Incident

Sui Blockchain's Cetus protocol suffers $200 million exploit



The Sui blockchain ecosystem has experienced a significant security breach affecting Cetus Protocol, its largest decentralized exchange (DEX) and liquidity provider. The attack occurred on Thursday 22nd of May 2025 and resulted in the theft of over $200 million in digital assets. Cetus Protocol has confirmed the incident and implemented security measures to prevent further damage.

The attack leveraged "spoof tokens" to manipulate Cetus Protocol's internal price curves and liquidity reserve calculations. Security experts have characterized this as a "price oracle manipulation attack," where attackers exploit vulnerabilities in the mechanism that feeds external price data to smart contracts:

  1. A price oracle is a service that provides external data to a blockchain or smart contract. In the context of decentralized finance (DeFi), price oracles specifically deliver real-time price information for various assets.
  2. The attacker created special "spoof tokens" - essentially counterfeit digital coins designed to trick the system.
  3. The attacker added these fake tokens to a liquidity pool (a collection of tokens used for trading) alongside a tiny amount of legitimate tokens like SUI or USDC.
  4. By structuring their deposits in a specific way, the attacker fooled the protocol's price oracle into believing these fake tokens had significant value, when in reality they were worthless.
  5. With the price oracle now showing inflated values, the protocol incorrectly calculated how many real tokens the attacker should receive in exchange.
  6. The attacker could then withdraw genuine SUI tokens and USDC stablecoins from the liquidity pools based on the manipulated prices, essentially exchanging worthless fake tokens for valuable real ones.
  7. By repeating this process across multiple liquidity pools, the attacker was able to drain approximately $200 million in genuine assets before the protocol team detected and halted the exploit.
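The valuation weakness described in steps 3 to 5, shown next to a hardened check, as an added example that is not Cetus Protocol's code. It assumes a simplified pool whose price is the ratio of its reserves; the token names, threshold and pool figures are constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions for illustration only: token names, threshold and pool model are
# constructed here and are not Cetus Protocol's contracts or parameters.
TRUSTED_TOKENS = {"SUI", "USDC"}
MIN_QUOTE_RESERVE = 100_000.0  # real-asset depth required before a price is trusted

@dataclass
class Pool:
    token: str            # asset being priced
    quote: str            # asset the price is expressed in
    token_reserve: float
    quote_reserve: float

def spot_price(pool: Pool) -> float:
    """Reserve ratio; whoever funds a thin pool effectively chooses this number."""
    return pool.quote_reserve / pool.token_reserve

def naive_value(pool: Pool, amount: float) -> float:
    """Weak form: trusts the pool's own ratio for any token and any depth."""
    return amount * spot_price(pool)

def guarded_value(pool: Pool, amount: float) -> float:
    """Hardened form: price only allowlisted assets backed by deep reserves."""
    if pool.token not in TRUSTED_TOKENS or pool.quote not in TRUSTED_TOKENS:
        raise ValueError(f"untrusted token in pool {pool.token}/{pool.quote}")
    if pool.quote_reserve < MIN_QUOTE_RESERVE:
        raise ValueError("pool too shallow to serve as a price source")
    return amount * spot_price(pool)

# Constructed sample pools.
SPOOF_POOL = Pool("SPOOF", "USDC", token_reserve=1.0, quote_reserve=10.0)
THIN_POOL = Pool("SUI", "USDC", token_reserve=1.0, quote_reserve=4.0)
DEEP_POOL = Pool("SUI", "USDC", token_reserve=1_000_000.0, quote_reserve=4_000_000.0)

def is_rejected(pool: Pool, amount: float) -> bool:
    """True when the hardened valuation refuses to price the deposit."""
    try:
        guarded_value(pool, amount)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("naive value of 1,000,000 SPOOF:", naive_value(SPOOF_POOL, 1_000_000))
    print("spoof pool rejected by guard:  ", is_rejected(SPOOF_POOL, 1_000_000))
    print("thin pool rejected by guard:   ", is_rejected(THIN_POOL, 100))
    print("guarded value of 100 SUI:      ", guarded_value(DEEP_POOL, 100))
```

The naive function values a deposit backed by 10 USDC of real liquidity at 10 million, while the guarded function refuses both the unlisted token and the shallow pool.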

On-chain analysis indicates the attacker's wallet remains active, holding millions in SUI tokens. A significant portion of the stolen USDC has already been transferred to other blockchain networks in an effort to obscure the stolen funds and evade recovery attempts, the cryptocurrency equivalent of money laundering.

The attack resulted in the theft of various digital assets from Cetus Protocol liquidity pools:

  • SUI tokens (native token of the Sui blockchain)
  • USDC (USD Coin stablecoin)
  • Various liquidity pool tokens
  • Other unspecified digital assets from affected pools

The vulnerability that caused this exploit and the number of affected users have not been disclosed.

The protocol immediately paused its smart contracts to prevent further asset drainage and engaged with the broader Sui ecosystem for assistance. In an update shared earlier today, the Cetus team outlined several critical response measures:

The team has successfully identified and patched the root cause of the vulnerability, sharing this information with other ecosystem builders to prevent similar exploits elsewhere in the Sui ecosystem. They have engaged professional anti-cybercrime organizations for specialized support in fund tracing and potential negotiations with the attacker. Additionally, Cetus is now working with law enforcement agencies to arrange further assistance in the investigation and potential asset recovery.
