New public chains encounter old problems: Should SUI choose decentralization or security?

Block Unicorn, 05/28/2025, 11:00 AM
Cryptocurrency is supposed to be free from centralized control and cannot be frozen or controlled by anyone.

Author: Token Dispatch, Thejaswini MA, Nameet Potnis, Prathik Desai

Compiled by: Block Unicorn

Preface

Cryptocurrency is supposed to be free from centralized control—money that cannot be frozen or controlled by anyone.

Last week, Sui’s Cetus protocol suffered a $223 million attack, prompting the team to scramble to freeze $162 million in funds. The freeze also sparked a heated debate: if a blockchain can suspend your funds, is cryptocurrency really as unstoppable as it claims?

Here’s how the latest crypto “decentralization” drama unfolded:

  • How fake tokens wiped out $223 million in 10 minutes
  • The controversial fund freeze incident: saving users but causing public outrage
  • Why this team's second major hack feels familiar
  • Sui's $10 million security overhaul (and why it might not be enough)

Ten-minute breakdown

The morning of May 22 seemed like just another day for Sui, until something changed. Then, all hell broke loose.

Cetus Protocol, Sui’s largest decentralized exchange with a daily trading volume of over $200 million, lost $223 million in a matter of minutes. The attack was incredibly efficient.

Disaster struck instantly:

  • The main meme coins LOFI, HIPPO and SQUIRT on the SUI chain plummeted by more than 75% within an hour.
  • The native token of Cetus Protocol, $CETUS, has fallen 53% in the past four days.

 Source: TradingView

The attack method? Simple but deadly.

Hackers deployed fake tokens to Cetus (essentially digital Monopoly currency) and exploited a vulnerability in Cetus’ smart contracts to trick the protocol into believing these worthless tokens had real value.

In short, “imagine you go to a toy exchange and bring some fake toys that look valuable but are actually worthless, and then you trade them for real toys and run away,” explained Manan Vora, head of cryptocurrency custody company Liminal.

Centralized Freeze

This is where the story starts to get controversial.

Within hours, Sui’s 114 validators — the nodes that run the network — collectively decided to freeze the hacker’s addresses. No vote. No governance proposal. Just like any governance decision made by a centralized institution. Do you see the irony?

The result? $162 million was saved. But at what cost? It angered all the advocates of decentralization.

Justin Bons of European cryptocurrency fund Cyber Capital led the opposition to the move.

 Source: Twitter user Justin_Bons

The data reveals the harsh truth:

  • Sui's validator nodes: 114
  • Ethereum’s validator nodes: over 1 million
  • Solana’s validator nodes: 1,153

When 114 entities can coordinate to freeze funds, even for legitimate reasons, it raises uncomfortable questions about what “decentralization” really means.

A familiar defense

This isn't the first time Cetus has pulled off this kind of stunt - and that's not a compliment.

The same team ran Solana’s Crema Finance, an exchange that lost $9 million to hackers in July 2022. Their response? Offering the hackers $1.6 million to return the funds. The hackers eventually accepted the deal, but allegedly ended up in jail anyway (the details of the case match up, but have never been officially confirmed).

Now, facing an attack 25 times larger than the previous one, the Cetus team has resorted to the same old tricks and proposed a time-limited settlement:

  • Plan: Return $217 million and retain $6 million
  • Terms: No prosecution, no further inquiry
  • Deadline: 48 hours, otherwise "legal action will be taken"

However, the crypto community is not buying it. One user summed it up: "Same team, same vulnerability, different blockchain. How many chances do they have?"

Crisis Control Mode

When the dust settled, the data painted a grim picture:

  • Total value locked (TVL): from $2.1 billion to $1.7 billion (down 20%)
  • SUI Token: Down about 15%
  • Trading volume: All Sui decentralized exchanges collapsed
  • User confidence: Comments on Twitter are merciless

 Source: DefiLlama

Sui’s response is divided into two parts.

First, they pledged $10 million to conduct a comprehensive security overhaul:

  • Strengthening smart contract auditing
  • Improving the Bug Bounty Program
  • Introducing formal verification tools
  • Developer Security Training
  • Open Source Security Libraries

Secondly, they announced a shift from "platform responsibility" to "shared responsibility." Translated, it means: we can't do everything, developers also have to take responsibility.

Noble? Yes. Enough? The market has the answer.

On Monday, the CETUS token rebounded 10%, going from a complete crash to just a major blow. But the technical challenges run much deeper than price issues.

This attack exposed fundamental problems:

  • Insufficient liquidity: Violent price fluctuations are inevitable
  • Oracle vulnerability: the culprit that triggered all this
  • Cross-chain risk: Once funds flow into Ethereum, the game is over

Cetus has now patched the immediate vulnerability, but restoring confidence is not as easy as restoring code.

So what's their next step?

Our View

This hack is not just about stolen funds, it’s also about an identity crisis for cryptocurrency.

Decentralization paradox: Sui’s validator nodes saved $162 million through coordinated action, proving the effectiveness of the system. However, it also proved that 114 entities can effectively control a network ecosystem that is supposed to be decentralized. This is not the censorship-resistant freedom that Satoshi or any decentralization advocates dreamed of. Instead, it is more like a community patrol with nuclear weapons. Is it effective? Yes. Is it decentralized? That is becoming a relative concept.

Competence questioned: When the same team suffers two major hacks with similar attack methods, it is no longer bad luck, but a pattern. The crypto industry has always been very tolerant of technical mistakes, but Cetus is challenging the bottom line of this tolerance. Their $6 million bounty may recover funds, but it cannot restore reputation. At a certain point, it is no longer acceptable to say "we will do better next time."

Maturity Test: Sui shows growth potential with its pledge of $10 million in security overhauls and a “shared responsibility” model. But this is reactive, not proactive. What matters is whether the blockchain network can quickly mature enough to handle institutional money. With total value locked falling and trust wavering, Sui is no longer just fighting technical vulnerabilities; it is also fighting for its place in an increasingly competitive L1 landscape.

The one uncomfortable truth exposed by this hack? Perfect decentralization may be incompatible with user protection. Sui chose protection. Ethereum ultimately chose purity. Bitcoin never had to make that choice.

Sui is facing a critical decision: whether to conduct an on-chain vote to return the frozen funds. If this sounds familiar, it’s because Ethereum faced the same decision after the DAO hack in 2016. Their decision to fork still divides the community to this day.

Meanwhile, hackers still control over $60 million in funds on Ethereum. The Cetus bounty deadline is approaching. Will they take the $6 million and run, or risk it all?

The industry is watching Sui’s next move. For now, the “code is law” extremists are losing out to the “users want their money back” pragmatists.

This article represents the views of the PANews columnist and does not represent PANews' position. PANews assumes no legal responsibility.