Cetus Protocol Exploited, Resulting in the Loss of Over $223 Million in Digital Assets

The Cetus Protocol, the largest decentralized exchange and liquidity platform on the Sui blockchain, has suffered a devastating exploit resulting in the loss of

The DeFi world was rocked today by the exploit of Cetus Protocol, a leading decentralized exchange and liquidity platform on the Sui blockchain. In an attack that began on May 22, 2025, hackers stole digital assets worth more than $223 million from Cetus.

The exploit, which involved the creation of spoof tokens and the abuse of liquidity pool mechanics, is one of the most significant DeFi breaches in recent times and has triggered widespread disruption across the nascent Sui ecosystem.

It is the latest in a series of major crypto theft incidents, including the $71 million theft from the STEPN move-to-earn protocol in January 2025 and the $41 million theft from the Animoca Brands Ronin Network in November 2024.

According to reports by several blockchain analytics firms, the Cetus Protocol exploit began with the insertion of spoof tokens into the protocol’s liquidity pools.

One analysis by Chainalysis identified a key spoof token used in the attack as “BULLA.” Commencing with an initial deposit of 100,000 BULLA tokens, the hackers engaged in a series of rapid transactions to inflate the token’s value.

Cetus’s automated market maker (AMM), a core engine of the exchange, was manipulated by these actions. In the process of attempting to maintain price equilibrium, the protocol executed asset swaps that exchanged SUI and USDC tokens for BULLA at unbalanced rates.

As a result, the hackers were able to withdraw SUI and USDC tokens in disproportionately large amounts, while the liquidity providers who engaged in these trades sustained significant losses.

CoinDesk reported that the exploit also involved vulnerabilities in the pricing oracle used by Cetus. This enabled the malicious actors to distort price feeds on the platform, further aiding them in their gains and rendering internal risk mechanisms at Cetus largely ineffective.

According to reports by Behainal and email correspondence from Cetus, the exploit was premeditated and technically sophisticated. It involved several layers of vulnerabilities that were carefully prepared for and exploited over a period of several weeks.

The primary stage of the exploit is believed to have started on May 10, 2025, with the generation of the spoof tokens and their integration into Cetus’s smart contracts.

Later, on May 22, 2025, the main phase of the exploit unfolded as the hackers rapidly executed a series of transactions to manipulate the AMM and siphon off funds.

In total, the hackers executed around 300 transactions within a short time frame, which suggests that they might have been using bots or other automated tools to carry out the exploit undetected until the damage was already done.

The immediate aftermath of the breach saw a dramatic market response. CETUS, the native token of the platform, plummeted more than 40%. Other Sui-based tokens, such as LOFI and Hippo, saw losses of over 80%, and the USDC stablecoin on Sui briefly lost its peg, dipping to $0.99.

Cetus’s total value locked (TVL) also took a hit, plunging by over $200 million as investors quickly pulled out their liquidity.

The breach has also had wider implications for the nascent Sui ecosystem, raising concerns about the security of DeFi protocols on newer chains and the speed at which they are able to respond to critical vulnerabilities.

Liquidity providers on Sui rapidly withdrew their funds, exacerbating price slippage and destabilising token markets. Cross-chain bridges involving Sui assets also came under increased scrutiny as some services paused transactions to prevent potential contagion from the Cetus exploit.

In response to the crisis, Cetus Protocol has announced the complete suspension of all smart contracts and the launch of an internal investigation in collaboration with the Sui Foundation and other key stakeholders. The team is actively pursuing options for recovering the stolen funds.

According to reports by several blockchain analytics firms, the primary address involved in the exploit is 0xe28b50. This wallet is currently known to hold 12.9 million SUI tokens, valued at $54 million. A portion of the stolen funds has already been liquidated into other assets.

Cetus has also extended a $6 million bounty to the hacker, offering immunity from legal action if the stolen coins are returned. This white-hat recovery approach, though controversial, reflects the urgency and magnitude of the loss.

Going forward, Cetus will be undergoing a complete security audit and overhaul of its codebase. Its developers will be working to patch the vulnerabilities that were exploited in the attack, and third-party firms will be brought in to conduct independent reviews of the protocol’s smart contracts.

This incident is likely to spark broader reforms in how DeFi protocols approach oracle security, token whitelisting procedures, and smart contract validation.

The Sui Foundation is also expected to introduce new standards and guidelines for the purpose of preventing