On May 22, the Sui ecosystem's Cetus protocol experienced a sudden security incident, leading to a freeze of funds that became the focus of community concern. On May 24, Sui officials announced their support for an on-chain governance proposal initiated by Cetus to return the frozen funds through a protocol upgrade, but with two additional conditions: the officials would relinquish their voting rights and remain neutral, and Cetus would commit to using all financial resources to ensure full compensation for users.
On May 28, Cetus officials stated that they had the capability to fully compensate for the off-chain stolen assets, including key loans from the Sui Foundation, but this was contingent on the community voting to approve the protocol upgrade to unlock the frozen assets.
As a result, Cetus requested to initiate a community-led vote to recover the funds frozen during last week's attack. In response, the Sui Foundation agreed to assist in initiating a vote among Sui validator nodes, which represent the interests of their staked users and the entire network. Sui token holders and stakers can also participate directly in the vote through staking delegation.
Cetus's proposal is to execute a protocol upgrade that would recover all funds currently frozen in two hacker addresses without requiring hacker signatures. If the proposal passes, these funds will be transferred and held in a multi-signature escrow wallet until they can be returned to accounts that previously held positions in Cetus. The funds will be held in a wallet controlled by a 6-of-4 signature mechanism involving Cetus, the Sui Foundation, and the auditing firm OtterSec. A "yes" vote indicates support for transferring the frozen assets to this trust wallet and returning them to users in batches under a verification mechanism; a "no" vote means rejecting such a protocol upgrade.
Regardless of the voting outcome, Cetus stated that it would immediately initiate a recovery plan after the vote concludes, with a detailed plan to be announced soon.
As of the time of writing, the price of the CETUS token has surpassed $0.16, with a 24-hour increase of 27%. With positive market feedback and the foundation's endorsement in place, whether Cetus's fund recovery plan can be implemented now depends largely on the upcoming Sui community vote.
The following is the version at the time of the article's initial release:
On the afternoon of May 22, the leading DEX liquidity protocol on the Sui chain, Cetus Protocol's token CETUS, suddenly experienced a significant drop, with prices nearly "crashing." Multiple token trading pairs on Cetus also saw sharp declines. Subsequently, many KOLs posted on X, indicating that the Cetus protocol's LP pool had been attacked by hackers.
On-chain monitoring indicated that the Cetus attacker seemed to control all LP pools priced in SUI, with the amount stolen exceeding $260 million as of the time of writing. The hacker has begun converting the funds to USDC and cross-chain transferring them to the Ethereum mainnet for exchange into ETH, with approximately $60 million in USDC already successfully transferred.
The hacker's on-chain address is: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06. Currently, the main assets in this address are still primarily SUI and USDT, but mainstream Sui ecosystem tokens such as CETUS, WAL, and DEEP are also included, indicating the extensive scope of this hacker attack.
On the evening of the 22nd, a member of the Cetus team stated in the project's Discord chat that the Cetus protocol had not been hacked, but rather that there was an "oracle bug." However, on-chain data does not lie; according to statistics, the losses in the Cetus protocol's LP pool exceeded $260 million within one hour of the theft incident, surpassing the protocol's TVL ($240 million) and market cap ($180 million).
On the morning of the 23rd, Cetus officials released an update on social media regarding the theft incident, stating that the team had identified the source of the vulnerability and fixed the related software packages, and had hired a professional anti-cybercrime organization to assist with fund tracking and negotiations regarding the safe return of funds. They are currently in discussions with law enforcement and are arranging further assistance.
Notably, the officials stated that they had confirmed the Ethereum wallet address controlled by the hacker from the attack earlier that day and had negotiated with them regarding the return of customer funds. They proposed to pay the outstanding balance in the name of a white-hat hacker, but time is limited. If the hacker accepts the terms, no further legal action will be taken.
Community Opinion Points to Team's "Theft History"
Interestingly, as Cetus triggered a crash in the SUI ecosystem, many community members pointed out on Twitter that Cetus was developed by the same team behind the previous Solana ecosystem DeFi protocol Crema Finance, which had also experienced a theft incident.
On July 3, 2022, Crema Finance was similarly attacked by hackers using a Solend flash loan, draining the LP fund pool and resulting in losses exceeding $8 million. Subsequently, on July 7, the hacker returned $7.6 million worth of stolen cryptocurrency after negotiating with the team. According to the negotiation agreement, the hacker was allowed to keep 45,455 SOL ($1.65 million) as a bounty.
Looking back at the Cetus theft incident, the protocol also suffered losses because the attacker controlled the LP pool, and the team proposed to negotiate with the hacker by offering to pay the outstanding balance in the name of a white-hat hacker. Currently, there is no public information proving that Crema and Cetus are indeed developed by the same team, but it appears that both share similarities in terms of the reasons for the theft and subsequent handling methods.
Sui Officials Freeze Hacker Transactions, "On-Chain Censorship" Actions Raise Centralization Concerns
According to DeFiLlama data, Cetus had previously been the leading DEX and liquidity hub in the Sui ecosystem, accounting for over 60% of the entire ecosystem's trading volume. This "liquidation-style" attack undoubtedly directly undermined the liquidity center of the ecosystem, which would be a devastating blow for any "second-tier public chain."
Since March of last year, the trading volume on the Sui ecosystem chain has shown an overall upward trend, with the prices of mainstream ecosystem tokens such as CETUS, DEEP, and WAL also soaring, widely regarded by the community as the public chain with the highest potential for returns in this cycle and the "next Solana."
However, interestingly, according to Dune data, there has been a significant amount of wash trading on the Sui chain, with the ecosystem's liquidity toxicity remaining close to 50% for a long time. This is part of the reason why the community has responded that the Sui ecosystem "has nothing, yet the price keeps rising."
Illustration: The radius of the circles in the image below shows the total trading volume of a single address, and it can be seen that the wallet with the highest trading volume also has a high trading frequency, indicating possible wash trading; data source: Dune Analytics
Nevertheless, Sui's "strong market maker" persona has been established in the minds of traders for a long time. In the past month, during the resurgence of altcoins, Sui has also been one of the best-performing mainstream public chains. In response to this major ecosystem theft, the foundation indeed did not disappoint, quickly providing a response that further reinforced its "strong market maker" persona.
On the evening of the 22nd, around 11 PM, Sui officials released a statement saying that to "protect the Sui ecosystem," a large number of Sui network validators had identified the hacker's addresses holding the stolen funds and were ignoring transactions from these addresses. The CETUS team is also actively exploring ways to recover these funds and return them to the community, and will soon release an incident report.
Upon hearing this news, the community erupted, with "public chain transaction censorship" becoming the biggest point of contention. Many users on X believe that Sui's response undermines its decentralized positioning, transforming Sui from a "public chain" into a "centralized permissioned database."
According to Sui's official documentation, transactions on the Sui network fall into two categories: those involving only owned ("exclusive") objects and those involving shared objects. Only transactions involving shared objects must go through global consensus, while transactions that touch only owned objects can take a direct fast path and execute without global ordering. As long as validators holding more than 2/3 of the total stake are honest, the network can theoretically guarantee both safety (no double spending) and liveness (valid transactions will eventually be executed).
Under Sui's delegated PoS + BFT design, sustained, indiscriminate transaction censorship would require joint control of more than 1/3 of the staked voting rights. Censorship by a single node or a few nodes can only cause temporary delays and is easily perceived as malicious behavior, leading stakers to "vote them offline" in the next epoch. This is also emphasized in the official documentation's discussion of "resistance to censorship and openness." Clearly, the Sui Foundation controlled at least 1/3 of the staked voting rights in this hacker incident.
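The threshold arithmetic in the two paragraphs above, as an added example that is not from the article or from Sui's code: it models a transaction as blocked once the validators refusing to sign it hold more than 1/3 of total stake, and computes the smallest validator set that reaches that share. The validator names and stake figures are constructed.

```python
# Added illustration. Model assumption: a transaction is certified unless the
# validators refusing to sign it hold MORE than 1/3 of total stake.
# Validator names and stake values below are constructed sample data.
SAMPLE_STAKES = {
    "v01": 1500, "v02": 1200, "v03": 1100, "v04": 1000, "v05": 1000,
    "v06": 900, "v07": 900, "v08": 800, "v09": 800, "v10": 800,
}

def refusing_stake(stakes, refusing):
    """Total stake held by the validators in `refusing`."""
    unknown = set(refusing) - set(stakes)
    if unknown:
        raise ValueError(f"unknown validators: {sorted(unknown)}")
    return sum(stakes[v] for v in set(refusing))

def can_certify(stakes, refusing):
    """True if the transaction still reaches quorum despite `refusing`."""
    total = sum(stakes.values())
    # Integer comparison avoids float rounding at the 1/3 boundary.
    return 3 * refusing_stake(stakes, refusing) <= total

def min_blocking_coalition(stakes):
    """Fewest validators whose joint refusal blocks certification.

    Taking validators largest-stake-first maximises the stake of any
    k-member set, so the first prefix that crosses 1/3 is minimal in size.
    """
    total = sum(stakes.values())
    coalition, held = [], 0
    for name, stake in sorted(stakes.items(), key=lambda kv: (-kv[1], kv[0])):
        coalition.append(name)
        held += stake
        if 3 * held > total:
            return coalition
    return coalition  # unreachable for any non-empty stake table

def censorship_report(stakes, refusing):
    """Summarise whether a given refusing set delays or fully blocks."""
    total = sum(stakes.values())
    held = refusing_stake(stakes, refusing)
    return {
        "refusing_share_pct": round(100 * held / total, 2),
        "blocked": not can_certify(stakes, refusing),
        "min_validators_to_block": len(min_blocking_coalition(stakes)),
    }

if __name__ == "__main__":
    print(censorship_report(SAMPLE_STAKES, {"v01", "v02"}))
    print(censorship_report(SAMPLE_STAKES, {"v01", "v02", "v03"}))
```

The size of the minimal blocking set is a rough measure of how concentrated stake is: the fewer validators needed to cross 1/3, the easier coordinated censorship becomes.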
The controversy over "centralized public chains" began during the last cycle with Solana, and some community members have pointed out that "resistance to censorship" is not the attribute that current crypto investors care about the most. In a world still focused on returns and core objectives, perhaps "market manipulation" is seen as justice.