By Ethan 
In May 2025, the decentralized finance (DeFi) world was rocked by a massive smart contract breach that saw $223 million in crypto assets stolen from Cetus Protocol, a leading decentralized exchange (DEX) on the Sui blockchain. The attack, which exploited a critical vulnerability in the protocol’s liquidity pool smart contracts, underscores the growing sophistication of cybercriminals targeting blockchain vulnerabilities. This article dissects the mechanics of the Cetus Protocol hack, examines its implications, and offers actionable insights for securing DeFi platforms against future attacks.
On May 22, 2025, Cetus Protocol, a cornerstone of the Sui blockchain’s DeFi ecosystem, suffered a smart contract breach that drained approximately $223 million in digital assets, including SUI and USDC tokens. According to a post-mortem report by blockchain security firm Dedaub, the attackers exploited an arithmetic overflow flaw in the protocol’s Concentrated Liquidity Market Maker (CLMM) model, specifically within the checked_shlw function of a shared math library Dedaub Post-Mortem Analysis.
The vulnerability allowed attackers to manipulate liquidity calculations by depositing spoof tokens—fake assets like BULLA with no real economic value—into Cetus’s liquidity pools. By exploiting a flaw in the pricing mechanism, the attackers distorted pool balances, enabling them to withdraw substantial amounts of legitimate tokens at manipulated rates. The attack began with a flash loan, followed by a series of swaps and liquidity additions, ultimately siphoning $223 million across 46 liquidity pairs Cointelegraph.
The smart contract breach centered on a mathematical error in the checked_shlw function, which was intended to prevent overflows during liquidity calculations. According to Halborn, the function incorrectly compared values against an invalid threshold, allowing attackers to bypass overflow checks Halborn. By using a minimal input of one spoof token, the attacker tricked the system into registering an astronomically large liquidity position, enabling them to drain valuable assets like SUI and USDC.
The attackers further amplified the exploit by leveraging flash swaps and cross-chain transfers. Blockchain analytics firm Elliptic reported that approximately $60 million in stolen USDC was bridged to Ethereum and converted to 21,938 ETH Elliptic. This cross-chain movement highlights the complexity of modern crypto heists, where attackers exploit interoperability between blockchains to obscure their tracks.
Cetus Protocol acted swiftly, pausing its smart contracts within hours of detecting the breach to prevent further losses. The team, in collaboration with the Sui Foundation and network validators, froze $162 million of the stolen assets on the Sui blockchain, leaving roughly $61 million unrecovered Cetus Protocol on X. Cetus also offered the attacker a $6 million “whitehat settlement” to return the remaining funds, though negotiations are ongoing Crypto.news.
The Sui community approved a recovery plan, with 15% of CETUS’s token supply allocated to reimburse affected users. By June 8, 2025, Cetus relaunched its platform, restoring 85–99% of liquidity in impacted pools, bolstered by a $30 million loan from the Sui Foundation Cointelegraph. Despite these efforts, the hack triggered a 40% drop in CETUS’s token price and a 15% decline in SUI, shaking confidence in the Sui ecosystem.
The Cetus smart contract breach is part of a broader surge in crypto heists, with over $2 billion stolen from DeFi platforms in 2024 alone, according to Chainalysis The Record. Smart contract vulnerabilities, particularly in newer blockchains like Sui, are increasingly attractive to cybercriminals due to their complexity and rapid adoption. The Cetus hack exposed several structural flaws:
Inadequate Input Validation: The lack of robust checks for token legitimacy allowed spoof tokens to manipulate pricing mechanisms.
Oracle Manipulation: Cetus’s internal oracle, designed to reduce reliance on external data, failed to account for malicious inputs, enabling price curve distortions.
Audit Oversights: Despite multiple audits, the overflow flaw went undetected, highlighting limitations in current auditing practices.
These issues are not unique to Cetus. Similar vulnerabilities have plagued other DeFi protocols, such as the $190 million Nomad Bridge hack in 2024, emphasizing the need for more rigorous security standards Crypto.news.
Cetus’s reliance on audited open-source libraries created a false sense of security, a common pitfall in DeFi. Blockchain security firm BlockSec notes that the crypto industry spent over $1 billion on audits in 2023, yet losses from hacks exceeded $2 billion Cointelegraph. The Cetus incident, flagged by Ottersec in an earlier 2023 audit but left unaddressed, underscores that audits alone are insufficient without continuous monitoring and stress testing.
The smart contract breach at Cetus offers critical lessons for DeFi developers and users:
Validate All Inputs: Implement strict token validation to prevent spoof tokens from entering liquidity pools. Developers should enforce price deviation caps and circuit breakers to halt anomalous transactions.
Enhance Oracle Security: Use decentralized oracles like Chainlink or integrate multiple data sources to mitigate manipulation risks.
Conduct Economic Stress Tests: Simulate edge cases and adversarial scenarios to identify weaknesses in economic logic, as recommended by Genfinity.
Prioritize Real-Time Monitoring: Deploy systems to detect and respond to unusual transaction patterns immediately.
Expand Bug Bounties: Offer substantial rewards to whitehat hackers for identifying vulnerabilities before malicious actors exploit them.
For users, the hack highlights the importance of due diligence. Researching a protocol’s audit history, using hardware wallets, and diversifying investments across platforms can reduce exposure to such risks. Just as phishing scams continue to compromise user credentials in traditional sectors like the DMV, DeFi users are increasingly targeted through deceptive airdrops, fake DEX interfaces, and wallet drainers.
The Cetus smart contract breach has sparked debate about the security of emerging blockchains like Sui and Aptos. Critics, including X user @ItsDave_ADA, argue that validator-driven freezes undermine decentralization, transforming networks into “centralized, permissioned databases” Dedaub. This tension between security and decentralization is a recurring challenge for DeFi.
The hack also highlights the need for industry-wide standards. The Sui Foundation’s $10 million commitment to security initiatives, including audits and formal verification, is a step forward, but broader collaboration is needed to address systemic vulnerabilities The Defiant.
The $223 million Cetus Protocol smart contract breach is a stark reminder of the vulnerabilities inherent in DeFi’s rapid innovation. As cybercriminals grow more sophisticated, developers and users must prioritize security through rigorous audits, real-time monitoring, and robust design practices.