Cetus hacker incident follow-up: Governance proposal passed with overwhelming votes, protocol resumes and enters execution phase

The approval rate exceeds 90%.

On May 22, the Sui ecosystem decentralized trading protocol Cetus suffered a major security incident, with some of the fund pool assets stolen and some of the funds frozen in the attacker’s addresses. After the incident, how to deal with the frozen funds became the focus of the community.

After Cetus submitted a protocol upgrade proposal and received widespread response from the community, Sui officially issued a statement on May 24, expressing support for the return of frozen assets through on-chain governance, and put forward two preconditions: the Sui team will give up voting rights and remain neutral, and require Cetus to commit to mobilizing all financial resources to ensure that users receive full compensation.

On May 28, Cetus officially announced that it had obtained key financial support including from the Sui Foundation, and had the ability to make up for the gap in stolen funds off-chain, provided that the protocol upgrade proposal was successfully passed and the frozen assets were unlocked.

Subsequently, Cetus initiated a community-led on-chain vote, proposing a conditional protocol upgrade operation to transfer the assets locked in the two attacker addresses to a multi-signature wallet jointly managed by Cetus, Sui Foundation and OtterSec without the need for hacker signatures, and ultimately used for user compensation. Sui Foundation assisted in promoting the Sui validator network to complete this vote and participate in governance on behalf of the interests of its stakers.

The specific details of the protocol upgrade are as follows: a specific address will be allowed to act on behalf of two hacker addresses in only two predefined transactions (one transaction for each address). That is, we will specify two (hacker_address, aliased_address, TransactionDigest) tuples. For each tuple, the aliased_address is only allowed to play the role of the hacker_address in a specific transaction. This mechanism only applies to these two recovery transactions and cannot be used for any other purpose. After the recovery address is finalized, the two transactions will be constructed and announced.
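The rule described above can be modelled as a three-field match. The sketch below is an added illustration, not Sui's or Cetus's code: the type names, the `check_sender` function and all byte values are hypothetical and constructed for the example.

```rust
// Added illustration; not Sui's implementation. Names and values are hypothetical.
type Address = [u8; 32];
type TxDigest = [u8; 32];

/// One governance-approved exception: `alias` may act as `original`
/// only in the single transaction identified by `digest`.
struct AliasRule {
    original: Address,
    alias: Address,
    digest: TxDigest,
}

#[derive(Debug, PartialEq)]
enum SenderCheck {
    Owner,         // signer is the sender: the normal path
    ApprovedAlias, // signer matched one (original, alias, digest) tuple
    Rejected,
}

fn check_sender(rules: &[AliasRule], sender: &Address, signer: &Address, digest: &TxDigest) -> SenderCheck {
    if signer == sender {
        return SenderCheck::Owner;
    }
    // All three fields must match the same tuple; a partial match grants nothing.
    let hit = rules
        .iter()
        .any(|r| &r.original == sender && &r.alias == signer && &r.digest == digest);
    if hit { SenderCheck::ApprovedAlias } else { SenderCheck::Rejected }
}

// Constructed sample values standing in for the two frozen addresses,
// the recovery address and the two pre-announced transaction digests.
const HACKER_A: Address = [0xA1; 32];
const HACKER_B: Address = [0xB2; 32];
const RECOVERY: Address = [0xC3; 32];
const DIGEST_A: TxDigest = [0x01; 32];
const DIGEST_B: TxDigest = [0x02; 32];

fn recovery_rules() -> Vec<AliasRule> {
    vec![
        AliasRule { original: HACKER_A, alias: RECOVERY, digest: DIGEST_A },
        AliasRule { original: HACKER_B, alias: RECOVERY, digest: DIGEST_B },
    ]
}

fn main() {
    let rules = recovery_rules();
    println!("{:?}", check_sender(&rules, &HACKER_A, &RECOVERY, &DIGEST_A));
    println!("{:?}", check_sender(&rules, &HACKER_A, &RECOVERY, &DIGEST_B));
}
```

Because the digest is part of the match, the recovery address gains no general authority over either frozen address: any transaction other than the two announced ones falls through to `Rejected`.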

Finally, the proposal was passed ahead of schedule at 4:00 am Beijing time on May 30, with more than 90% of validators and stakers voting in favor. This marked the entry of the Cetus recovery plan into the implementation phase. The Cetus team said it would restart the protocol function within a week.

The main tasks include:

1. Protocol upgrade: Sui validators will implement the protocol upgrade and transfer the frozen funds to the Cetus multi-signature escrow account (the private key is jointly held by Cetus, OtterSec and Sui Foundation).

2. CLMM contract upgrade: The upgrade to support emergency fund pool recovery has been completed and is currently in the audit stage.

3. Data recovery: We will restore all fund pool data and calculate the liquidity loss for each attacked fund pool.

4. Asset conversion and recharge: Since the attacker performed a large number of exchange operations during the incident, the recovered assets are very different from the original form. We will use Cetus’s active judgment method to make necessary asset conversions based on the principle of minimum impact, avoid large-scale transactions or excessive slippage, and ensure that the capital pool is rebalanced efficiently and fairly.

5. Compensation Contract: A dedicated compensation contract is under development and will pass a third-party audit before going online.

6. Upgrade of relevant product modules: We are upgrading peripheral product modules to ensure their full compatibility with the new CLMM contracts and ensure a smooth restart process.

7. Full restart of the protocol: All core product functions will be restored. LPs of the affected pools will regain their recovered liquidity, and the remaining losses can be claimed through the compensation contract. Unaffected pools will continue to operate normally.

8. Cetus is fully back online.

The following is the version of this article when it was first published:

On the afternoon of May 22, the token CETUS of the leading DEX liquidity protocol Cetus Protocol on Sui Chain suddenly fell sharply, and the price almost dropped, and multiple token trading pairs on Cetus also experienced a sharp decline. Subsequently, many KOLs posted on X that the Cetus protocol LP pool was attacked by hackers.

According to on-chain monitoring, the Cetus attacker appears to have controlled all LP pools denominated in SUI, and as of the time of writing, the amount of theft has exceeded $260 million. Currently, the hacker has begun to convert funds into USDC and cross-chain to the Ethereum mainnet to exchange for ETH. About 60 million USDC has completed cross-chain transfers.

The hacker’s on-chain address is: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06. Currently, the main assets in this address are still SUI and USDT, but mainstream Sui ecological tokens such as CETUS, WAL, and DEEP are also included, which shows that the scope of this hacker attack is extremely wide.

On the evening of the 22nd, a member of the Cetus team said in the project Discord group chat that the Cetus protocol was not stolen, but an oracle bug appeared. But the on-chain data does not lie. According to statistics, the loss of the Cetus protocol LP pool exceeded US$260 million within 1 hour after the theft, exceeding the protocol TVL (US$240 million) and market value (US$180 million).

On the morning of the 23rd, Cetus officially released the latest progress of the theft on social media, saying that the team has found the root cause of the vulnerability and fixed the relevant software packages, and hired a professional anti-cybercrime organization to support our fund tracking and negotiations on the safe return of funds. We are currently negotiating with law enforcement agencies and arranging further assistance.

It is worth noting that the official said that it has confirmed the Ethereum wallet address controlled by the hacker in the attack earlier today, and has negotiated with him on the return of customer funds. It has been proposed to pay the outstanding balance in the name of the white hat hacker, but the time is limited. If the hacker accepts the terms, no further legal action will be taken.

Community opinion points out that the team has a history of theft

Interestingly, when Cetus caused the SUI ecosystem to plummet, many community members also pointed out on Twitter that Cetus and the previous Solana ecosystem DeFi protocol Crema Finance were developed by the same team, and Crema had suffered a theft incident.

On July 3, 2022, Crema Finance was also attacked by hackers using Solend flash loans, and the LP fund pool was drained, with a loss of more than $8 million. Then on July 7, the hacker returned $7.6 million worth of stolen cryptocurrency after negotiation with the team. According to the negotiation agreement between the two parties, the hacker was allowed to keep 45,455 SOL ($1.65 million) as a bounty.

Looking back at the Cetus theft, the protocol also suffered losses because the attacker controlled the LP pool, and the team also proposed to negotiate with the hacker by paying the outstanding balance in the name of the white hat hacker. There is currently no public information to prove that Crema and Cetus were indeed developed by the same team, but at present, both are indeed consistent in terms of the cause of the theft and the subsequent handling method.

Sui officials freeze hacker transactions, on-chain censorship raises questions about centralization

According to DeFiLlama data, Cetus has been the leading DEX and liquidity gathering place in the Sui ecosystem, accounting for more than 60% of the transaction volume of the entire ecosystem. This clearance-style attack undoubtedly directly destroyed the liquidity center of the ecosystem. For any second-tier public chain, this is a devastating blow.

Since March last year, the transaction volume on the Sui ecosystem chain has been on an overall upward trend, and the prices of mainstream ecosystem tokens such as CETUS, DEEP, and WAL have also been soaring. It is generally regarded by the community as the public chain with the greatest return potential in this cycle and the next Solana.

However, what’s interesting is that according to Dune data, there have always been a large number of wash trades on the Sui chain, and the ecological liquidity toxicity has been close to 50% for a long time. This is also part of the reason why the community has reported that the Sui ecosystem has nothing, but the price keeps rising.

Caption: The radius of the circle in the figure below shows the total transaction volume of a single address. It can be seen that the wallet with the largest transaction volume also has a high transaction frequency, indicating that there may be wash trading; Data source: Dune Analytics

However, Sui’s “strong market maker” persona has been established in the minds of traders for a long time. In the past month’s altcoin recovery, Sui was also the most outstanding one among the mainstream public chains. Faced with this major ecological theft, the foundation lived up to expectations and responded quickly, once again strengthening its “strong market maker persona”.

At around 11pm on the 22nd, Sui officially announced that, in order to protect the Sui ecosystem, a large number of Sui network validators had identified the hacker’s addresses holding the stolen funds and were ignoring transactions from these addresses. The CETUS team is also actively exploring ways to recover these funds and return them to the community, and will soon release an incident report.

As soon as the news came out, the community exploded, and transaction censorship by a public chain became the biggest point of controversy. Many X users believed that Sui’s response was a destruction of its decentralized positioning, turning Sui from a public chain into a centralized permission database.

According to Sui official documents, transactions on the Sui network are divided into two categories: those involving only exclusive objects or those involving shared objects at the same time. Only transactions involving shared objects must enter the consensus of the entire network, while transactions involving pure exclusive objects can take the direct fast path and can be executed without global sorting. As long as more than 2/3 of the total staked validators in the network are honest, the network can theoretically guarantee both security (no double spending) and activity (valid transactions will eventually be executed).

Under Sui’s delegated PoS + BFT design, in order to achieve continuous and indiscriminate transaction review, at least more than 1/3 of the staked voting rights must be jointly controlled. The review of a single or a few nodes can only cause temporary delays, and it is also easy to be regarded as malicious behavior and be voted offline by the stakers in the next epoch. This is also the anti-censorship and openness emphasized in the official documents. Obviously, the Sui Foundation controlled at least 1/3 of the staked voting rights of the entire network in this hacking incident.

The controversy over centralized public chains has started since the last cycle of Solana, and some community members have pointed out that anti-censorship properties are not the most important properties for current crypto investors. In a world where return rate is still the goal and core, perhaps pulling the market is justice.

Original article, author: 区块律动 BlockBeats.