Cetus Protocol Smart Contract Exploited to Drain $223M Worth of SUI Tokens

A hacker who exploited vulnerabilities in the Cetus Protocol's smart contract to drain $223 million worth of SUI tokens has already moved nearly a third of the stolen funds to Ethereum.

A hacker who exploited vulnerabilities in the Cetus Protocol’s smart contract to drain $223 million worth of SUI tokens has already moved nearly a third of the stolen funds to Ethereum.

The stolen funds were converted to USDC before being bridged to Ethereum and exchanged for ETH, according to blockchain analyst Lookonchain.

Ethereum is the only chain with large enough mixers, like Tornado Cash and Thorchain, to launder stolen funds measured in the hundreds of millions of dollars.

Extractor, an online monitoring tool developed by cybersecurity firm Hacken, posted on X that “at least $63m was already bridged to Ethereum, 20k ETH was just transferred to a fresh wallet” in a single transaction. That 20,000 ETH is worth about $53 million.

In an X post, Cetus said that the remaining $162 million of compromised funds have been paused, and they are “actively pursuing paths to recover the remainder.”

It added that “a large number of validators identified the addresses with the stolen funds and are ignoring transactions on those addresses until further notice.”

Cetus declined to comment beyond their X posts when reached by The Defiant, but promised a full incident report would be forthcoming.

Liquidity Pools Drained

As the largest decentralized exchange on Sui, the loss of Cetus’ liquidity has reverberated across the Sui ecosystem, with many memecoins down by as much as 90%. DexScreener shows SQUIRT is down 92% and HIPPO is down 80%, and several dozen are down at least double digits. Cetus’s own CETUS token is down 42%.

Remarkably, the SUI token is flat on the day at $3.88 despite the exploit.

According to an X post, Cetus insiders said in the project’s Discord channel that there was a bug in the oracle.

Blockchain security firm Cyvers also said on X that the “initial reports show that it seems to be an oracle issue.”

Alex Horkan, CTO of Web3 bug bounty platform, said in an X post that the likely path of the exploiter was to swap in a spoof token, “taking advantage of miscalculated price curve or broken reserve math.”

They then added liquidity in “near-zero” amounts to manipulate the internal liquidity provider state or initialize a fake pair, and then repeatedly remove liquidity, exploiting a mismatch in accounting to drain SUI and USDC stablecoins without providing any assets back in return.

This is the latest in a series of exploits this year, led by the $1.5 billion ByBit hack in February, the largest hack on record.