On the afternoon of May 22, CETUS, the token of Cetus Protocol, the leading DEX and liquidity protocol on the Sui chain, suddenly fell sharply, with the price nearly collapsing, and multiple token trading pairs on Cetus also declined steeply. Soon afterwards, many KOLs posted on X that the Cetus protocol's LP pools had been attacked by hackers.
According to on-chain monitoring, the Cetus attacker appears to have controlled all LP pools denominated in SUI, and as of the time of writing, the amount stolen has exceeded $260 million. The hacker has begun converting funds into USDC and bridging them to the Ethereum mainnet to exchange for ETH. About 60 million USDC has completed cross-chain transfers.
The hacker's on-chain address is: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06. The main assets in this address are still SUI and USDT, but it also holds mainstream Sui ecosystem tokens such as CETUS, WAL, and DEEP, which shows that the scope of this attack is extremely wide.
On the evening of the 22nd, a member of the Cetus team said in the project's Discord group chat that the Cetus protocol had not been robbed, but that an "oracle bug" had appeared. But the on-chain data does not lie. According to statistics, the losses of the Cetus protocol's LP pools exceeded US$260 million within 1 hour after the theft, exceeding the protocol's TVL (US$240 million) and market value (US$180 million).
On the morning of the 23rd, Cetus officially released the latest progress on the theft on social media, saying that the team had found the root cause of the vulnerability, fixed the relevant software packages, and hired a professional anti-cybercrime organization to support its fund tracking and negotiations on the safe return of funds. It added that it is currently negotiating with law enforcement agencies and arranging further assistance.
It is worth noting that Cetus said it had confirmed the Ethereum wallet address controlled by the hacker earlier that day and had negotiated with the hacker over the return of customer funds. It has proposed to pay the outstanding balance in the name of a white hat hacker, but the offer is time-limited. If the hacker accepts the terms, no further legal action will be taken.
Community opinion points out that the team has a history of theft
Interestingly, when Cetus caused the SUI ecosystem to plummet, many community members also pointed out on Twitter that Cetus and the previous Solana ecosystem DeFi protocol Crema Finance were developed by the same team, and Crema had suffered a theft incident.
On July 3, 2022, Crema Finance was also attacked by hackers using Solend flash loans, and the LP fund pool was drained, with a loss of more than $8 million. Then on July 7, the hacker returned $7.6 million worth of stolen cryptocurrency after negotiation with the team. According to the negotiation agreement between the two parties, the hacker was allowed to keep 45,455 SOL ($1.65 million) as a bounty.
Looking back at the Cetus theft, the protocol also suffered losses because the attacker controlled the LP pool, and the team also proposed to negotiate with the hacker by paying the outstanding balance in the name of the white hat hacker. There is currently no public information to prove that Crema and Cetus were indeed developed by the same team, but at present, both are indeed consistent in terms of the cause of the theft and the subsequent handling method.
Sui officials freeze hacker transactions, "on-chain censorship" raises questions about centralization
According to DeFiLlama data, Cetus has been the leading DEX and liquidity hub in the Sui ecosystem, accounting for more than 60% of the transaction volume of the entire ecosystem. This pool-draining attack directly destroyed the liquidity center of the ecosystem. For any "second-tier public chain", this is a devastating blow.
Since March last year, the transaction volume on the Sui ecosystem chain has been on an overall upward trend, and the prices of mainstream ecosystem tokens such as CETUS, DEEP, and WAL have also been soaring. It is generally regarded by the community as the public chain with the greatest return potential in this cycle and the "next Solana."
Interestingly, however, Dune data shows that there have always been a large number of wash trades on the Sui chain, and the ecosystem's liquidity toxicity has been close to 50% for a long time. This is part of the reason why the community has complained that the Sui ecosystem "has nothing, but the price keeps rising."
Caption: The radius of the circle in the figure below shows the total transaction volume of a single address. It can be seen that the wallet with the largest transaction volume also has a high transaction frequency, indicating that there may be wash trading; Data source: Dune Analytics
However, Sui’s “strong market maker” persona has been established in the minds of traders for a long time. In the past month’s altcoin recovery, Sui was also the most outstanding one among the mainstream public chains. Faced with this major ecological theft, the foundation lived up to expectations and responded quickly, once again strengthening its “strong market maker persona”.
At around 11pm on the 22nd, Sui officially announced that, in order to "protect the Sui ecosystem", a large number of Sui network validators had identified the addresses holding the stolen funds and were ignoring transactions from those addresses. The Cetus team is also actively exploring ways to recover these funds and return them to the community, and will soon release an incident report.
As soon as the news came out, the community exploded, and transaction censorship by a public chain became the biggest point of controversy. Many X users believed that Sui's response undermined its decentralized positioning, turning Sui from a "public chain" into a "centralized permissioned database."
According to Sui's official documentation, transactions on the Sui network fall into two categories: those involving only "exclusive objects" and those that also involve "shared objects". Only transactions involving shared objects must go through network-wide consensus, while transactions involving only exclusive objects can take the "direct fast path" and be executed without global ordering. As long as validators holding more than 2/3 of the total stake are honest, the network can theoretically guarantee both safety (no double spending) and liveness (valid transactions will eventually be executed).
Under Sui's delegated PoS + BFT design, sustained and indiscriminate transaction censorship requires joint control of more than 1/3 of the staked voting power. Censorship by a single node or a few nodes can only cause temporary delays, and is also likely to be regarded as malicious behavior, with those nodes "voted offline" by stakers in the next epoch. This is the "anti-censorship and openness" emphasized in the official documents. Obviously, the Sui Foundation controlled at least 1/3 of the staked voting rights of the entire network in this hacking incident.
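The threshold argument above can be checked with a small stake-weighted model. This is an added example, not code from Sui or from the original article: the validator names and weights are constructed, and the 10,000-unit voting power with a 6,667 quorum is a modelling assumption standing in for "more than 2/3 of stake".

```python
from typing import Dict, Iterable, List

# Modelling assumption: voting power is normalised to 10,000 units and a
# transaction is only certified once validators holding more than 2/3 of it
# have signed. Refusing validators simply withhold their signature.
TOTAL_POWER = 10_000
QUORUM = 6_667
BLOCKING_POWER = TOTAL_POWER - QUORUM + 1  # 3,334 units: just over 1/3

# Constructed validator set (hypothetical names and weights, sum = 10,000).
VALIDATORS: Dict[str, int] = {
    "v0": 1500, "v1": 1200, "v2": 1000, "v3": 1000, "v4": 900,
    "v5": 900, "v6": 900, "v7": 900, "v8": 900, "v9": 800,
}


def refusing_power(power: Dict[str, int], refusing: Iterable[str]) -> int:
    """Combined voting power of the validators ignoring a sender."""
    names = set(refusing)
    unknown = names - set(power)
    if unknown:
        raise ValueError(f"unknown validators: {sorted(unknown)}")
    return sum(power[name] for name in names)


def can_certify(power: Dict[str, int], refusing: Iterable[str]) -> bool:
    """True if the validators that still sign reach the quorum."""
    if sum(power.values()) != TOTAL_POWER:
        raise ValueError("voting power must sum to TOTAL_POWER")
    return TOTAL_POWER - refusing_power(power, refusing) >= QUORUM


def smallest_blocking_coalition(power: Dict[str, int]) -> List[str]:
    """Fewest validators whose joint refusal blocks a sender for good.

    Taking the largest weights first is optimal for reaching a sum threshold
    with the fewest members.
    """
    coalition: List[str] = []
    total = 0
    for name, weight in sorted(power.items(), key=lambda kv: (-kv[1], kv[0])):
        coalition.append(name)
        total += weight
        if total >= BLOCKING_POWER:
            break
    return coalition


if __name__ == "__main__":
    print("two largest refuse, still certified:", can_certify(VALIDATORS, ["v0", "v1"]))
    print("smallest blocking coalition:", smallest_blocking_coalition(VALIDATORS))
```

In this constructed set, two large validators ignoring an address cannot stop its transactions, while three can; the size of that smallest coalition is a direct measure of how concentrated censorship power is.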
Comparison of transaction censorship scenarios under the Sui network's consensus mechanism
The controversy over "centralized public chains" has started since the last cycle of Solana, and some community members have pointed out that "anti-censorship properties" are not the most important properties for current crypto investors. In a world where return rate is still the goal and core, perhaps "pulling the market" is justice.