Sui shares details on $220M Cetus exploit, vows to step up security

Multiple rounds of prior audits did not catch the flaw, the DEX said


Patme Design/Shutterstock and Adobe modified by Blockworks


This is a segment from The Drop newsletter. To read full editions, subscribe.


We now know more about the bug that was exploited last week, resulting in over $220 million in frozen and stolen funds from the Sui-based DEX Cetus.

On Monday, Sui described the flaw as “a bug in a Cetus math library” and promised to commit $10 million to improving Sui’s security more broadly. That includes a bug bounty program, plus Sui-funded security audits for projects using the chain.

Blockchain security firm Dedaub explained that the attack involved intentionally misconfiguring a liquidity pool with an “extremely high value.”

“This allowed them to add massive liquidity positions with just 1 unit of token input, subsequently draining pools collectively containing hundreds of millions of dollars worth of token,” the firm wrote.
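Dedaub's description points at a familiar class of defect: fixed-point liquidity math in which an oversized input makes an intermediate product overflow, so the deposit actually demanded collapses to almost nothing while the liquidity credited stays huge. The following is an added, constructed illustration of that class in Rust; it is not Cetus's Move code and not the specific library bug, and the simplified formula `ceil(liquidity * sqrt_price_delta / 2^64)` together with both function names are hypothetical. It sets a wrapping implementation beside a checked one that refuses the position outright.

```rust
// Constructed illustration (not Cetus's code): how a liquidity-to-token
// calculation that silently wraps can book a huge liquidity position for a
// 1-unit deposit, and how checked arithmetic refuses the same request.
//
// Hypothetical simplified formula, in Q64.64 fixed point:
//   amount_required = ceil(liquidity * sqrt_price_delta / 2^64)
// where `sqrt_price_delta` is the already-scaled width of the price range the
// position covers. Real concentrated-liquidity math is more involved.

const Q64: u32 = 64;
const LOW_MASK: u128 = (1u128 << Q64) - 1;

/// Ceiling division of a 128-bit product by 2^64.
fn ceil_div_q64(product: u128) -> u128 {
    (product >> Q64) + u128::from(product & LOW_MASK != 0)
}

/// Buggy variant: the multiplication wraps modulo 2^128 without error, so an
/// overflowing product can land on a tiny value and under-charge the caller.
pub fn amount_required_wrapping(liquidity: u128, sqrt_price_delta: u128) -> u128 {
    let product = liquidity.wrapping_mul(sqrt_price_delta);
    ceil_div_q64(product)
}

/// Hardened variant: overflow in the intermediate product is an error, and a
/// non-zero liquidity grant that would cost nothing is rejected as well.
pub fn amount_required_checked(liquidity: u128, sqrt_price_delta: u128) -> Option<u128> {
    let product = liquidity.checked_mul(sqrt_price_delta)?;
    let amount = ceil_div_q64(product);
    if liquidity > 0 && amount == 0 {
        return None;
    }
    Some(amount)
}

fn main() {
    // Constructed inputs: a position claiming 2^64 units of liquidity over a
    // range whose scaled width is 2^64 + 1. The true product is 2^128 + 2^64,
    // which does not fit in a u128.
    let liquidity = 1u128 << 64;
    let sqrt_price_delta = (1u128 << 64) + 1;

    // Wrapping math: the product wraps to 2^64, so the caller owes 1 token.
    let paid = amount_required_wrapping(liquidity, sqrt_price_delta);
    println!("wrapping math asks for {paid} token(s) for {liquidity} liquidity");

    // Checked math: the overflow is detected and the deposit is refused.
    match amount_required_checked(liquidity, sqrt_price_delta) {
        Some(a) => println!("checked math asks for {a} token(s)"),
        None => println!("checked math rejected the position (overflow)"),
    }

    // A sane position: 1000 liquidity over a half-width range costs 500 tokens.
    assert_eq!(amount_required_checked(1000, 1u128 << 63), Some(500));
}
```

The point for reviewers and auditors is the second function's shape: every intermediate in pool accounting is computed with checked (or widened) arithmetic, and the result is sanity-checked against the value being granted, so a mis-set parameter fails loudly instead of minting liquidity for free.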

Image from Cetus detailing how the incident occurred.

As of May 26, Cetus said that the majority of the swiped crypto (roughly $162 million) remained frozen across two Sui wallets, while the rest of the stolen funds had already been converted to ETH by the attacker.

“Cetus has been among the DeFi teams on Sui that invested the most in smart contract audits and system safeguards. Unfortunately, reality does not always unfold as we wish,” Cetus said in its disclosure. “Multiple rounds of audits on the underlying contracts and the dependent open-source libraries — combined with their widespread and successful use by ecosystem developers — gave us a sense that we had done enough. In hindsight, we realize we allowed ourselves to relax our vigilance. This painful lesson has shown us: we must do more.”

The DEX further said last week it hasn’t heard from the hacker thus far.

Sui isn’t the only one that’s recently seen crypto swiped on its chain due to an exploit. On a much smaller scale, Cardex, a game on Abstract, had a flaw that resulted in at least $500,000 being siphoned from that app’s users earlier this year.

Being permissionless means more people can build in a chain’s ecosystem with less oversight, getting closer to financial decentralization, one of the original aims of crypto.

But it also means a chain’s reputation can take a hit when some apps that use it are lacking on the security front — leading to headline-generating exploits and losses often in the millions.

“Security audits are inherently imperfect,” wrote BlockSec’s CCO, who goes by Orlando on X, in response to the incident. “In 2023, the entire crypto market spent $1 billion on security audits, yet $2 billion in assets were still stolen.”
