CETUS協議黑客擦除2.6億美元的最新SUI利用

5月22日，CETUS協議（CETUS）是SUI（SUI）區塊鏈上的主要分散交易所和流動性提供商，經歷了重大的安全漏洞。

Major decentralized exchange and liquidity provider Cetus Protocol (CETUS) on the Sui (SUI) blockchain was breached, and an exploit quickly unfolded, draining an estimated $223 million and immediately disrupting DeFi activity.

SUI（SUI）區塊鏈上的主要分散交易和流動性提供商CETUS協議（CETUS）被違反，並迅速展開了漏洞，估計耗資2.23億美元，並立即破壞了Defi活動。

The exploit began at 3:52 AM PT (11:52 UTC on May 22) with irregular movements in the SUI/USDC liquidity pool, initially reported as a $11 million outflow.

漏洞利用始於PT的3:52 AM（UTC 11:52 UTC），SUI/USDC流動性池中的運動不規則，最初據報導為1100萬美元的流出。

However, further analysis revealed that the exploit spanned across several pools and may have resulted in a total loss of around $260 million.

但是，進一步的分析表明，這種利用在幾個池上跨越，可能導致總損失約為2.6億美元。

The incident unfolded as Cetus, launched in 2023, had become a primary exchange and liquidity provider on the Sui chain, facilitating token swaps and yield farming for more than 62,000 active users. The protocol also generated over $7.15 million in daily trading fees.

該事件於2023年推出，該事件已於CETUS展開，已成為SUI連鎖店的主要交易所和流動性提供商，促進了代幣掉期，並為超過62,000名活躍用戶提供了耕作。該協議還產生了超過715萬美元的每日交易費用。

SUI, the native token of the Sui blockchain, fell sharply from $4.19 to $3.62 by the time of writing on May 23, marking a nearly 14% drop within a day.

SUI是SUI區塊鏈的本地令牌，到5月23日寫作時，Sui從4.19美元下降到3.62美元，在一天之內下降了近14％。

CETUS, the native token of the affected protocol, declined from $0.26 to $0.15 during the immediate aftermath of the breach. Its current price of $0.17 indicates only a partial recovery.

受影響協議的本地令牌Cetus在違規後立即下降到0.26美元至0.15美元。其目前的價格為0.17美元，僅表示部分恢復。

Tokens across the wider ecosystem reacted with similar volatility. Memecoins native to Sui, including LOFI, HIPPO, SQUIRT, SLOVE, and MEMEFI, experienced losses ranging from 51% to 97%. Although prices have since stabilized, investor confidence remains low.

整個更廣泛的生態系統的令牌與相似的波動率反應。 SUI本地人的Memecoins，包括LOFI，河馬，Squirt，Slove和Memefi，經歷了51％至97％的損失。儘管價格穩定下來，但投資者的信心仍然很低。

Among the top 15 assets listed on Cetus, more than 75% of the total value was erased. Some tokens, such as LBTC and AXOLcoin, saw their prices collapse to nearly zero.

在CETUS上列出的前15個資產中，刪除了總價值的75％以上。有些令牌，例如LBTC和Axolcoin，它們的價格下跌了幾乎為零。

The broader impact went beyond token prices, with Sui’s total value locked dropping from $2.13 billion to $1.92 billion by the time of writing, highlighting a contraction over a matter of hours.

更廣泛的影響力超出了代幣的價格，SUI的總價值從21.3億美元下降到寫作時的19.2億美元，突出了幾個小時內收縮。

Let’s delve into how the exploit was carried out, what structural flaws it exposed, and how the community is preparing its response.

讓我們深入研究如何進行利用，其暴露的結構缺陷以及社區如何準備其反應。

Sui hacker triggers liquidity drain on Cetus Protocol

SUI Hacker觸發CETUS協議上的流動性耗盡

SUI Hacker觸發CETUS協議上的流動性耗盡

The incident began with a vulnerability in the smart contract system underpinning Cetus’s pricing mechanism.

