Cetus Protocol Suffers $220M Exploit, Freezes Trading as Tokens Crash 80%

Oracle Bug Suspected as DeFi on Sui Faces Confidence Crisis

Cetus Protocol, a leading decentralized exchange on the Sui blockchain, has come under intense scrutiny after suffering a catastrophic exploit on May 22, 2025. The incident resulted in an approximately $220 million loss from its liquidity pools, crippling trading operations across the platform and triggering a near-total collapse in token prices. 

While early speculation hinted at a potential hack, growing chatter among users suggests an oracle malfunction may have been the real cause—though no official confirmation has been issued by the Cetus team.

The exploit was detected during early trading hours, prompting Cetus to immediately pause all smart contract activity. According to a public statement released via X, the team acknowledged an “incident” and assured users that an investigation was underway. 

However, the message offered no clarity on the exact nature of the breach. Conflicting reports have since emerged, with some users alleging that the issue stemmed from an oracle bug—an error in the pricing feed that smart contracts rely on for executing trades. Despite the mounting speculation, the lack of a definitive statement has left room for uncertainty, further compounding user anxiety.

Liquidity on the platform evaporated almost instantly following the exploit. Multiple pools, including those not directly targeted, saw their reserves drained or abandoned, forcing the exchange to freeze all trading functions. Cetus’s role as a core liquidity provider on Sui meant the impact reverberated across the ecosystem. 

Token prices tied to its pools plummeted by as much as 80%, sharply distorting the crypto price index and causing serious divergence in coin market cap valuations across decentralized and centralized platforms. SUI itself held relatively stable on centralized exchanges, but its price on Cetus DEX dropped drastically due to the depleted liquidity and halted swaps.

Early damage assessments painted varying pictures of the fallout. Some observers initially estimated as much as $220 million drained across all Cetus pools, though on-chain analysis later narrowed the quantifiable loss to $11 million, focusing specifically on the SUI/USDC pair. Regardless of the final figure, the shockwave sent through the coin market cap landscape was unmistakable. DeFi protocols on Sui rely heavily on Cetus for trading infrastructure, and the abrupt shutdown has sparked a wave of concern about the broader reliability of DeFi security on newer blockchains.

The exploit not only paralyzed user activity but also exposed deeper vulnerabilities in smart contract design and real-time anomaly detection—especially in environments where external data like pricing oracles feed directly into contract logic. With no confirmed resolution timeline, users have been urged to remain cautious. The team behind Cetus continues to analyze the breach, with the method of attack still undisclosed as of the latest updates.

New evidence from blockchain security firm PeckShield has revealed the full scale of the damage caused by the exploit targeting Cetus Protocol on May 22. Approximately $220 million worth of assets were drained from liquidity pools on the DEX, making it one of the most devastating DeFi breaches ever recorded on the Sui blockchain. The attack was initially cloaked in uncertainty, but has now been confirmed as an oracle manipulation exploit involving spoof tokens that tricked the protocol’s pricing mechanisms.

Cyvers Security CEO Deddy Lavid confirmed the attackers deployed counterfeit tokens to interfere with price curves and reserve calculations, fooling the protocol’s oracle system into mispricing liquidity pools. This tactic allowed the exploiters to systematically siphon real assets—including the SUI/USDC pool—before converting the stolen funds into USDC and bridging them to other chains. As of the latest blockchain tracking data, $164 million remains in the attacker’s Sui wallet, while $61.5 million in USDC has already been transferred to Ethereum. The use of stablecoin USDC was critical to their laundering strategy, enabling swift conversion and cross-chain movement.

The impact on token prices has been staggering. Native tokens across Sui’s ecosystem collapsed in response to the exploit. LOFI plunged 76%, HIPPO fell 80%, SQUIRT cratered by 97%, and CETUS dropped 53%. A total of 46 tokens suffered double-digit losses within 24 hours, undercutting the broader crypto price index for the Sui ecosystem and shaking confidence in the coin market cap valuations tied to DEX liquidity.

