Another nine-figure exploit just rattled DeFi out of its comfort zone.
On May 22, an attacker drained $223 million from Cetus Protocol, the flagship decentralised exchange on the up-and-coming Sui blockchain. The weapon of choice was not a sophisticated zero-day exploit, but a rounding error in a widely used math library that every auditor missed.
SecurityWeek confirmed the scale of the breach within hours, and blockchain analysts began tracing the funds across Sui and Ethereum. Cetus is back online less than three weeks later, with its liquidity pools largely refilled and a $5 million bounty placed on the thief's head.
The speed of the turnaround impressed many users, yet it also reignited an old debate about whether validator intervention undermines the ideals of censorship resistance. The incident spotlights three fault lines already widening across DeFi: vulnerable third-party libraries, validator majorities that can rewrite history, and the absence of real-time circuit breakers to halt flash-loan loops before they drain whole pools.
A rounding error worth $223 million
Before diving in here, it helps to see how an eight-line bug can vaporize nine figures in minutes.
In a nutshell, the exploit hinged on a flaw in the open-source integer-mate library that Cetus called whenever it priced liquidity positions. By feeding spoofed tokens into a tick range of 300,000 to 300,200 and looping a flash-loan-funded cycle, the attacker forced the contract to misprice deposits and withdraw far more than was required.
Although Cetus is written in Move, a language that enforces memory safety and aborts on most arithmetic overflows, the vulnerable path ran through a buggy checked_shlw helper that was supposed to detect left-shift overflows. Because the mask inside that function was wrong, the shift wrapped silently, and the resulting logic error slipped past the compiler's safeguards.
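To make the bug class concrete, here is an added example (not code from integer-mate, Cetus or Sui) written in Rust, whose fixed-width unsigned integers drop shifted-out bits without an error, the same silent wrap the article describes. Rust's u128 stands in for the wider integer the library handles, the shift width of 64 and the sample inputs are constructed for illustration, and the function names are assumptions. The block pairs a correct left-shift overflow check with one whose mask is wrong, then runs the round-trip property that a property test or fuzzer in a continuous-integration pipeline would assert to catch the difference:

```rust
// Added example, not code from integer-mate, Cetus or Sui. Rust's u128
// stands in for the wider integer the library handles; the shift width of 64
// and the sample inputs below are constructed for illustration.

/// Left shift by 64 with a correct overflow check: the result only fits if
/// the top 64 bits of `n` are already clear.
pub fn checked_shlw_correct(n: u128) -> (u128, bool) {
    if n >= (1u128 << 64) {
        (0, true) // overflow flagged; a Move caller would abort here
    } else {
        (n << 64, false)
    }
}

/// The same helper with a wrong mask. The mask has only the top 64 bits set,
/// so `n > mask` rejects just the values whose top 64 bits are all ones.
/// Anything with a subset of those bits set passes, and `<<` then discards
/// them silently: Rust's shift only panics on a shift amount >= the bit
/// width, never on bits shifted out, which is enough to model the wrap.
pub fn checked_shlw_buggy(n: u128) -> (u128, bool) {
    let mask: u128 = 0xffff_ffff_ffff_ffffu128 << 64;
    if n > mask {
        (0, true)
    } else {
        (n << 64, false)
    }
}

/// Round-trip property a property test or fuzzer asserts on any shift helper:
/// whenever it reports "no overflow", shifting back must recover the input.
pub fn shift_round_trips(check: fn(u128) -> (u128, bool), n: u128) -> bool {
    let (shifted, overflow) = check(n);
    overflow || (shifted >> 64) == n
}

/// Sweep constructed boundary values and return those for which the helper
/// under test accepts a lossy shift. Empty output means the helper is sound
/// on these inputs; a real property test would generate many more.
pub fn find_silent_wraps(check: fn(u128) -> (u128, bool)) -> Vec<u128> {
    let samples = [0u128, 1, (1u128 << 64) - 1, 1u128 << 64, 1u128 << 100, u128::MAX];
    samples
        .iter()
        .copied()
        .filter(|&n| !shift_round_trips(check, n))
        .collect()
}

fn main() {
    println!("correct helper silent wraps: {:?}", find_silent_wraps(checked_shlw_correct));
    println!("buggy helper silent wraps:   {:?}", find_silent_wraps(checked_shlw_buggy));
}
```

The round-trip property is the useful part: it does not need to know what the mask should be, only that a helper which claims "no overflow" must be invertible. A mutation of the mask, the shift width or the comparison operator all fail the same check, which is why this kind of invariant belongs in the dependency's test suite rather than in a one-off audit.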
The table below sets out the critical moments that shaped the Cetus hack, condensing three weeks of crisis management into five high-pressure checkpoints:
The table also hints at the strengths of the unique governance structure of Sui, where validators can and will act quickly when the economic stakes rise. The ability of validators to act so cohesively, however, is inherently at odds with those who would prefer a more decentralized approach to the chain's governance.
Governance issues aside, the takeaway for engineers is clear: code correctness is broader than buffer safety.
Collateral damage across Sui
After the hack, market fallout arrived within hours.
Total value locked (TVL) on Sui shrank from $2.13 billion to $1.92 billion. The SUI token then dipped below $4 and stayed range-bound for two weeks. Although the freeze of the stolen funds averted a full liquidity spiral, some traders argued that hard forks and fund seizures contradict the code-is-law ethos that once attracted them to decentralized finance (DeFi).
From a security vantage point, Cetus joins the grim leaderboard of top DeFi exploits.
Flash loans, logic errors and unchecked libraries helped attackers steal more than $12 billion over three years. Off-chain account compromises drove 80.5% of 2024 losses, proving that code audits alone cannot solve the problem.
Rebooting Cetus in seventeen days
Cetus and the Sui Foundation moved fast once the dust settled.
Validators controlling a 91% stake approved an on-chain proposal to release the frozen $162 million back to liquidity pools. To fill the remaining gap, the protocol secured a $30 million USDC loan from the Sui Foundation, tapped its treasury and accepted community donations. In similar situations on other chains, chain governors have also been able to tap emergency loans from major exchanges like Binance, though that didn't happen in this case.
Seventeen days after the hack, Cetus brought its front end back online. CoinDesk reported that most pools were between 85% and 95% of their pre-hack depth, and trading volumes recovered to 66% of historic norms within 48 hours. The team published a post-mortem and hired two additional auditors to review every dependency, including integer-mate.
It's difficult to overstate how remarkable this snapback recovery is. If the same hack had happened just a few years ago, during the 2022 bear market for example, it is overwhelmingly likely that both Cetus and Sui would have fallen into disarray and never recovered, or recovered only after years of thankless struggle.
Moving forward, however, investors probably can't count on the chain they're invested in seeing the same relatively sunny outcome after a major hack, even if the community rallies. Most of the time there is no guarantee of emergency financing to tap, and validators and holders working together smoothly under crisis conditions is an exceptional result, not one to rely on in contingency planning.
Cetus hack security lessons for the next cycle
Risk managers like to say that every exploit is a free penetration test for the entire industry. That holds true here as well.
Thus, the Cetus hack offers four unignorable insights:
Third-party libraries are an attack surface. Any audit that ignores dependencies is incomplete.
Real-time circuit breakers matter. Validators froze $162 million because the network supported rapid governance action.
Security is social as much as technical. The rapid hard fork succeeded because holders of 91% of staked value agreed on a single narrative, then implemented it without fractures.
Audits of smart contracts are necessary but not sufficient. Studies on the voluntary audit market show that many contracts still ship with critical vulnerabilities.
This list also highlights a core tension: validators saved users hundreds of millions of dollars, yet every centrally coordinated rescue chips away at the promise of unstoppable code. It is difficult to ask users to trust the stewardship of a centralized set of validators immediately after their security practices have been exposed as inadequate.
It worked in this scenario, and there wasn't any user revolt. But would it work twice on the same chain?
It's almost impossible to believe that it would. History suggests that investors tolerate interventions when the sums are large enough, but the long-term effect of those interventions on valuations remains an open question. Similarly, while governance might be lauded for acting quickly in a crisis, it remains an open question whether investors and users are willing to punish habitually unprepared chain governors by moving their capital elsewhere.
What builders and investors should do now
Developers cannot eliminate risk, but they can push the probability of catastrophic failure toward zero. Investors likewise can refine their filters and avoid protocols living on borrowed time.
For builders, five checkpoints reduce attack surface:
Audit every dependency after each upgrade.
Integrate automated fuzzing and property testing in continuous-integration pipelines.
Add on-chain circuit breakers that pause pools when slippage exceeds set thresholds; this could also be viewed as a quality-of-life feature.
Incentivize white hats with tiered bounties that scale with total value locked.
Publish clear governance playbooks so validators know exactly when and how to intervene.
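One way to implement the circuit breaker in the third checkpoint, as an added example rather than Cetus's or Sui's own code: a per-pool guard, written here in Rust for illustration, that measures every swap against the price at the opening of the current block and pauses the pool once the move exceeds a threshold. The threshold (5% per block), the fixed-point price scale, the function names and the replayed swap sequence are all assumptions constructed for the example.

```rust
// Added example, not Cetus's or Sui's code: a per-pool circuit breaker that
// pauses swaps when the price moves more than a configured threshold within
// a single block. The threshold, price scale and sample swaps are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PoolState {
    Active,
    Paused,
}

pub struct CircuitBreaker {
    /// Largest price move tolerated within one block, in basis points.
    max_move_bps: u64,
    /// Block whose opening price is the current reference.
    ref_block: u64,
    /// Pool price at the opening of `ref_block` (fixed-point, assumed 1e9 scale).
    ref_price: u128,
    /// Price after the most recent accepted swap.
    last_price: u128,
    pub state: PoolState,
}

/// Absolute price move from `from` to `to`, in basis points (rounded down).
pub fn price_move_bps(from: u128, to: u128) -> u64 {
    if from == 0 {
        return u64::MAX; // a zero reference price is itself a fault; trip the breaker
    }
    let diff = if to > from { to - from } else { from - to };
    (diff * 10_000 / from) as u64
}

impl CircuitBreaker {
    pub fn new(max_move_bps: u64, block: u64, price: u128) -> Self {
        CircuitBreaker {
            max_move_bps,
            ref_block: block,
            ref_price: price,
            last_price: price,
            state: PoolState::Active,
        }
    }

    /// Gate every swap. `new_price` is the pool price the swap would leave
    /// behind. Each swap is measured against the block's opening price, so a
    /// loop of small swaps inside one block accumulates toward the threshold
    /// instead of each step passing on its own.
    pub fn check_swap(&mut self, block: u64, new_price: u128) -> Result<(), &'static str> {
        if self.state == PoolState::Paused {
            return Err("pool paused; governance must resume it");
        }
        if block != self.ref_block {
            // New block: the last accepted price becomes the new opening price.
            self.ref_block = block;
            self.ref_price = self.last_price;
        }
        if price_move_bps(self.ref_price, new_price) > self.max_move_bps {
            self.state = PoolState::Paused;
            return Err("price move exceeded per-block threshold; pool paused");
        }
        self.last_price = new_price;
        Ok(())
    }
}

/// Replay a constructed swap sequence and report which swaps were accepted.
pub fn replay_scenario() -> (Vec<bool>, PoolState) {
    let mut breaker = CircuitBreaker::new(500, 100, 1_000_000_000); // 5% per block
    let swaps: [(u64, u128); 5] = [
        (100, 1_020_000_000), // +2.0% within block 100: allowed
        (100, 1_045_000_000), // +4.5% cumulative from block opening: allowed
        (101, 1_060_000_000), // new block; +1.4% from 1.045e9: allowed
        (101, 1_300_000_000), // +24.4% from block opening: trips the breaker
        (102, 1_050_000_000), // pool already paused: rejected
    ];
    let accepted: Vec<bool> = swaps
        .iter()
        .map(|&(block, price)| breaker.check_swap(block, price).is_ok())
        .collect();
    (accepted, breaker.state)
}

fn main() {
    let (accepted, state) = replay_scenario();
    println!("accepted: {:?}, final state: {:?}", accepted, state);
}
```

Anchoring the reference to the block's opening price is the design choice that matters: a flash-loan loop performs many swaps inside one block, and a check that only compares each swap with the previous one can be walked past in small steps. Resuming a paused pool is deliberately left to governance, which is where the playbook in the fifth checkpoint comes in.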
At the same time, investors can match that discipline on their side:
Track audit histories and verify that reports cover external libraries.
Monitor treasury coverage relative to total value locked and daily volumes.
Favor protocols with transparent emergency procedures and well-documented roles.
Use position sizing to cap exposure to any single chain-level risk, keeping position sizes for alts significantly smaller than for majors.
A growing set of security vendors claims that artificial intelligence will soon automate many of these steps.
Machine learning can triage bytecode vulnerabilities at scale, but even the most advanced scanners remain blind to governance gaps. Humans need to stay in the loop for now.
Remember, one of the greatest enemies of progress is amnesia. If the playbook worked for the Cetus hack, other projects may become complacent, expecting validators to ride to the rescue. That complacency will attract the next attacker.
The bigger picture
Sui managed the Cetus hack so effectively because its ecosystem still enjoys the cohesive culture of a young chain.
Ethereum no longer has that unity and therefore cannot realistically repeat a DAO-style rollback. On the other hand, centralized chains like XRP will have absolutely no problem. If Sui grows into a global settlement layer, its current governance may prove impossible to sustain.
Investors should internalize one uncomfortable truth. Absolute decentralization and rapid incident response cannot coexist at scale. Pick the tradeoff you can live with and size portfolios accordingly.