticated. Hacks involving bridges accounted for over 50% of stolen crypto worth in 2022.

Classes discovered from the Cetus DEX exploit

The Cetus DEX exploit uncovered vital vulnerabilities that transcend a single protocol, providing beneficial insights for the broader DeFi group. 

As decentralized platforms proceed to develop in complexity and scale, this incident highlights key areas the place the ecosystem should evolve to raised safeguard consumer funds and preserve belief:

• Dangers of open-source dependencies: The Cetus hack highlights the dangers of over-reliance on open-source libraries. Whereas these instruments velocity up improvement and encourage collaboration, they will include hidden flaws, as seen within the math library exploited on this assault. A number of audits didn’t detect this vulnerability, displaying that audits alone are inadequate.
• Want for layered safety: A strong protection technique is vital to guard towards new exploits. This consists of steady code monitoring, real-time detection of surprising exercise and automated circuit breakers to halt suspicious transactions.
• Decentralization vs. security debate: The incident factors out the significance of balancing decentralization with consumer security. Validator actions, reminiscent of freezing and recovering belongings, have been essential in sustaining the belief of customers, however they elevate questions in regards to the extent of centralized management in a decentralized system.
• Name for proactive safety: The hack emphasizes the necessity for adaptive safety measures in DeFi. Protocols should prioritize consumer safety by way of proactive methods that transcend primary compliance, guaranteeing resilience towards evolving threats.