Behind closed doors, leaked Discord messages from Cetus developers indicate they initially suspected a bug in the oracle’s behavior. 

But as community speculation swirled, Cyvers' independent analysis confirmed this was not an internal misconfiguration, but rather a textbook oracle manipulation exploit. The use of spoof tokens to distort price feeds represents a known and preventable vector in DeFi, drawing criticism toward Cetus for its apparent lack of mitigation safeguards.

Industry observers and investigators expressed frustration at what they viewed as a slow institutional response. On-chain sleuth ZachXBT criticized USDC issuer Circle for failing to act quickly enough, referencing previous incidents in which delayed responses hindered fund recovery. Deddy Lavid echoed this sentiment, stating that repeated real-time alerts sent by Cyvers have been largely ignored by stablecoin issuers, with many opting to act only after detailed post-mortem analyses. “In this threat environment, delay is indistinguishable from inaction,” Lavid said.

Sui Network itself has remained largely silent on the exploit. When asked for comment, a network spokesperson declined to respond, instead pointing media inquiries to previously issued public posts on X. The protocol’s official stance has provided little additional insight, leaving community members searching for accountability in a fast-moving crisis.

Despite the scale of the exploit and the sharp drawdowns across DeFi tokens, the market response to the SUI token was unexpectedly positive. Within 24 hours of the breach, SUI’s price rose by 2.2%, a move that some analysts interpret as resilience, while others suggest it reflects a delayed reaction or speculative positioning.

Crypto influencers have begun weighing in, with former Binance CEO Changpeng Zhao noting, “Not a pleasant situation. Hope everyone stay SAFU!” His post fueled speculation that Binance-affiliated resources may be quietly engaged in monitoring the situation or assisting in fund recovery. 

Still, with $220 million gone and confidence shaken, the Sui DeFi ecosystem faces mounting pressure to overhaul its oracle systems, smart contract audits, and real-time risk response strategies.

New technical findings from blockchain security experts continue to expose the sophistication behind the exploit. Alex Horlan, CTO at HackenProof, detailed how the attacker used spoof tokens and strategic manipulation of the DEX’s liquidity mechanisms to withdraw assets repeatedly without supplying equivalent value. By initiating fake token pairs and altering reserve calculations through “near-zero” liquidity inputs, the attacker successfully extracted substantial amounts of SUI and USDC stablecoins.

Following the exploit, the attacker swiftly moved to convert the stolen SUI into USDC and began bridging those assets out of the Sui network. Roughly $63 million was moved to Ethereum, where laundering efforts intensified. According to monitoring tools Extractor and Lookonchain, approximately $60 million was used to acquire 20,000 ETH in a single high-value transaction. These assets were then transferred to a new Ethereum wallet address, with Ethereum’s infrastructure offering the attacker access to advanced privacy-preserving services, such as Tornado Cash and Thorchain—both known for facilitating anonymized asset flows.

Amid the fallout, coordinated action across the Sui ecosystem has managed to freeze a substantial portion of the stolen funds. The Sui Foundation confirmed that roughly $162 million of the compromised assets are now effectively immobilized. This was achieved through the participation of network validators who identified the malicious addresses and chose to reject any transaction attempts originating from them. The strategy has proven effective at halting movement, but has also reignited debate over decentralization within the Sui ecosystem.

Despite progress on recovery, the incident has sparked criticism from users and decentralization advocates. One user’s widely circulated comment questioned the integrity of the network’s censorship resistance: “Good news for the victims, but if validators — 114 only in total — can freeze wallets when they want, it raises a major question about the network’s censorship resistance. Sui is anything but decentralized.” That comment echoes broader concerns about validator governance and control in emerging Layer-1 blockchains.

The Cetus team has promised to deliver a full incident report in the coming days, which is expected to outline the timeline of the exploit, technical vulnerabilities, and steps being taken to mitigate similar risks going forward. Until then, the community continues to weigh the balance between security-driven intervention and the foundational DeFi principle of decentralization.

This article has been refined and enhanced by ChatGPT.