Cetus Protocol Suffers $260M Exploit: Sui Ecosystem Tokens Plunge Over 70%

On May 22, 2025, Cetus Protocol, a leading decentralized exchange (DEX) on the Sui blockchain, suffered a devastating exploit that resulted in the theft of over $223 million in assets. The attack, which targeted the platform’s liquidity pools, caused widespread disruption in the Sui ecosystem, leading to significant price drops for numerous tokens. Below is a comprehensive breakdown of the incident, including the timeline, technical details, and broader implications, based on on-chain analysis and official statements.

Incident Timeline and Details

• May 22, 2025, 3:30 AM PDT

    Abnormal transactions are detected on Cetus DEX. The attacker extracts approximately $11 million worth of SUI tokens from the SUI/USDC liquidity pool, nearly depleting the pool’s SUI reserves and leaving behind a large amount of USDC. This triggers a flash crash in related token prices.

• May 22, 2025, 3:58 AM PDT

    On-chain monitoring alerts are triggered, indicating a suspected attack on Cetus Protocol, Sui’s largest DEX. Multiple liquidity pools experience a drastic reduction in depth, and prices of various token trading pairs on the platform begin to plummet. The market quickly recognizes this as a major security incident.

• May 22, 2025, 4:10 AM PDT

    The attack’s impact spreads across the Sui ecosystem, causing severe token price drops. Tokens such as Hippo, WET, and LOFI fall by over 81%, 78%, and 76%, respectively, within a short period. The CETUS platform token drops by more than 52%. Most tokens lose over 75% of their value as liquidity is nearly drained.

  

• May 22, 2025, 4:33 PM PDT

    Further on-chain analysis reveals that the attacker has taken control of all SUI-denominated liquidity pools, with preliminary estimates of stolen funds exceeding $260 million. The attacker begins converting the stolen tokens into USDC stablecoins to cash out using the remaining liquidity.

• May 22, 2025, 4:39 PM PDT

    Cetus Protocol issues an urgent statement via its official X account, confirming the detection of an “incident.” For safety, the platform temporarily suspends its smart contracts, halting all trading and liquidity operations to prevent further losses. The team announces a full investigation and promises a detailed statement soon.

• May 22, 2025, 4:48 PM PDT

    Security analysts track the attacker’s actions over the past half hour, identifying two key steps:

    1) withdrawing all liquidity from multiple token pools,

    2) cross-chain transferring a large amount of USDC from the Sui mainnet to Ethereum. The attacker has not yet sold all stolen tokens, with price drops primarily driven by drained pools and market panic. The attacker accelerates the transfer of stolen assets out of the Sui network.

  

  

• May 22, 2025, 5:06 PM PDT

    On-chain monitoring data shows the attacker has converted approximately $57.66 million in USDC, transferred cross-chain to Ethereum, into 22,114 ETH at an average price of $2,652. This move, converting roughly $60 million in stablecoins into ETH, aims to evade tracking. The attacker continues to convert stolen assets into mainstream cryptocurrencies like ETH in batches, as stablecoins can be frozen while Ethereum cannot.

• May 22, 2025, 5:10 PM PDT

    SlowMist’s Chief Information Security Officer provides a preliminary analysis, suggesting the attack likely exploited a vulnerability in Cetus’ contract calculation precision. Errors in numerical precision or rounding during contract operations may have allowed the attacker to abnormally extract liquidity. Further technical details are pending official confirmation.

• May 22, 2025, 8:00 PM PDT

    Cetus confirms that the stolen asset market cap totaled roughly $223 million and freezes $162 million (73%) of the stolen funds by locking smart contracts. The attacker’s wallet (0xe28b50…e8ff06) holds $137 million, including 12.9 million SUI ($54 million); $61.5 million in USDC has been transferred to Ethereum.

• May 23, 2025, 7:46 AM PDT

    Investigation ongoing; no final report from Cetus. SlowMist confirms the attacker’s addresses on Sui and Ethereum, noting cross-chain transactions via Wormhole. Binance and Sui Network provide technical support.

