Cetus Hack Incident Update: Fund Recovery Enters Governance Process, Sui Officially Voices Support

The Sui ecosystem's Cetus Protocol experienced a security incident on May 22, and how to handle the frozen funds became a community focal point. On May 24, the Sui team announced support for a governance proposal by Cetus to conduct an on-chain governance vote to approve a protocol upgrade that would return the frozen funds. However, two conditions were attached to this support — the official team would forfeit its voting power, maintain neutrality, and require Cetus to commit to leveraging all financial resources to achieve full user compensation.

On May 28, the Cetus team posted an update stating they had the capability to fully reimburse the off-chain stolen assets, including a crucial loan from the Sui Foundation, contingent upon a community vote to unlock the frozen assets through a protocol upgrade.

As a result, Cetus requested to initiate a community-led vote to recover the funds frozen during last week's exploit. In response, the Sui Foundation agreed to assist in conducting a vote among Sui validation nodes, representing stakers and the broader network's interests. Sui token holders and stakers could also participate directly through staking delegation.

Cetus's proposal involves executing a protocol upgrade to recover all funds currently frozen in two hacker addresses without the need for hacker signatures. If the proposal passes, these funds will be transferred to and held in a multi-signature custody wallet until they can be returned to the accounts that previously held positions in Cetus. This fund will be held in a multi-signature-controlled wallet, governed by a 6-of-6 multisig mechanism with the participation of Cetus, the Sui Foundation, and the auditing firm OtterSec. Voting "Yes" signifies support for moving the frozen assets to this trust wallet and gradually returning them to users through a verification mechanism; voting "No" indicates rejection of such a protocol upgrade.

Regardless of the voting outcome, Cetus has stated that they will immediately commence the recovery plan post-vote, with detailed plans set to be disclosed.

At the time of writing, the CETUS token price has surged above $0.16, with a 27% increase in the last 24 hours. With positive market feedback and foundation endorsement, whether Cetus's fund recovery plan can be implemented still hinges on the upcoming Sui community vote.

The following is the version of the article at the time of its first release:

In the afternoon of May 22, Sui's on-chain DEX liquidity protocol Cetus Protocol's token CETUS suddenly experienced a significant drop in price, almost "crashing," and several token pairs on Cetus also saw sharp declines. Subsequently, many KOLs posted on X, indicating that the Cetus Protocol LP pool had been attacked by a hacker.

According to on-chain monitoring, the Cetus attacker appears to have control of all LP pools denominated in SUI, with the stolen amount exceeding $260 million at the time of writing. Currently, the hacker has started converting the funds to USDC and cross-chain transferring to the Ethereum mainnet for exchange into ETH, with approximately 60 million USDC already successfully cross-chain transferred.

The hacker's on-chain address is: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06. The primary assets in this address are still SUI and USDT, but Sui ecosystem mainstream tokens such as CETUS, WAL, DEEP, among others, are also included, indicating the extensive scope of this hack.

On the evening of the 22nd, a member of the Cetus team stated in the project's Discord group that the Cetus protocol was not stolen but rather experienced a "Oracle Bug." However, the on-chain data does not lie. Based on statistics, the loss in the Cetus protocol's LP pool exceeded $260 million within an hour after the theft incident, surpassing the protocol's TVL ($240 million) and market cap ($180 million).

In the morning of the 23rd, Cetus officials posted the latest developments of the theft incident on social media, stating that the team has identified the root cause of the vulnerability, fixed the related software packages, and hired professional anti-cybercrime organizations to support fund tracing and negotiations for the security return. They are currently in talks with law enforcement agencies and arranging further assistance.

It is worth noting that the officials have confirmed the Ethereum wallet address controlled by the hacker of today's attack event and have negotiated with them for the return of customer funds. An offer has been made to pay the outstanding balance in the name of a white-hat hacker, but time is limited. If the hacker accepts the terms, no further legal action will be taken.

Community Perception Highlights Team's "Previous Hack"

Interestingly, amidst the Cetus-induced SUI ecosystem crash, many community members on Twitter have pointed out that Cetus, which developed with the same team behind the Solana ecosystem DeFi protocol Crema Finance, had experienced a previous hacking incident.

