Cetus Reveals Exploit Root Cause, Seeks Recovery Plan

May 27, 2025 – Cetus, a major decentralized exchange (DEX) built on the Sui Network, has published a comprehensive post-mortem report following a devastating $223 million exploit that occurred on May 22. The incident, which affected the platform’s concentrated liquidity market maker (CLMM) pools, marks one of the largest DeFi exploits in 2025 to date.

The report outlines the technical cause of the breach, details the platform’s rapid response, and presents initial steps toward fund recovery and ecosystem stability.


How the Exploit Unfolded

The attacker exploited a vulnerability in an open-source code library used in Cetus’ smart contracts. Specifically, the bug lay in how the liquidity management code performed overflow checks on bitwise left-shift operations. Because the check validated values incorrectly, inputs beyond the acceptable range were accepted, which broke the system’s internal balance accounting.

Exploit Mechanism:

  1. Flash Swaps were used to borrow tokens instantly within a single transaction.

  2. The attacker manipulated pool prices using distorted liquidity ratios.

  3. Fake liquidity was injected with minimal real tokens.

  4. Repeated cycles of withdrawal were carried out to drain multiple token pools.

This method allowed the attacker to withdraw large amounts of real tokens while only briefly depositing smaller amounts to create artificial liquidity. Over several rounds, they successfully extracted over $223 million in crypto assets, primarily stablecoins and major tokens.


Speedy Detection and Emergency Action

Cetus said it identified abnormal trading behavior within 10 minutes of the attack. The team immediately paused trading across the platform and reached out to Sui validators, who played a critical role in containing the damage.

With validator cooperation:

  • Approximately $162 million worth of stolen assets were frozen on the Sui network.

  • About $61 million, however, was already bridged to Ethereum, where it remains beyond direct recovery for now.

This validator action, while effective, has raised decentralization concerns in parts of the community.


Root Cause Clarified: Not the MAX_U64 Bug

Addressing speculation, Cetus clarified that this attack was unrelated to the previously known MAX_U64 arithmetic bug. Instead, the breach resulted from a new left-shift overflow vulnerability not caught in prior audits.

“This issue has nothing to do with the MAX_U64 arithmetic bug flagged in previous audits,” said the Cetus team. “The root cause was a faulty left-shift overflow check that incorrectly validated values beyond safe limits.”

This admission underscores the persistent risks in open-source DeFi systems, where the use of third-party code—no matter how widely adopted—can introduce systemic vulnerabilities.
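The faulty left-shift overflow check described above (and in the "How the Exploit Unfolded" section) belongs to a well-known bug class: a checked shift whose bound test rejects only some of the inputs that lose high bits. The following is an added illustration, not Cetus or library code; the 256-bit word size, the 64-bit shift, and the shape of the flawed check are assumptions chosen to show the class, and the inputs are constructed.

```python
# Added example (not Cetus or library code): a checked left shift on a
# fixed-width unsigned integer, comparing a hypothetical flawed overflow
# test with a correct one. Word width and shift amount are assumptions.
WIDTH = 256   # assumed word size
SHIFT = 64    # assumed shift amount
MASK = (1 << WIDTH) - 1


def overflows(n: int) -> bool:
    """Ground truth: does n << SHIFT lose any bits in a WIDTH-bit word?"""
    return (n << SHIFT) >> WIDTH != 0


def checked_shl_flawed(n: int) -> tuple[int, bool]:
    """Hypothetical flawed check: the bound is an all-ones mask shifted to
    the top of the word, so only values whose top SHIFT bits are all set
    (plus something below) are rejected. Other values with high bits set
    pass the check and the shifted result silently wraps."""
    bound = ((1 << SHIFT) - 1) << (WIDTH - SHIFT)
    if n > bound:
        return 0, True
    return (n << SHIFT) & MASK, False  # wraps, as fixed-width arithmetic would


def checked_shl_correct(n: int) -> tuple[int, bool]:
    """Correct check: n << SHIFT fits in WIDTH bits iff n < 2**(WIDTH - SHIFT)."""
    if n >= 1 << (WIDTH - SHIFT):
        return 0, True
    return n << SHIFT, False


def find_disagreements(samples):
    """Audit oracle: return inputs the flawed check accepts even though the
    shift actually loses bits. Running this over boundary values is the
    kind of property test that would have caught the defect before release."""
    bad = []
    for n in samples:
        _, flagged = checked_shl_flawed(n)
        if not flagged and overflows(n):
            bad.append(n)
    return bad


# Constructed boundary inputs: zero, one, the largest safe value, the
# smallest unsafe value, a mid-range unsafe value, and the all-ones word.
SAMPLES = [0, 1, (1 << (WIDTH - SHIFT)) - 1, 1 << (WIDTH - SHIFT), 1 << 200, MASK]
```

The flawed variant lets `1 << 192` and `1 << 200` through with a wrapped result of 0, which is exactly the "validated values beyond safe limits" failure the post-mortem describes; the correct variant flags both.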


Fallout: Market Impact and Community Reaction

The exploit’s repercussions were immediate and severe:

  • CETUS, the platform’s native token, plummeted 40% in value.

  • Total Value Locked (TVL) on the Sui network fell from $2.13 billion to $1.92 billion.

  • USDC temporarily lost its $1 peg due to liquidity disruptions.

Community reactions were mixed:

  • Praised: Sui validators’ swift response in freezing funds.

  • Criticized: The ability to freeze wallets raised centralization red flags.

  • Cautious optimism: Users appreciated Cetus’ transparency and commitment to a recovery plan.


Recovery Plan: White Hat Bounty and Rebuild Efforts

Cetus has laid out an ambitious plan for user compensation, system re-audits, and platform rebuilding:

Key Steps:

  • Smart Contract Re-Audits: The platform will conduct comprehensive re-evaluations of its codebase, including third-party dependencies.

  • Monitoring and Alert Upgrades: Enhanced surveillance tools will be deployed to catch anomalies earlier in real time.

  • Liquidity Recovery Fund: A joint liquidity restoration program is being initiated in partnership with ecosystem allies.

  • White Hat Bounty Offer: The attacker has been offered a $6 million bounty in exchange for returning the remaining funds, with Cetus abstaining from legal pursuit.

This approach mirrors past responses seen in DeFi, where hackers have returned assets in exchange for immunity and financial reward—a controversial but increasingly common resolution.


Community Governance and Validator Role

In the coming days, Cetus is urging the Sui validator community to support on-chain governance proposals that will allow token redistribution to affected users. Such a move would:

  • Utilize the frozen funds still on Sui.

  • Establish a user recovery mechanism, potentially through snapshots and compensatory airdrops.

  • Bolster trust in the Sui ecosystem’s resilience.

The community will play a central role in deciding how funds are allocated, whether penalties should apply, and what future guardrails should be set up to avoid similar events.


Broader Implications for DeFi

The Cetus exploit has sparked a renewed discussion about DeFi security, particularly around:

  • Code composability risks in smart contracts.

  • Flash loan and flash swap vulnerabilities.

  • Validator powers and the spectrum of decentralization.

  • Third-party code dependency management in open-source ecosystems.

As DeFi continues to grow in complexity and scale, incidents like these underscore the urgent need for multi-layered security, insurance mechanisms, and dynamic auditing practices.


Looking Ahead

Cetus remains committed to restoring user trust, strengthening its platform, and contributing to the evolution of secure DeFi practices. The team has pledged regular updates on:

  • Progress in audits and contract revisions

  • Outcomes of validator votes on recovery proposals

  • Timelines for liquidity restoration programs

The final outcome will depend not just on technical fixes, but on the DeFi community’s capacity to cooperate, adapt, and learn from failure.