Cointelegraph Bitcoin & Ethereum Blockchain News

When liquidity attracts attackers: what went wrong at Cetus?
On May 22, 2025, Cetus Protocol, the main decentralized exchange (DEX) on the Sui blockchain, suffered a major hack, one of the largest decentralized finance (DeFi) exploits in cryptocurrency history.
An attacker exploited a flaw in Cetus’s pricing mechanism, stealing about $260 million in digital assets. The incident hit the Sui community hard, driving the Sui (SUI) price down about 15% to $3.81 on May 29.
Cetus DEX provides token swaps and liquidity provision within the Sui ecosystem. The platform’s rapid growth made it a prime target for attackers. According to DefiLlama, Cetus DEX’s trading volume grew from 182.47 million between October 1 and 31, 2023, to 7.152 billion between January 1 and 31, 2025.
A previously undetected bug in the Cetus DEX code enabled the exploit and the theft of millions. The event highlights the ongoing challenge of maintaining robust security in fast-evolving DeFi ecosystems, even where significant effort goes into prioritizing security.
Did you know? DEX hacks can sink entire ecosystems. When Mango Markets was exploited for $114 million in 2022, its governance token dropped by more than 50%, and confidence in the Solana DeFi ecosystem was shaken for weeks.
How the Cetus DEX was exploited: a step-by-step breakdown
Cetus was the victim of a calculated assault that combined price manipulation, fake token injection and cross-chain laundering.
Below is a step-by-step breakdown of how the attacker bypassed the safeguards and drained the liquidity pools using a flaw in Cetus’s internal pricing system:
- Flash loan: The attacker, using the wallet address 0xe28B50, took out a flash loan to obtain immediate funds without collateral, enabling the rapid execution of the transaction.
- Insertion of fraudulent tokens: Fake tokens such as Bulla, which lack genuine liquidity, were introduced into several Cetus liquidity pools, disrupting the price feed mechanism used for token swaps.
- Distortion of the price curve: These counterfeit tokens misled the internal pricing system by skewing reserve calculations, creating artificial price advantages for legitimate assets such as SUI and USDC.
- Exploitation of the liquidity pools: Using the pricing vulnerability, the attacker drained 46 liquidity pairs, swapping worthless tokens for valuable assets at manipulated, favorable rates.
- Cross-chain transfer of funds: A portion of the stolen assets, around $60 million in USDC, was bridged to the Ethereum network, where the attacker converted it into 21,938 Ether (ETH) at an average price of $2,658 per ETH.
- Market consequences: The attack caused a sharp drop in token prices across the Sui ecosystem. Cetus fell by more than 40%, with some tokens falling as much as 99%. Total value locked (TVL) had dropped by $210 million as of May 29, reflecting the reputational damage suffered by the DEX.
Here is a figure illustrating how the attacker’s actions triggered a chain of contract reactions that led to the siphoning of funds:
Timeline of the Cetus DEX exploit
The coordinated exploit of Cetus DEX unfolded over eight hours, triggering emergency shutdowns, contract freezes and a validator-led response to block the attacker’s addresses.
Here is a timeline of how the Cetus DEX exploit played out:
- 10:30:50 UTC: The exploit begins with unusual transactions.
- 10:40:00 UTC: Monitoring systems detect irregular activity in the liquidity pools.
- 10:53:00 UTC: The Cetus team identifies the source of the attack and alerts members of the Sui ecosystem.
- 10:57:47 UTC: The core CLMM pools are shut down to halt further losses.
- 11:20:00 UTC: All related smart contracts are disabled across the system.
- 12:50:00 UTC: Validators begin voting to block transactions from the attacker’s addresses; once the votes exceed the 33% threshold, these addresses are effectively frozen.
- 18:04:07 UTC: An onchain negotiation message is sent to the attacker.
- 18:15:28 UTC: The vulnerable contract is upgraded and patched, but not yet reactivated.
Why the audits did not prevent the Cetus DEX exploit
Despite several smart contract audits and security reviews, the hackers were able to find and exploit the Cetus flaw. The vulnerability lay in a math library and a flawed pricing mechanism, issues that had passed several audits.
In its post-mortem, Cetus admitted it had become complacent about vigilance, because past successes and the widespread adoption of audited libraries had created a false sense of security. The incident points to a broader industry problem with audits, which, although essential, are not infallible.
According to BlockSec’s chief commercial officer, who goes by Orlando on X, the crypto industry spent more than a billion dollars on security audits in 2023, yet more than $2 billion was still stolen in various hacks and exploits. Audits can detect known risk patterns but often fail to anticipate novel, creative attack vectors. The Cetus hack is a reminder that continuous monitoring, code reviews and layered defenses are crucial, even for well-audited protocols.
Did you know? In 2021, the Poly Network hack was one of the largest DeFi exploits, with more than $600 million stolen. Surprisingly, the hacker returned most of the funds, saying it was just for “fun” and to expose security flaws. The event sparked debate about ethics and white-hat hacking in DeFi.
Cetus DEX recovery and compensation plan
After the hack, the Cetus team paused its smart contract operations to prevent further losses. The Sui community then quickly launched a structured recovery and compensation strategy.
On May 29, Sui validators approved a governance vote to transfer $162 million in frozen assets to a multisig wallet managed by Cetus, starting the reimbursement process for affected users. The frozen funds will be held in a trust until they can be returned to users. The governance vote had 90.9% voting in favor (yes), 1.5% abstaining (committed but neutral) and 7.2% non-participating (inactive).
On May 30, Cetus DEX posted its recovery roadmap on X:
- Protocol upgrade: Sui validators will implement a network upgrade to transfer the frozen funds to the Cetus multisig trust. The multisig is controlled by Cetus, OtterSec and the Sui Foundation as keyholders (executed on May 31).
- CLMM contract upgrade: The concentrated liquidity market maker (CLMM) contract upgrade enabling emergency pool recovery is complete and currently undergoing an external audit.
- Data restoration: Cetus will restore historical pool data and calculate the liquidity losses for each affected pool.
- Asset conversions and deposits: Because of the many swaps executed by the attacker during the exploit, many recovered assets have drifted from their original forms. Cetus will carry out the necessary conversions using minimal-impact strategies, aiming to avoid large swaps or excessive slippage and to ensure fair and efficient pool rebalancing.
- Compensation contract: A dedicated compensation contract is under development and will be audited before deployment.
- Peripheral product upgrades: The associated modules are being upgraded to ensure full compatibility with the new CLMM contract, supporting a smooth relaunch.
- Full protocol restart: Core product functions will resume. Liquidity providers (LPs) in the affected pools will regain access to the recovered liquidity, with the remaining losses covered by the compensation contract. Unaffected pools will continue without interruption.
- Service restoration: Cetus will become fully operational.
Cetus plans to restart the protocol within a week. Once it is live, liquidity providers in the affected pools will gain access to the recovered funds, with the remaining losses covered by the compensation scheme.
Did you know? Cross-chain bridges are frequent weak points in DEX hacks. Attackers use them to move stolen assets across networks quickly, which makes recovery more complicated. Hacks involving bridges accounted for more than 50% of the crypto value stolen in 2022.
Lessons learned from the Cetus DEX exploit
The Cetus DEX exploit exposed critical vulnerabilities that extend beyond a single protocol, offering valuable insights for the wider DeFi community.
As decentralized platforms continue to grow in complexity and scale, the incident highlights key areas where the ecosystem must evolve to better protect user funds and maintain trust:
- Risks of open source dependencies: The Cetus hack highlights the risks of relying on open source libraries. Although these tools speed up development and encourage collaboration, they may contain hidden flaws, as the math library exploited in this attack shows. Several audits failed to detect this vulnerability, showing that audits alone are insufficient.
- Need for layered security: A robust defense strategy is essential to guard against novel exploits. This includes continuous code monitoring, real-time detection of unusual activity and automatic circuit breakers to stop suspicious transactions.
- Decentralization vs. security debate: The incident highlights the importance of balancing decentralization with user safety. Validators’ actions, such as freezing and recovering assets, were crucial to maintaining user confidence, but they raise questions about the extent of centralized control in a decentralized system.
- Call for proactive security: The hack highlights the need for adaptive security measures in DeFi. Protocols must prioritize user protection through proactive strategies that go beyond basic compliance, ensuring resilience against evolving threats.
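As an added illustration of the layered-defense point above (this is example code, not Cetus’s own contracts or anything from the post-mortem), here is a minimal pre-trade circuit breaker on a constructed constant-product pool. The pool math, the reserve-drain and price-deviation thresholds, and the external reference price are all assumptions; Cetus’s real CLMM pricing is more complex. The breaker refuses and halts a swap whose resulting reserves would drain the pool beyond a tolerance over a recent window, or whose resulting pool price would diverge from an independent reference beyond a tolerance, which is the class of anomaly a price-skewing drain produces.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed x*y=k pool standing in for a real AMM (not Cetus's CLMM)."""
    reserve_a: float
    reserve_b: float
    halted: bool = False

    def quote_a_for_b(self, amount_in: float):
        """Return (new_reserve_a, new_reserve_b, amount_out) without committing."""
        k = self.reserve_a * self.reserve_b
        new_a = self.reserve_a + amount_in
        new_b = k / new_a
        return new_a, new_b, self.reserve_b - new_b


class CircuitBreaker:
    """Pre-trade guard: reject and halt when a swap would breach drain or price limits."""

    def __init__(self, pool: Pool, reference_price: float,
                 max_drain=0.30, max_price_dev=0.20, window=10):
        self.pool = pool
        self.reference_price = reference_price  # assumed external oracle/TWAP price (B per A)
        self.max_drain = max_drain              # max fraction of B reserve lost vs recent peak
        self.max_price_dev = max_price_dev      # max |pool_price / reference - 1|
        self.recent_b = deque([pool.reserve_b], maxlen=window)  # committed B reserves

    def guarded_swap(self, amount_in: float):
        """Return (amount_out, alerts); amount_out is None when the swap is rejected."""
        if self.pool.halted:
            return None, ["pool halted"]
        new_a, new_b, out = self.pool.quote_a_for_b(amount_in)
        alerts = []
        drain = 1 - new_b / max(self.recent_b)  # cumulative drain within the window
        if drain > self.max_drain:
            alerts.append(f"reserve drain {drain:.0%} exceeds {self.max_drain:.0%}")
        dev = abs((new_b / new_a) / self.reference_price - 1)
        if dev > self.max_price_dev:
            alerts.append(f"price deviation {dev:.0%} exceeds {self.max_price_dev:.0%}")
        if alerts:
            self.pool.halted = True  # stop the pool until humans review, as Cetus did manually
            return None, alerts
        self.pool.reserve_a, self.pool.reserve_b = new_a, new_b
        self.recent_b.append(new_b)
        return out, alerts
```

The window makes a drain split across many smaller swaps still cumulate; a breaker like this is only as good as the independence of its reference price, so the reference must not be derived from the pool being guarded.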