On July 3, 2022, Crema Finance also fell victim to a hacker exploiting a Solend flash loan attack, resulting in the depletion of the LP liquidity pool and a loss of over $8 million. Subsequently, on July 7, the hacker, after negotiating with the team, returned stolen cryptocurrency worth $7.6 million. As per the negotiated agreement, the hacker was allowed to keep 45,455 SOL (worth $1.65 million) as a bounty.

Reflecting on the Cetus hack incident, the protocol also suffered losses as the attacker controlled the LP pool. The team proposed to negotiate with the hacker under the guise of paying the outstanding balance in the name of a white-hat hacker. Currently, there is no public information confirming that Crema and Cetus are indeed developed by the same team. However, based on the stolen asset's reason and the subsequent handling approach, both projects do seem aligned.

Sui Officially Steps In to Freeze Hacker's Transactions, "On-Chain Surveillance" Raises Centralization Concerns

According to DeFiLlama data, Cetus has consistently been the leading DEX and liquidity hub in the Sui ecosystem, with its trading volume accounting for over sixty percent of the entire ecosystem. This "forced liquidation" attack undoubtedly directly disrupted the ecosystem's liquidity core. If this had happened on any other "second-tier public chain," it would have been a devastating blow.

Since March last year, the Sui ecosystem's on-chain transaction volume has been on a general upward trend. Mainstream ecosystem tokens like CETUS, DEEP, and WAL have also seen significant price appreciation, widely regarded by the community as the most promising public chain type with the highest return potential in this cycle, akin to the "next Solana."

Interestingly, according to Dune data, there has been a persistent presence of significant wash trading on the Sui chain, with ecosystem liquidity toxicity staying close to 50% for an extended period. This is one of the reasons the community perceives the Sui ecosystem as "having nothing but continuously rising prices."

Illustration: The circle radius in the graph below represents the total transaction volume of a single address, showing that even the wallet with the highest transaction volume has a very high trading frequency, indicating potential wash trading; Data Source: Dune Analytics

Nevertheless, Sui's "strong market maker" persona has long been established in the minds of traders. In the recent altcoin resurgence market, Sui has been one of the standout performers among leading public chains. Faced with this significant ecosystem theft, the foundation, as expected, promptly responded, once again reinforcing its "strong market maker" image.

At around 11 p.m. on the 22nd, the Sui team released an announcement stating that, to "protect the Sui ecosystem," a large number of Sui network validators identified the hacker's address using the stolen funds and ignored transactions involving these addresses. The CETUS team is actively exploring the recovery of these funds to return them to the community and will soon release an incident report.

Upon this news, the community erupted, with "on-chain transaction scrutiny" becoming the biggest point of contention. Many X users believe that Sui's response is a disruption of its decentralized positioning, transforming Sui from a "public chain" to a "centralized permissioned database."

According to Sui's official documentation, transactions on the Sui network are split into two categories: those involving only "exclusive objects" and those involving both "shared objects." Only transactions involving shared objects must undergo network-wide consensus, while transactions involving purely exclusive objects can take the "direct fast path" and be executed without global ordering. As long as more than 2/3 of the total staked validators in the network are honest, the network theoretically ensures both security (no double-spending) and liveness (valid transactions will eventually be executed) simultaneously.

Under Sui's Delegated PoS + BFT design, to achieve continuous, unbiased transaction scrutiny, at least a joint control of over 1/3 of the staked voting power is required. Inspection by a single node or a few nodes can only result in temporary delays and is easily seen as malicious behavior, leading to the stakeholder being "voted offline" in the next epoch, as emphasized in the official documentation for "censorship resistance and openness." Clearly, the Sui Foundation controlled at least 1/3 of the staked voting power in the entire network during this hacking incident.

The controversy over a "centralized public chain" has been ongoing since the previous Solana cycle, with community members also pointing out that the "censorship resistance" attribute is not the most critical concern for current crypto investors. In a world still focused on returns and at its core, perhaps "pumping the price" is the true justice.