CETUS协议智能合约利用耗费2.23亿美元的SUI令牌

在CETUS协议的智能合约中利用漏洞的黑客漏掉了价值2.23亿美元的SUI代币，已经将被盗资金的近三分之一转移到以太坊。

A hacker who exploited vulnerabilities in the Cetus Protocol’s smart contract to drain $223 million worth of SUI tokens has already moved nearly a third of the stolen funds to Ethereum.

在CETUS协议的智能合约中利用漏洞的黑客漏掉了价值2.23亿美元的SUI代币，已经将被盗资金的近三分之一转移到以太坊。

The stolen funds were converted to USDC before being bridged to Ethereum and exchanged for ETH, according to blockchain analyst Lookonchain.

据区块链分析师Lookonchain称，被盗资金在被桥接到以太坊之前已转换为USDC。

Ethereum is the only chain with large enough mixers, like Tornado Cash and Thorchain, to launder stolen funds measured in the hundreds of millions of dollars.

以太坊是唯一拥有足够大的搅拌机的连锁店，例如龙卷风现金和索氏（Thorchain），可以洗钱以数亿美元的数亿美元衡量。

Extractor, an online monitoring tool developed by cybersecurity firm Hacken, posted on X that “at least $63m was already bridged to Ethereum, 20k ETH was just transferred to a fresh wallet” in a single transaction. That 20,000 ETH is worth about $53 million.

Extractor是由网络安全公司Hacken开发的在线监视工具，该工具在X上发布，“至少有6300万美元已被桥接到以太坊，只有20K ETH刚刚转移到新的钱包中”。那20,000 ETH的价值约为5300万美元。

In an X post, Cetus said that the remaining $162 million of compromised funds have been paused, and they are “actively pursuing paths to recover the remainder.”

Cetus在X帖子中说，剩下的1.62亿美元的折衷资金已暂停，他们正在“积极采取途径来追回其余的途径”。

It added that “a large number of validators identified the addresses with the stolen funds and are ignoring transactions on those addresses until further notice.”

它补充说：“大量验证者用被盗的资金确定了地址，并忽略了这些地址的交易，直到另行通知。”

Cetus declined to comment beyond their X posts when reached by The Defiant, but promised a full incident report would be forthcoming.

Cetus拒绝在挑衅时拒绝评论其X帖子，但承诺将要发表完整的事件报告。

Liquidity Pools Drained

流动性池耗尽

As the largest decentralized exchange on Sui, the loss of Cetus’ liquidity has reverberated across the Sui ecosystem, with many memecoins down by as much as 90%. DexScreener shows SQUIRT is down 92% and HIPPO is down 80%, and several dozen are down at least double digits. Cetus’s own CETUS token is down 42%.

作为SUI上最大的分散交流，CETUS流动性的损失在SUI生态系统中回荡，许多纪念因素下降了多达90％。 Dexscreener显示Squirt下降了92％，河马下降了80％，并且几十个下降至少两位数。 Cetus自己的CETUS代币下降了42％。

Remarkably, the SUI token is flat on the day at $3.88 despite the exploit.

值得注意的是，尽管有利用，Sui代币当天持平，售价为3.88美元。

According to an X post, Cetus insiders said in the project’s Discord channel that there was a bug in the oracle.

根据X帖子的说法，Cetus内部人员在项目的Discord渠道中说，Oracle有一个错误。

Blockchain security firm Cyvers also said on X that the “initial reports show that it seems to be an oracle issue.”

区块链安全公司Cyvers还在X上表示：“初始报告表明这似乎是甲骨文问题。”

Alex Horkan, CTO of Web3 bug bounty platform, said in an X post that the likely path of the exploiter was to swap in a spoof token, “taking advantage of miscalculated price curve or broken reserve math.”

Web3 Bounty Platform的首席技术官Alex Horkan在X帖子中说，剥削者的可能道路是交换一个欺骗令牌，“利用了错误计算的价格曲线或储备金损坏的优势。”

They then added liquidity in “near-zero” amounts to manipulate the internal liquidity provider state or initialize a fake pair, and then repeatedly remove liquidity, exploiting a mismatch in accounting to drain SUI and USDC stablecoins without providing any assets back in return.

然后，他们添加了“接近零”的流动性，量构成内部流动性提供商状态或初始化伪造对，然后反复删除流动性，从而在会计中利用不匹配以耗尽SUI和USDC Stablecoins，而无需提供任何资产。

This is the latest in a series of exploits this year, led by the $1.5 billion ByBit hack in February, the largest hack on record.

这是今年一系列漏洞的最新功能，由2月份的15亿美元bybit hack领导，这是有记录以来最大的黑客攻击。