Sui-based Cetus Protocol suspends operations following $260 million oracle exploit




Cetus Protocol, a decentralized exchange (DEX) operating on the Sui Network, has suspended its smart contract operations after a serious security breach.

The platform confirmed the exploit on May 22 through its official X account, noting that the shutdown was necessary to prevent further fund loss. It stated:

“🚨Alert Announcement 🚨

There was an incident detected on our protocol and our smart contract has been paused temporarily for safety. The team is investigating the incident at the moment. A further investigation statement will be made soon. We are grateful for your patience.”

Blockchain analytics firm Lookonchain revealed that the attacker drained over $260 million from the protocol. The stolen assets are reportedly being swapped into USDC and bridged to Ethereum, where they are exchanged for ETH.

Lookonchain reported that approximately $60 million in USDC had already been transferred across chains at the time of reporting.


Data from DeFiLlama supports this, showing a steep drop in the platform’s total value locked (TVL), which fell by more than $200 million to around $75 million.

Meanwhile, Cetus Protocol’s native token, CETUS, plunged over 24% to $0.15 as of press time, according to CryptoSlate’s data.

The exploit also triggered a broader selloff in the Sui ecosystem, with seven out of 11 Sui-based tokens tracked by CryptoSlate registering losses of around 5% or more.

Rosco Kalis, the founder of Revoke Cash, pointed out:

“The stolen funds mostly belonged to the LPs of the DEX. But this also caused a lot of Sui token prices to crash, affecting normal users as well. The SUI token itself seems to be holding up relatively fine so far though, only down slightly for the day.”

How Cetus was exploited

Early analysis suggests the exploit may be linked to a flaw in the protocol’s pricing mechanism.

Alex Horlan, CTO of web3 security firm HackenProof, explained that the attacker likely used a near-zero liquidity injection to manipulate the pools’ internal state. This allowed them to extract valuable SUI and USDC tokens without contributing real assets.

He added that the team needs to:

“Check the math behind addLiquidity, removeLiquidity, and swap functions — especially where they compute token ratios, round small values, and handle tokens with decimals = 0.”
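The rounding check Horlan describes can be expressed as a round-trip invariant: adding liquidity and then removing it must never return more than was paid in. The sketch below is an added example, not Cetus or Sui code and not a reconstruction of the incident; the pool model and the names `mul_div`, `Pool` and `round_trip_profit` are hypothetical, and the reserve and share figures are constructed.

```python
# Toy single-asset pool, constructed for illustration; not Cetus or Sui code.
from dataclasses import dataclass

def mul_div(a: int, b: int, d: int, round_up: bool) -> int:
    """Integer a*b/d with an explicit rounding direction."""
    q, r = divmod(a * b, d)
    return q + 1 if (round_up and r) else q

@dataclass
class Pool:
    reserve: int             # token units held (decimals = 0: whole units only)
    shares: int              # LP shares outstanding
    deposit_rounds_up: bool  # True = the depositor absorbs the rounding error

    def add_liquidity(self, minted: int) -> int:
        """Mint `minted` shares; return the tokens the depositor must pay."""
        owed = mul_div(minted, self.reserve, self.shares, self.deposit_rounds_up)
        self.reserve += owed
        self.shares += minted
        return owed

    def remove_liquidity(self, burned: int) -> int:
        """Burn `burned` shares; the payout always rounds down, in the pool's favour."""
        out = mul_div(burned, self.reserve, self.shares, False)
        self.reserve -= out
        self.shares -= burned
        return out

def round_trip_profit(deposit_rounds_up: bool, chunk: int = 999, repeats: int = 1001) -> int:
    """Net tokens gained by minting many tiny positions, then burning them all.
    The invariant an audit should assert: this is never positive."""
    pool = Pool(reserve=1_000, shares=1_000_000, deposit_rounds_up=deposit_rounds_up)
    paid = sum(pool.add_liquidity(chunk) for _ in range(repeats))
    received = pool.remove_liquidity(chunk * repeats)
    return received - paid

if __name__ == "__main__":
    print("floor on deposit:", round_trip_profit(False))  # invariant broken
    print("ceil on deposit: ", round_trip_profit(True))   # invariant holds
```

With the amount owed rounded down, each small deposit costs nothing and the round trip is profitable; rounding the amount owed up makes the same sequence a small loss, which is the direction a pool's math should always take.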

Earlier today, a member of the Cetus team posted to Discord that the platform was “not hacked, we’ve detected a bug in the oracle.” The general consensus among Crypto Twitter now appears to support oracle manipulation as the cause of the exploit.

Cetus Protocol employs a dual approach to oracles within its ecosystem:

Internal oracle via concentrated liquidity pools: Cetus’s concentrated liquidity pools serve as an on-chain oracle by providing real-time liquidity data and historical price information. This mechanism allows external developers and platforms to access accurate market data derived directly from actual trading activity, reducing reliance on off-chain data sources. It is supposed to minimize risks associated with oracle manipulation.

Integration with Pyth Network: Cetus also contributes its decentralized exchange (DEX) price data to the Pyth Network, a decentralized oracle solution.

As of press time, Pyth Network has not commented on the incident, so it is unclear whether the pricing issue originated from the on-chain oracles or Pyth.

Despite the unsavory incident, the project has received support from the broader crypto community. Binance founder and former CEO Changpeng Zhao noted that his team has reached out to help Cetus resolve the situation.