Technical Details of the Exploit

While Cetus has not yet released a detailed technical investigation report, SlowMist’s initial assessment points to a vulnerability in the contract’s calculation precision. As a Move-based DEX, Cetus’ smart contracts may have precision or rounding errors during mathematical operations, such as handling liquidity shares or token amounts. The attacker exploited this flaw to bypass normal proportional limits, extracting far more assets than entitled. Such vulnerabilities, though rare in DeFi protocols, are highly destructive, allowing attackers to siphon assets from liquidity pools by exploiting miscalculated token quantities. SlowMist speculates that a minor error in precision calculations led to this significant loss, pending further official disclosure.

Additionally, some analysts have stated that the attack details are as follows: $223 million was drained through price oracle manipulation using counterfeit tokens (e.g., BULLA) and an integer overflow vulnerability in the get_amount_by_liquidity function (u256 to u64 conversion).

Stolen Amount and Asset Breakdown

The attack resulted in substantial losses, with on-chain tracking estimating the total stolen funds at over $260 million. Key assets stolen include:

• SUI Tokens: The attacker withdrew approximately 12.99 million SUI tokens, valued at around $54 million, making SUI one of the primary assets targeted. The removal of SUI left liquidity pools imbalanced, with only stablecoins remaining.

• USDC Stablecoin: After draining SUI, the attacker cashed out using the remaining USDC in the pools, with about $60 million in USDC cross-chain transferred to Ethereum and converted into ETH.

• Other Sui Ecosystem Tokens: Tokens such as Sui Name Service (NS), NAVI Protocol (NAVX), BlueMove (BLUE), and Scallop (SCA) were indirectly affected as their SUI trading pools were drained, rendering their liquidity nearly zero and causing significant value loss for holders. Cetus has not yet released a complete list of affected assets, but the attack impacted nearly all SUI-paired liquidity pools on the platform, with total losses exceeding $260 million.

Impact on Affected Projects and Token Price Volatility

The attack caused dramatic price volatility across Sui ecosystem tokens:

• CETUS Token: The CETUS token, central to the incident, saw its price plummet by about 50% within an hour, reaching a low of $0.1465, with a daily decline exceeding 40%. Approximately 13.84 million CETUS tokens were removed from liquidity, swapped for 670,000 SUI. Despite a slight rebound, the price remains far below pre-incident levels.

• SUI Token: The SUI token experienced a milder impact, with a short-term dip but limited overall decline due to broader market trading on centralized exchanges. Its price stabilized around $4.

• Other Ecosystem Tokens (SCA, NAVX, NS, BLUE): These tokens, heavily reliant on Cetus for SUI trading pairs, faced liquidity droughts and price crashes. Scallop (SCA) dropped below $0.15, a nearly 70% decline from its peak, while NAVX fell 10.7%, and NS and BLUE saw double-digit losses.

• Additional Projects (HIPPO, WET, LOFI): Smaller Sui ecosystem tokens like HIPPO, WET, and LOFI saw instant declines exceeding 70%, as their value was tied to Cetus’ liquidity, which was drained during the attack. The attack triggered a chain reaction in the Sui token market, with long-tail tokens suffering the most due to their dependence on Cetus’ liquidity.

Cetus’ Official Response and Mitigation Efforts

Cetus Protocol responded swiftly to the exploit, issuing a statement via its X account on May 22, 2025, at 5:43 PM PDT: “We have detected an incident in the protocol. For safety, our smart contracts have been temporarily paused. The team is investigating, and we will release a detailed statement soon.” This confirmed the hack and outlined emergency measures to secure user assets by suspending all trading and liquidity operations. By 8:00 PM PDT, Cetus had frozen $162 million (73%) of the stolen funds to prevent further losses.

The team has since partnered with on-chain security firms like SlowMist and PeckShield, as well as Sui Network and Binance, to track the attacker’s addresses and provide technical support. On May 22 at 8:00 PM PDT, Cetus announced it had identified the attacker’s Ethereum wallet, offered a time-sensitive whitehat settlement for the return of funds, and engaged law enforcement and anti-cybercrime organizations to assist in recovery efforts.

As of May 23, 2025, 8:37 AM PDT, the smart contracts remain paused with no resumption timeline, and the investigation is ongoing, with a post-mortem report planned to detail the attack, losses, and mitigation steps.