Original author: Haotian, crypto researcher
Many people are puzzled. After Sui officially stated that @CetusProtocol had been hacked, the validator network coordinated to "freeze" the hacker's address, recovering $160 million. How exactly did they do it? Is decentralization really a "lie"? Below, let's analyze it from a technical perspective:
· The part transferred over a cross-chain bridge: After the attack succeeded, the hacker immediately transferred some assets such as USDC to Ethereum and other chains through a cross-chain bridge. These funds are already unrecoverable, because once they leave the Sui ecosystem the validators are powerless.
· The part still on the Sui chain: A considerable amount of the stolen funds is still held in the Sui address controlled by the hacker. These funds became the target of the "freeze."
So how was this achieved?
1. Transaction filtering at the validator level—simply put, the validators collectively "turned a blind eye":
- Validators directly ignored transactions from the hacker's address in the transaction pool (mempool);
- These transactions are technically completely valid, but they are simply never included on-chain;
- The hacker's funds were thus "soft locked" in the address.
2. Key mechanism of the Move object model—The object model of the Move language makes this "freeze" feasible:
- Transfers must be on-chain: Although the hacker controls a large amount of assets in the Sui address, moving these USDC, SUI, and other objects requires a transaction that is submitted to and included by the validators;
- Validators hold the power of life and death: If validators refuse to include it, the objects can never move;
- Result: The hacker nominally "owns" these assets, but in reality has no way to access them.
It's like having a bank card, but all ATMs refuse to serve you. The money is on the card, but you can't withdraw it. With the SUI validator nodes (the ATMs) continuously monitoring and blocking the address, the SUI and other tokens in the hacker's address cannot circulate; the stolen funds are effectively "destroyed," objectively playing a "deflationary" role.
Of course, in addition to the temporary coordination of validators, Sui may have preset a deny list function at the system level. If this is indeed the case, then the process might be: the relevant authority (such as the Sui Foundation or through governance) adds the hacker's address to the system deny_list, and validators execute based on this system rule, refusing to process transactions from blacklisted addresses.
Whether through temporary coordination or system rule execution, it requires a majority of validators to act in unison. Clearly, the power distribution of Sui's validator network is still too centralized, allowing a few nodes to control key decisions across the network. Validator centralization is not unique to Sui: from Ethereum to BSC, most PoS networks face similar risks of validator concentration, but Sui has exposed the problem more clearly this time.
—— How can a network that claims to be decentralized have such strong centralized "freezing" capabilities?
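An added example (not from the original article or from Sui's code) that models the soft lock described above: each validator keeps a local deny list, and a transaction moves only if enough stake is still willing to sign it. The stake table, the 2/3 quorum and the placeholder address are assumptions of this model; the last function computes how few validators are enough to block a sender.

```python
from fractions import Fraction

# Constructed stake table (validator -> voting power); not real Sui data.
STAKE = {"v1": 30, "v2": 25, "v3": 15, "v4": 10, "v5": 10, "v6": 10}
# Assumed model parameter: a transaction finalizes only if validators holding
# more than this fraction of total stake sign it.
QUORUM = Fraction(2, 3)
FROZEN = "0xFROZEN_PLACEHOLDER"  # placeholder address, not from the article


def signing_stake(sender, stake, deny_lists):
    """Total stake of validators whose local deny list does not contain sender."""
    return sum(s for v, s in stake.items()
               if sender not in deny_lists.get(v, set()))


def can_finalize(sender, stake, deny_lists, quorum=QUORUM):
    """True if enough stake is still willing to sign a transaction from sender."""
    total = sum(stake.values())
    return Fraction(signing_stake(sender, stake, deny_lists), total) > quorum


def min_blocking_set(stake, quorum=QUORUM):
    """Fewest validators whose refusal alone keeps any transaction below quorum.
    Taking validators in descending stake order minimizes the count."""
    total = sum(stake.values())
    refused, chosen = 0, []
    for name, s in sorted(stake.items(), key=lambda kv: (-kv[1], kv[0])):
        if Fraction(total - refused, total) <= quorum:
            break
        chosen.append(name)
        refused += s
    return chosen


if __name__ == "__main__":
    one = {"v1": {FROZEN}}
    two = {"v1": {FROZEN}, "v2": {FROZEN}}
    print("no filtering:", can_finalize(FROZEN, STAKE, {}))
    print("v1 refuses:", can_finalize(FROZEN, STAKE, one))
    print("v1+v2 refuse:", can_finalize(FROZEN, STAKE, two))
    print("other sender:", can_finalize("0xOTHER", STAKE, two))
    print("smallest blocking set:", min_blocking_set(STAKE))
```

Running the same functions over a published stake distribution gives a direct measure of how concentrated the freezing power is for a given quorum rule.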
What’s more concerning is that Sui officials stated they would return the frozen funds to the pool, but if the validators truly "refuse to pack transactions," these funds should theoretically never move. How did Sui manage to return them? This further challenges the decentralization characteristics of the Sui chain!
Could it be that, in addition to a few centralized validators refusing transactions, the officials even have super permissions at the system level to directly modify asset ownership? (Sui needs to provide further details on the "freeze.") Before specific details are disclosed, it is necessary to discuss the trade-offs surrounding decentralization:
On emergency intervention: is sacrificing a bit of decentralization necessarily a bad thing? Faced with a hacker attack, do users really want the entire chain to do nothing?
What I want to say is that while nobody wants money to fall into the hands of hackers, this action raises greater market concerns, because the freezing standards are completely "subjective": What counts as "stolen funds"? Who defines it? Where are the boundaries? Today it's freezing hackers; who will it be tomorrow? Once this precedent is set, the core anti-censorship value of public chains will be completely undermined, inevitably causing damage to user trust.
Decentralization is not black and white; Sui has chosen a specific balance point between user protection and decentralization. The key issue lies in the lack of a transparent governance mechanism and clear boundary standards. Most blockchain projects are currently making such trade-offs, but users have the right to know the truth, rather than being misled by the label of "complete decentralization."