Cetus Protocol, the largest decentralised exchange (DEX) on the Sui blockchain, has lost at least US $223 million after attackers drained multiple liquidity pools in the early hours of 22 May. On-chain data shows a rapid series of withdrawals that emptied key token pairs in minutes, sending shockwaves through the young Sui ecosystem. (Sources: Cointelegraph, BleepingComputer)
How the exploit unfolded
Security analysts say the attacker deployed spoof tokens and manipulated the DEX’s pricing oracle, tricking pool contracts into releasing real assets while accepting worthless imitations. The exploit, which some researchers liken to last year’s Curve “fake-token” incident, leveraged an unpatched overflow vulnerability buried in Cetus’ concentrated-liquidity maths. (Source: Medium)
Asset flight and cross-chain laundering
Within an hour the hacker bridged tens of millions in USDC and wrapped tokens from Sui to Ethereum, swapping portions to ETH to obfuscate the trail. Blockchain-forensics firm Elliptic tracks more than US $60 million already routed through cross-chain bridges, while Sui validators succeeded in freezing roughly US $160 million still on-chain—an emergency move that has reignited debate over decentralisation on Sui. (Sources: elliptic.co, Cointelegraph)
Immediate response
Cetus paused its smart-contract router, opened an incident channel on X, and offered the attacker a “time-sensitive white-hat settlement.” Simultaneously, it posted a US $5 million bounty for information leading to the hacker’s identification, and confirmed that law-enforcement agencies are now involved. (Source: BleepingComputer)
Market fallout
The exploit battered token prices across the network. CETUS fell 35 % in a single day, SUI slid 15 %, and thin-liquidity meme coins lost more than 90 %. DeFi apps Scallop and Bluefin halted borrowing and swaps to curb contagion, while USDC briefly de-pegged on Sui as liquidity evaporated. (Sources: Cointelegraph, Medium)
Wider implications
The incident is now the second-largest DeFi hack of 2025 and the biggest to hit a Layer-1 other than Ethereum. Observers warn it could slow developer migration to Sui just as the chain was gaining traction, and may push users back toward battle-tested ecosystems. Security engineers argue that the swift validator freeze shows Sui can act decisively in crises—but critics counter that such intervention undermines claims of censorship-resistance. (Sources: CryptoSlate, Medium)
What’s next?
For now, Cetus and the Sui Foundation are coordinating with exchanges to blacklist the exploiter’s wallets while negotiating the return of funds. A full post-mortem, including third-party audits of every Cetus smart-contract package, is promised “within weeks.” In the meantime, users are urged to revoke approvals and remain vigilant; the dust has yet to settle on what may prove a watershed moment for Sui—and a stark reminder of DeFi’s unfinished business with security.