該事件始於CETUS的定價機制的智能合同系統中的脆弱性。

At the heart of the issue was the protocol’s oracle, designed to provide real-time price data to the platform for enabling fair trading across token pairs. In this case, the oracle served as the entry point for the exploit.

該問題的核心是協議的甲骨文，旨在向平台提供實時價格數據，以使跨令牌對實現公平交易。在這種情況下，甲骨文作為漏洞的入口點。

The wallet address involved, identified as “0xe28b50,” deployed spoof tokens such as BULLA to manipulate pricing curves and disrupt reserve balances.

涉及的錢包地址（被確定為“ 0xe28b50”）部署了欺騙令牌，例如Bulla，以操縱定價曲線並破壞儲備金的餘額。

Despite these tokens having minimal real liquidity, they were used to skew internal pool metrics, making valuable assets like SUI and USDC appear undercollateralized. This destabilization of the pricing logic allowed the attacker to extract real tokens from the pools without providing proportional value.

儘管這些代幣具有最小的真實流動性，但它們仍用於偏向內部池指標，使SUI和USDC等有價值的資產看起來不足。定價邏輯的這種不穩定使攻擊者能夠從池中提取實際令牌而不提供比例值。

On-chain analysts observed the attacker transferring around $63 million in USDC from Sui to Ethereum (ETH) in the hours following the exploit.

鏈上分析師觀察到攻擊者在利用後的幾個小時內將大約6300萬美元的USDC從SUI轉移到以太坊（ETH）。

Conversion data showed that $58.3 million was swapped for 21,938 ETH at an average rate of $2,658 per coin. The pace of execution, estimated at approximately $1 million per minute, indicated a coordinated and pre-planned operation.

轉換數據表明，每枚硬幣的平均價格為21,938美元，將5830萬美元交換為21,938 ETH。執行步伐估計為每分鐘約100萬美元，表明進行了協調和預先計劃的操作。

Cetus initially described the issue as an “oracle bug,” a term that drew immediate criticism from developers and security experts due to the scale and precision of the exploit.

Cetus最初將該問題描述為“ Oracle Bug”，該術語由於漏洞的規模和精度而引起了開發人員和安全專家的立即批評。

The incident began with an anomaly in the SUI/USDC liquidity pool on Cetus, as reported by blockchain monitor TokenInsight.

正如區塊鏈顯示器TokenInSight報導的那樣，該事件始於CETUS上SUI/USDC流動性池的異常。

At 3:52 AM PT (11:52 UTC), there was a sudden surge in activity, with an abnormal liquidity addition of 10,000 SUI and 3,000,000 USDC.

PT上午3:52（UTC 11:52），活動突然激增，流動性異常增加了10,000 SUI和3,000,000 USDC。

Almost simultaneously, an equal amount of SUI was removed from the pool, along with 2,999,969 USDC, resulting in a net loss of 31 USDC for the pool.

幾乎同時，從游泳池中刪除了相等數量的SUI，以及2,999,969美元的USDC，導致池淨損失31 USDC。

This transaction was executed by an address that had previously engaged in minimal activity on the chain, starting in March 2023. Prior to the exploit, the wallet held only a small amount of SUI, valued at less than $10.

這項交易是由以前從2023年3月開始在鏈條上從事最少活動的地址執行的。在剝削之前，錢包只持有少量SUI，價值不到10美元。

The incident occurred shortly after Cetus announced a new partnership with blockchain cybersecurity firm Haechi Labs to enhance security measures.

該事件發生在Cetus宣布與區塊鍊網絡安全公司Haechi Labs建立新的合作夥伴關係以增強安全措施後不久。

Following the exploit, the administrative team at Cetus announced the suspension of smart contract operations on May 22 at 4:00 AM PT to prevent further outflows from the protocol.

在漏洞利用之後，CETUS的行政團隊於5月22日下午4:00宣布暫停智能合同操作，以防止該協議的進一步流出。

A public statement was posted on the project’s official X account, acknowledging the incident and pledging a full investigation. No

該項目的官方X帳戶發布了公開聲明，承認該事件並保證進行全面調查。不