Digital Assets Stolen Following Exploit on Sui-Based DEX Cetus
We now know more about the bug exploited last week, which resulted in over $220 million in funds being stolen from the Sui-based DEX Cetus, much of it since frozen.
On Monday, Sui described the flaw as “a bug in a Cetus math library” and promised to commit $10 million to improving Sui’s security more broadly. This includes a bug bounty program, plus Sui-funded security audits for projects using the chain.
Blockchain security firm Dedaub explained that the attack involved intentionally misconfiguring a liquidity pool with an “extremely high value.”
“This allowed them to add massive liquidity positions with just 1 unit of token input, subsequently draining pools collectively containing hundreds of millions of dollars worth of token,” the firm wrote.
Image from Cetus detailing how the incident occurred.
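The article only says that a math-library bug, combined with a pool parameter set to an "extremely high value," let the attacker mint huge liquidity positions for one token unit. The following is an added illustration, not Cetus's or Sui's code and not a reconstruction of their actual bug: it shows the general failure class a defender should test for, namely fixed-width arithmetic in deposit math that wraps silently instead of failing. The Q64.64 price representation, the 128-bit intermediate, the simplified deposit formula and the `MAX_SQRT_PRICE_DELTA` bound are all assumptions made for the example.

```python
# Added illustration (not Cetus's or Sui's code): how silently wrapping
# fixed-width arithmetic in AMM liquidity math can make a huge position look
# almost free. Prices are modelled as Q64.64 fixed point and intermediate
# products as 128-bit values; the formula is a simplified stand-in for real
# deposit math, chosen only to show the overflow failure mode and its fix.

Q64 = 1 << 64                   # scale factor for Q64.64 fixed point
U128_MASK = (1 << 128) - 1      # a u128 intermediate keeps only these bits
MAX_SQRT_PRICE_DELTA = 1 << 96  # constructed upper bound a pool should accept


class MathOverflow(Exception):
    """Raised when an intermediate value does not fit its fixed-width type."""


def required_tokens_wrapping(liquidity: int, sqrt_price_delta: int) -> int:
    """Token units owed for a position, with a u128 product that wraps silently.

    This mimics unchecked arithmetic: bits above 128 are thrown away, so a
    large enough product comes back tiny and the depositor is under-charged.
    """
    product = (liquidity * sqrt_price_delta) & U128_MASK
    return (product + Q64 - 1) >> 64  # round up from Q64.64 to whole units


def required_tokens_checked(liquidity: int, sqrt_price_delta: int) -> int:
    """Same computation, but refuses to continue when the product exceeds u128."""
    product = liquidity * sqrt_price_delta
    if product > U128_MASK:
        raise MathOverflow(
            f"product needs {product.bit_length()} bits, u128 holds 128"
        )
    return (product + Q64 - 1) >> 64  # round up: never under-charge the depositor


def validate_pool_parameter(sqrt_price_delta: int) -> bool:
    """Defence in depth: reject pool configurations outside a plausible range
    at creation time, so an 'extremely high value' never reaches the math."""
    return 0 < sqrt_price_delta <= MAX_SQRT_PRICE_DELTA


def deposit_quote(liquidity: int, sqrt_price_delta: int):
    """Return (wrapping_quote, checked_quote_or_None, parameter_ok) so the two
    arithmetic styles and the parameter guard can be compared side by side."""
    wrapping = required_tokens_wrapping(liquidity, sqrt_price_delta)
    try:
        checked = required_tokens_checked(liquidity, sqrt_price_delta)
    except MathOverflow:
        checked = None
    return wrapping, checked, validate_pool_parameter(sqrt_price_delta)


if __name__ == "__main__":
    # Constructed inputs: a large position against a pool whose price parameter
    # has been set far beyond any sane range. The product is 2**128 + 2**32,
    # one bit too wide for u128, so the wrapped result is just 2**32 and the
    # wrapping quote rounds up to a single token unit.
    print(deposit_quote(1 << 32, (1 << 96) + 1))   # (1, None, False)
    # A sane deposit: both arithmetic styles agree and the parameter passes.
    print(deposit_quote(10**6, Q64))               # (1000000, 1000000, True)
```

The honest cost of that first position is 2**64 + 1 token units, more than most tokens have in existence; the wrapping version quotes one. Two independent controls catch it: the checked multiply fails closed, and the parameter bound rejects the pool configuration before any math runs.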
As of May 26, Cetus stated that the majority of the swiped crypto (roughly $162 million) remained frozen across two Sui wallets, while the rest of the stolen funds had already been converted to ETH by the attacker.
“Cetus has been among the DeFi teams on Sui that invested the most in smart contract audits and system safeguards. Unfortunately, reality does not always unfold as we wish,” the exchange stated in its disclosure. “Multiple rounds of audits… gave us a sense that we had done enough. In hindsight, we realize we allowed ourselves to relax our vigilance. This painful lesson has shown us: we must do more.”
Cetus also noted last week that it had not been contacted by the attacker.
Sui isn’t the only chain recently seeing large crypto thefts stemming from exploits. On a much smaller scale, Cardex, a game on Abstract, had a flaw that resulted in at least $500,000 being siphoned from that app’s users earlier this year.
Proponents highlight permissionless development as key to financial decentralization, allowing more people to build in a chain’s ecosystem with less oversight. However, the same characteristic means a chain’s reputation can take a hit when apps built on it—despite their own safeguards—fall short, leading to headline-generating exploits and significant losses.
“Security audits are inherently imperfect,” wrote BlockSec’s CCO, who goes by Orlando on X. “In 2023, the entire crypto market spent $1 billion on security audits, yet $2 billion in assets were still stolen.”