Cetus, the Largest Liquidity Provider on Sui, Hacked for $223 Million — Full Incident Recap
According to a post from Cetus Protocol on X, Cetus, the largest decentralized exchange (DEX) and liquidity provider on the Sui network, was drained of roughly $223 million worth of tokens in an exploit.
The protocol added that $162 million of the stolen funds had been "frozen" and that it was working with the Sui Foundation to recover the remaining approximately $60 million.
Here’s a full recap from SuperEx on what happened over the past few days.
What is Cetus?
Cetus is a decentralized exchange (DEX) and liquidity protocol built on the Sui blockchain. Its official name is Cetus Protocol, but since its core function is to provide on-chain trading and liquidity, it is often referred to as the exchange on Sui—similar to Raydium on Solana or Uniswap on Ethereum.
According to Cetus’ official website, its mission is to “simplify trading for all users and assets” and to deliver “seamless trading, deep liquidity, and maximized returns” through powerful DeFi tools. Cetus is a leading DEX and liquidity infrastructure in the Sui ecosystem, offering features such as aggregated trading, CLMM (concentrated liquidity market making), intent-based trading, token issuance, and more.
Cetus is known for its low-latency on-chain operations, support for concentrated liquidity (similar to Uniswap V3), and integration with various DeFi components. It has also launched tools like a Launchpad, Zap, and one-click liquidity provision, which made it one of the most active DeFi protocols on Sui.
(Note: Technically, it’s a protocol, but in terms of UX, it operates like an exchange. Both descriptions are accurate.)
Prior to the exploit, Cetus had a TVL (Total Value Locked) of around $300 million, making it a top protocol within the Sui ecosystem.
Timeline of the Cetus Incident
▶ May 18, 23:50 (UTC)
On-chain analytics platform Cyvers issued an alert, stating that Cetus’ smart contract had encountered abnormal transactions. A “cross-pool arbitrage trade” appeared to have bypassed expected slippage protections.
▶ May 19, 00:10
The attacker executed a complex cross-pool transaction path, pulling liquidity out of pools and arbitraging across them without limit. Funds quickly flowed through multiple intermediary wallets, with the majority ending up in Tornado Cash.
▶ Early Morning, May 19
Cetus published an emergency announcement, stating it was investigating abnormal activity, and had paused several pools and the router contract to prevent further damage.
▶ Midday, May 19
Security firms PeckShield and SlowMist released preliminary analyses confirming that the attacker exploited a vulnerability in Cetus' core contract involving the swapCallback function, bypassing transaction validation and extracting funds from liquidity pools at no cost.
▶ May 20
The team confirmed losses exceeding $223 million, with affected funds spanning multiple chains and pools. TVL on the Sui network dropped by nearly 50% almost immediately.
Technical Analysis: What Actually Happened?
This wasn't a "typical hack"; it was a "white-box style" exploit built on a deep understanding of the protocol's logic.
The key vulnerability: the swapCallback function did not verify the identity of its caller.
The attacker crafted call data to build a chained transaction path that the system treated as a normal user trade. In reality it bypassed slippage and fund checks, achieving:
Swapping out assets from pools without depositing real tokens
Looping through multiple pools to perform arbitrage repeatedly
Draining funds and rapidly moving them out of the protocol
Detailed technical analyses have been published by multiple security firms, but the core issue was simple: Cetus failed to verify the caller in the callback function, a serious access control failure and a fundamental smart contract mistake.
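To make the bug class concrete, here is an added toy model of an unverified swap callback, the pattern the reports above describe. This is constructed example code, not Cetus' contract and not a reproduction of the actual exploit transaction: the Pool, VulnerableRouter and HardenedRouter names, the 1:1 price and the token balances are all hypothetical. The pool follows the Uniswap V3 flash-swap shape (send output first, call the trader back for payment, then verify its own balance), and the router holds user deposits. In the vulnerable router the callback is a public entry point that never checks who invoked it and lets the caller choose the payee, so anyone can call it and walk away with the router's funds; the hardened version only honours a callback during a swap it started, from the pool it called, and always pays that pool.

```python
"""Toy model of an integrator (router/vault) whose swap callback pays out tokens
without checking who called it. Constructed example, not Cetus code; every name
and number here is hypothetical."""


class Ledger:
    """Token balances keyed by (token, account); stands in for on-chain coin objects."""

    def __init__(self):
        self.bal = {}

    def balance(self, token, acct):
        return self.bal.get((token, acct), 0)

    def mint(self, token, acct, amt):
        self.bal[(token, acct)] = self.balance(token, acct) + amt

    def transfer(self, token, src, dst, amt):
        if self.balance(token, src) < amt:
            raise ValueError(f"{src} has insufficient {token}")
        self.bal[(token, src)] -= amt
        self.bal[(token, dst)] = self.balance(token, dst) + amt


class Pool:
    """Uniswap-V3-style pool: optimistically sends the output, calls the trader's
    callback to collect payment, then verifies its own balance actually increased."""

    def __init__(self, ledger, addr, token_in, token_out):
        self.ledger, self.addr = ledger, addr
        self.token_in, self.token_out = token_in, token_out

    def swap(self, trader, amount_out, data):
        amount_in = amount_out  # 1:1 price for clarity; a real CLMM derives this from ticks
        self.ledger.transfer(self.token_out, self.addr, trader.addr, amount_out)
        before = self.ledger.balance(self.token_in, self.addr)
        # `sender` plays the role of msg.sender / tx context: the pool is the caller here
        trader.swap_callback(sender=self.addr, amount_owed=amount_in, data=data)
        if self.ledger.balance(self.token_in, self.addr) < before + amount_in:
            raise RuntimeError("swap not paid for")


class VulnerableRouter:
    """Holds user deposits and trades against pools. BUG: swap_callback is a public
    entry point that never checks `sender` and lets the caller choose the payee."""

    def __init__(self, ledger, addr, token):
        self.ledger, self.addr, self.token = ledger, addr, token

    def swap(self, pool, amount_out):
        pool.swap(self, amount_out, data={"pay_to": pool.addr})

    def swap_callback(self, sender, amount_owed, data):
        self.ledger.transfer(self.token, self.addr, data["pay_to"], amount_owed)


class HardenedRouter(VulnerableRouter):
    """Same router, but the callback is only honoured during a swap the router itself
    started, only from the pool it called, and it always pays that pool."""

    def __init__(self, ledger, addr, token):
        super().__init__(ledger, addr, token)
        self._expected_pool = None

    def swap(self, pool, amount_out):
        self._expected_pool = pool.addr
        try:
            pool.swap(self, amount_out, data=None)
        finally:
            self._expected_pool = None  # never leave the gate open after the swap

    def swap_callback(self, sender, amount_owed, data):
        if self._expected_pool is None or sender != self._expected_pool:
            raise PermissionError("swap_callback outside an active swap or from a non-pool")
        self.ledger.transfer(self.token, self.addr, sender, amount_owed)


def attack(router_cls):
    """Attacker invokes the router's callback directly, naming themselves as payee.
    Returns the attacker's USDC balance afterwards (0 if the call was rejected)."""
    ledger = Ledger()
    router = router_cls(ledger, "router", "USDC")
    ledger.mint("USDC", "router", 1_000_000)  # constructed: user deposits held by the router
    try:
        router.swap_callback(sender="attacker", amount_owed=1_000_000,
                             data={"pay_to": "attacker"})
    except PermissionError:
        pass
    return ledger.balance("USDC", "attacker")


def legitimate_swap(router_cls):
    """A normal swap through a pool still works with either router.
    Returns (router USDC after, router SUI after)."""
    ledger = Ledger()
    router = router_cls(ledger, "router", "USDC")
    pool = Pool(ledger, "pool", token_in="USDC", token_out="SUI")
    ledger.mint("USDC", "router", 1_000)
    ledger.mint("SUI", "pool", 1_000)
    router.swap(pool, 400)
    return ledger.balance("USDC", "router"), ledger.balance("SUI", "router")


if __name__ == "__main__":
    print("vulnerable router, attacker USDC:", attack(VulnerableRouter))  # 1000000
    print("hardened router,   attacker USDC:", attack(HardenedRouter))    # 0
    print("legitimate swap:", legitimate_swap(VulnerableRouter), legitimate_swap(HardenedRouter))
```

The check that matters is the one in HardenedRouter.swap_callback: the payee is never taken from caller-supplied data, and the callback is rejected unless it arrives from the exact pool the router is mid-swap with. On a real chain the same idea is expressed by checking the pool address against a whitelist or a transient "pending swap" record, and on Sui by the type system (a receipt object only the pool module can create), rather than by trusting whatever the transaction passes in.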
This isn’t the first DeFi exploit, but the scale, speed, and impact range of this attack were stunning. From the attack path, to the project team’s response timeline, to the Sui ecosystem’s domino effect, this incident became a textbook example of a spiraling collapse.
Sui Froze the Funds — But Also Exposed “Super Admin” Concerns
Shortly after the exploit, Sui CPO @emanabio stated that the funds were frozen and would be returned to the pools. The official Sui account on X also posted that the Cetus team was tracing the funds and would restore them to the community shortly.
Notice anything? Under Sui's Delegated Proof of Stake (DPoS) mechanism, a freeze of this kind should require a vote among the network's 150 validators, with more than two-thirds in agreement.
Earlier rumors claimed that 84% of the staked supply was controlled by the founding team; Sui denied this, stating that the Foundation plus the core team controlled around 60%. Either way, this event demonstrated that the Foundation could coordinate more than two-thirds of validators almost immediately, enabling the rapid freeze of the hacker's funds.
Some users speculated that statements from the Sui CPO and official Twitter suggested the presence of super admin privileges, capable of directly modifying asset ownership. This claim remains unverified, and we will refrain from further comment.
Who Was Hit the Hardest? Not Just Cetus
This was a protocol-level vulnerability, not a problem confined to a single custodial smart contract. The victims include:
Liquidity providers (LPs): Their assets were directly drained from pools, causing severe losses
Projects relying on Cetus for liquidity: DApps, wallet tools, Zap features — all lost usable liquidity instantly
The entire Sui ecosystem: This event wiped out roughly half of Sui's TVL almost immediately, dealing a major blow to investor confidence
In the aftermath, multiple teams announced they would suspend DeFi integrations and collaborations on Sui, and several new projects reportedly pivoted to Aptos or Base instead.
Final Thoughts: DeFi Can Fail — But Must Not Fail on the Basics
The Cetus exploit ranks among the top 10 most severe security incidents in DeFi history, and marks Sui’s first major protocol-level crisis.
This wasn't just a financial loss — it was a collapse of protocol-level trust.
Technical takeaway: Smart contract development must always prioritize access control, including verifying who is calling every sensitive entry point
Operational takeaway: Major protocols must establish emergency funds and user compensation mechanisms
Ecosystem takeaway: Public chains and project teams must collaborate on transparent audits and disclosures
Cetus’ TVL might recover, but lost trust is the hardest hole to patch in DeFi.