The Sui ecosystem has been rocked to its core by an exploit on the network’s largest decentralized exchange Cetus which has seen $200 million stolen from liquidity pools.
Notable Sui meme coins like Lofi (LOFI), Sudeng (HIPPO), and Squirtle (SQUIRT) tanked 76%, 80%, and 97% in just an hour. And the popular Cetus token dropped 53% over the same time frame. According to DEX Screener, 46 Sui tokens have made double digit losses over the past 24 hours.
“The attacker exploited vulnerabilities in Cetus Protocol's smart contracts by deploying spoof tokens to manipulate price curves and reserve calculations,” Deddy Lavid, CEO and co-founder of security firm Cyvers, told Decrypt. “This allowed them to extract real assets from multiple liquidity pools, including the SUI/USDC pool. The stolen funds are being converted into USDC and bridged to other chains.”
PeckShield estimates that approximately $200 million worth of assets were stolen due to this exploit. The attacker currently has $164 million sitting in a Sui wallet and has bridged $61.5 million worth of USDC onto Ethereum.
A SUI spokesperson declined to comment on the exploit when reached by Decrypt, instead referring to what the team had already shared publicly on X.
In response, Cetus paused its smart contracts to prevent any further losses. The exchange issued a statement on social media stating that an “incident” had been detected and that its team was investigating it.
Leaked Discord messages suggest that the Cetus team believe the exploit came as a result of a “bug” in its oracle. Users on social media seemed skeptical of this, but Cyvers told Decrypt the aforementioned exploit is called an “oracle manipulation attack.”
This is because the attackers were able to manipulate the oracle to misrepresent the price via the deployed spoof tokens.
The attacker has been moving funds using the USDC stablecoin. Circle has caught flak from industry experts, like on-chain sleuth ZachXBT, for its slow reaction in freezing funds related to hacks—taking more than five hours to block funds connected to the Bybit hack in February.
(And for what it’s worth, USDT issuer Tether has had similar complaints for its fund freeing process leaving a window for attackers to avoid the punishment.)
“We’ve repeatedly urged stablecoin issuers to act on our real-time alerts, yet many still choose to wait for post-mortem investigations,” Lavid said. “The pattern is clear: Action comes days too late, if it comes at all. In this threat environment, delay is indistinguishable from inaction.”
This situation is still developing with former Binance CEO Changpeng “CZ” Zhao claiming that his team are doing what they can to help Sui.
“Not a pleasant situation,” he wrote on X, formerly Twitter. “Hope everyone stay SAFU!”
Surprisingly, Sui’s price hasn’t been too badly affected by news of the exploit. The token has actually risen 2.2% over the past 24 hours, according to CoinGecko.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
