Cetus Protocol, the largest DEX and liquidity hub on Sui, froze all smart-contract activity on 22 May 2025 after an oracle-pricing bug let a single wallet drain ≈ 12.99 million SUI plus other assets in just 15 minutes. At the time of writing, the attacker holds over $220 million of on-chain value across four wallets on Sui and Ethereum (detailed below). The fallout also collapsed Sui-based memecoins by up to 90 % and sent a chill through the wider DeFi market. While no contract logic was “hacked,” the Cetus Exploit proved that a faulty oracle is enough to bankrupt an otherwise-secure AMM. This deep-dive reconstructs the exploit from raw transactions, follows the attacker’s wallet hops, and places the fiasco in the broader context of oracle risk, which academic research holds responsible for almost two-thirds of DeFi losses.
1 | Minute-by-Minute Breakdown
UTC | On-chain action | Value at execution | Notes
---|---|---|---
10:30 | First swap from 0xe2…8ff06 | 500 USDC → 3.25 M SUI | Oracle price ≈ 0.00015 USDC/SUI
10:34 | Second swap | 2.99 M SUI ≈ US $11.8 M | Same manipulated rate
10:37 | 5 M SUI bridged to 0x4b…9cd12 | — | Laundering step
10:45 | Cetus pauses contracts | — | Discord & X announcements
2 | What Went Wrong—Inside the Oracle Bug
Cetus uses a lightweight in-house price oracle that periodically self-samples pool reserves instead of pulling from an external aggregator. A timestamp-rollover bug let the attacker feed a stale reserve snapshot into the pricing routine, convincing the contract that 1 SUI ≈ 0.00015 USDC instead of the real price of ≈ 3.96 USDC recorded earlier. With the price roughly 26 000× too low, buying out the pool cost pennies.
3 | Follow the Money—Wallet & Bridge Activity
- Origin address: 0xe2…8ff06 (created hours before the attack).
- Current holdings: Sui wallet 1 holds over $70M in various memecoins; Sui wallet 2 holds $92M in SUI; ETH wallet 1 holds $52M in ETH; ETH wallet 2 holds $8.5M.
- Bridging: Funds routed through 0x4b…9cd12 and then into a popular Cosmos-EVM bridge, swapping to ETH.
- Current status: 0xe2…8ff06 shows outbound transfers only; no inbound calls after pause.
Lookonchain analysis confirms ≥ 32.9 M SUI flowed through the wallet network, implying the attacker has started mixing proceeds across chains.
4 | Damage Report
Metric | Pre-exploit | Post-exploit | Δ
---|---|---|---
Cetus TVL | US $428 M (21 May) | ≈ US $34 M (paused) | −92 %
CETUS price | US $0.126 | US $0.075 | −40 %
BULLA, MOJO memecoins | Variable | −85 to −90 % | Liquidity death-spiral
SUI CEX price | US $3.96 | US $4.00 (stable) | CEXs isolated
5 | Community & Industry Response
- Cetus team calls the Cetus Exploit “an oracle bug, not a hack,” pledging full post-mortem and plans for a layered oracle solution.
- Security auditors PeckShield and d0rsky outline the spoof-token reserve-skew method, urging AMMs to integrate multi-source feeds (e.g., Chainlink CCIP).
- Rival ecosystems (ICP, Cardano) tout their cryptographic oracle schemes as exploit-proof.
- Academia has long warned nearly 60 % of DeFi exploits stem from oracle failures.
- Recent precedent: Term Finance lost US $1.6 M in April after an ETH oracle mis-configuration, half later recovered.
6 | Technical Lessons for Builders
- Decouple pricing from internal reserves.
- Use medianised, multi-source feeds with deviation thresholds.
- Continuous circuit-breakers: freeze only the affected pool, not the entire DEX.
- Real-time anomaly detection (TVL or reserve delta > x σ) can halt trading within seconds (CyVers).
- Mandatory upgrade path: allow emergency parameter changes without full contract redeploy.
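One way to turn the lessons above (and the stale-snapshot failure described in section 2) into code, as an added illustration that is not Cetus's code or anything recovered from the incident: a Python oracle guard that rejects reserve snapshots outside a freshness window (so a rolled-over or otherwise out-of-window timestamp is never trusted as the newest tick), prices from the median of several external feeds, and pauses only the pool whose reserve-derived price deviates from that reference beyond a threshold. The feed names, thresholds and sample quotes are constructed assumptions.

```python
from statistics import median

# Thresholds are illustrative assumptions, not Cetus parameters.
MAX_AGE = 60          # seconds; a reserve snapshot older than this is stale
MAX_DEVIATION = 0.05  # 5 % gap tolerated between pool price and reference
MIN_SOURCES = 2       # refuse to price from fewer fresh feeds than this

def is_fresh(sample_ts: int, now: int, max_age: int = MAX_AGE) -> bool:
    # Accept only timestamps inside [now - max_age, now]. A value that claims
    # to be newer than `now` (what a wrapped or rolled-over clock can yield)
    # is rejected instead of being trusted as the latest tick.
    return now - max_age <= sample_ts <= now

def reference_price(feeds: list, now: int) -> float:
    # Median of the fresh external feeds; each feed is (source, price, ts).
    fresh = [price for _, price, ts in feeds if is_fresh(ts, now)]
    if len(fresh) < MIN_SOURCES:
        raise ValueError(f"only {len(fresh)} fresh feeds, need {MIN_SOURCES}")
    return median(fresh)

def deviation(pool_price: float, ref: float) -> float:
    # Relative distance of the reserve-derived pool price from the reference.
    return abs(pool_price / ref - 1.0)

class PoolGuard:
    # Per-pool circuit breaker: a bad price freezes that pool, not the DEX.
    def __init__(self) -> None:
        self.paused: set = set()

    def check_swap(self, pool: str, pool_price: float, feeds: list, now: int) -> bool:
        # True if the swap may proceed at pool_price; False (and pause) if not.
        if pool in self.paused:
            return False
        ref = reference_price(feeds, now)
        if deviation(pool_price, ref) > MAX_DEVIATION:
            self.paused.add(pool)  # halt only this pool; others keep trading
            return False
        return True

# Constructed sample data (not real feed output): three quotes near the
# ~3.96 USDC/SUI market price, plus one feed carrying an out-of-window
# (far-future) timestamp that the guard must ignore.
NOW = 1_000_000
FEEDS = [("feedA", 3.95, NOW - 5), ("feedB", 3.96, NOW - 10),
         ("feedC", 3.97, NOW - 20), ("feedD", 0.00015, NOW + 4_000_000_000)]
MANIPULATED_POOL_PRICE = 0.00015  # the stale-reserve price cited in the incident
HONEST_POOL_PRICE = 3.98
```

Calling `PoolGuard().check_swap("SUI/USDC", MANIPULATED_POOL_PRICE, FEEDS, NOW)` returns False and pauses only that pool; a swap on another pool at an honest price is still accepted.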
7 | Can Sui Bounce Back?
Sui’s core value proposition (parallelised Move execution) remains intact, and centralised-exchange pricing never flinched. But DeFi mind-share is fragile; capital migrates fast. Unless the Cetus team delivers a transparent fix and a credible oracle hardening roadmap, TVL may continue bleeding to Solana, Layer-2s, or competing Sui DEXs. The coming weeks will test whether Sui’s developer community can turn a US $200M+ lesson into a security renaissance.
8 | Key Take-Aways
- Oracle design is security design. Every AMM price curve relies on truthful data; a single stale tick can vaporize liquidity.
- Layer-1 tech is not a silver bullet. Even fast block-finality (Sui) can’t save an app with unsafe external dependencies.
- Transparency matters. Rapid public updates and on-chain forensics limited contagion and kept CEX markets calm.
- Diversify defenses. Combine decentralized oracles, TWAP guards, and economic circuit-breakers.
The only acceptable answer is a rigorous, open-sourced oracle overhaul, on Sui and everywhere DeFi touches critical value.
Disclaimer: The information provided here is for educational and informational purposes only and should not be construed as financial, investment, or legal advice. Always conduct your own research and consult a qualified professional before making any investment decisions.