Devastating Cetus DEX Exploit: How $260M Vanished on Sui Blockchain

The world of decentralized finance (DeFi) can offer incredible opportunities, but it also harbors significant risks. A stark reminder of this came on May 22, 2025, with the devastating Cetus DEX exploit on the Sui blockchain. This incident saw hundreds of millions of dollars stolen in minutes, sending shockwaves through the Sui ecosystem and highlighting critical challenges in crypto security.

What Went Wrong: Understanding the Cetus DEX Exploit

Cetus Protocol, a major decentralized exchange on Sui, became the target of one of the largest DeFi breaches in history. An attacker exploited a specific flaw within Cetus’s pricing mechanism, leading to the theft of roughly $260 million in digital assets. This attack significantly impacted the Sui community, causing the SUI token price to drop notably.

Cetus DEX had seen rapid growth, making it an attractive target. According to data, its trade volume surged dramatically from late 2023 to early 2025. This growth, while positive, also meant more liquidity for attackers to target.

The root cause was identified as a previously undetected error in the Cetus DEX code, specifically involving a math library and the internal pricing system. This vulnerability allowed the attacker to manipulate asset values and drain liquidity pools. The event underscores the persistent difficulties in ensuring robust security within rapidly expanding DeFi ecosystems, even when security is prioritized.

How the Attack Unfolded: A Step-by-Step Breakdown

The Cetus DEX exploit was a calculated assault. Here’s how the attacker bypassed safeguards and drained liquidity pools using a flaw in Cetus’s internal pricing system:

• Flash Loan: The attacker, using a specific wallet address, initiated the attack with a flash loan. This allowed them to access substantial funds instantly without needing upfront collateral, enabling rapid transaction execution.
• Fraudulent Token Injection: Fake tokens lacking genuine liquidity were introduced into various Cetus liquidity pools. This action disrupted the price feed mechanism used for token swaps.
• Price Curve Distortion: The counterfeit tokens misled the internal pricing system. They skewed reserve calculations, creating artificial price advantages for legitimate assets like SUI and USDC.
• Liquidity Pool Exploitation: By leveraging this pricing vulnerability, the attacker drained 46 liquidity pairs. They exchanged worthless tokens for valuable assets at manipulated, favorable rates.
• Crosschain Fund Transfer: A portion of the stolen assets, about $60 million in USDC, was moved to the Ethereum network. Here, the attacker converted them into Ether.

The immediate consequence was a sharp decline in token prices across the Sui ecosystem. The CETUS token dropped significantly, and the total value locked (TVL) on the DEX decreased by $210 million, reflecting the financial and reputational loss.

Timeline of the Cetus DEX Exploit

The coordinated exploit unfolded over several hours, prompting emergency responses from the Cetus team and Sui validators. Here’s a brief timeline:

• 10:30:50 UTC: Unusual transactions begin, marking the start of the exploit.
• 10:40:00 UTC: Monitoring systems detect irregular activity in liquidity pools.
• 10:53:00 UTC: The Cetus team identifies the attack source and alerts the Sui ecosystem.
• 10:57:47 UTC: Core liquidity pools are shut down to stop further losses.
• 11:20:00 UTC: All related smart contracts across the system are disabled.
• 12:50:00 UTC: Sui validators start voting to block the attacker’s addresses, effectively freezing them once votes exceed 33% of the stake.
• 18:04:07 UTC: An onchain message for negotiation is sent to the attacker.
• 18:15:28 UTC: The vulnerable contract is updated and fixed, pending reactivation.

Why Did Audits Fail to Prevent This Smart Contract Vulnerability?

A crucial question arising from the Cetus DEX exploit is why security audits didn’t catch the flaw. Despite multiple smart contract audits and security reviews, the specific vulnerability – located in a math library and a flawed pricing mechanism – went undetected. Cetus admitted in its post-mortem analysis that prior successes and the use of audited libraries might have led to a false sense of security.

This incident highlights a broader issue in the industry: audits are essential but not a complete safeguard. While billions are spent on security audits annually, billions are still lost to hacks. Audits are good at identifying known risks but often struggle to anticipate novel attack vectors.

The Cetus hack serves as a clear reminder that continuous monitoring, rigorous code reviews, and layered security practices are necessary, even for protocols that have undergone audits.

Recovery Efforts and Compensation Plan

Following the DeFi hack, the Cetus team suspended operations to prevent further losses. The Sui community responded quickly, initiating a structured recovery and compensation strategy. Sui validators approved a governance vote to transfer $162 million in frozen assets from the attacker’s addresses to a Cetus-managed multisig wallet. These funds will be held in trust to reimburse affected users.

Cetus outlined its recovery roadmap, which includes:

• Protocol Upgrade: Implementing a network upgrade to transfer frozen funds to a multisig wallet controlled by Cetus, OtterSec, and the Sui Foundation.
• Contract Upgrade: Completing and auditing an upgraded contract enabling emergency pool recovery.
• Data Restoration: Restoring historical pool data to calculate individual liquidity losses.
• Asset Conversions: Performing necessary conversions of recovered assets that were swapped by the attacker, using minimal-impact strategies.
• Compensation Contract: Developing a dedicated contract for compensation, which will be audited before deployment.
• Peripheral Product Upgrades: Ensuring associated modules are compatible with the new contract.
• Full Protocol Restart: Resuming core functions, allowing affected liquidity providers access to recovered funds, with remaining losses covered by the compensation contract.

Cetus aims to restart the protocol shortly, ensuring that affected users are compensated for their losses.

Lessons Learned for Crypto Security

The Cetus DEX exploit exposed critical vulnerabilities, offering valuable insights for the broader DeFi community. As decentralized platforms grow in complexity, this incident highlights key areas for improvement:

• Risks of Open-Source Dependencies: Over-reliance on open-source libraries can be risky if hidden flaws exist, as seen with the exploited math library. Audits alone are insufficient.
• Need for Layered Security: Robust defense requires continuous code monitoring, real-time detection of unusual activity, and automatic circuit breakers.
• Balancing Decentralization and Safety: Validator actions to freeze and recover assets were crucial but raise questions about centralized control within a decentralized system.
• Proactive Security Measures: Protocols must prioritize user protection through strategies that go beyond basic compliance, building resilience against evolving threats.

The Cetus DEX exploit is a sober reminder that security in DeFi is an ongoing battle. While audits and security reviews are vital, they must be complemented by continuous vigilance, layered defenses, and a proactive approach to identifying and mitigating risks. The incident on the Sui blockchain serves as a case study for the entire industry on the importance of hardening systems against complex and novel attack vectors.