
CETUS Hack Incident Follow-up: Governance Proposal Passed with Overwhelming Support, Protocol Recovery Moves to Execution Phase

2025-05-30 15:35

The Sui Ecosystem Cetus Protocol experienced a security incident on May 22nd, sparking community concern on how to handle the frozen funds. On May 24th, the Sui team announced support for a governance proposal by Cetus, which aims to perform a protocol upgrade to return the frozen funds. However, two conditions were attached to this proposal—officially relinquishing voting rights and maintaining neutrality, and requiring Cetus to commit to using all financial resources to achieve full user compensation.


On May 28th, the Cetus team stated in a post that they now have the ability to fully compensate for the off-chain stolen assets, including a crucial loan from the Sui Foundation, contingent on a community vote passing for the protocol upgrade to unlock the frozen assets.


Therefore, Cetus has requested to initiate a community-led vote to recover the funds frozen during last week's attack. In response, the Sui Foundation has agreed to facilitate a vote among Sui validation nodes, which represent the interests of their staked users and the entire network. Sui token holders and stakers can also participate directly in the vote through staking delegation.


Cetus's proposal involves executing a protocol upgrade to recover all funds currently frozen in two hacker addresses without requiring the hacker's signature. If the proposal is successful, these funds will be transferred to and held in a multi-signature custody wallet until they can be returned to the accounts that previously held positions in Cetus. The wallet will be controlled through a 6-of-6 and 4-of-6 multi-signature mechanism consisting of Cetus, the Sui Foundation, and the auditing firm OtterSec. A "Yes" vote indicates support for transferring the frozen assets to this trust wallet for gradual return to users under a verification mechanism, while a "No" vote means rejecting such a protocol upgrade.


The specifics of the protocol upgrade are as follows: a specific address will be allowed to act in only two predefined transactions, each representing one of the hacker addresses. In other words, we will define two (hacker_address, aliased_address, TransactionDigest) tuples. For each tuple, the aliased_address will only be allowed to act as the hacker_address in a specific transaction. This mechanism is solely applicable to these two recovery transactions and cannot be used for any other purpose. Once the recovery addresses are determined, these two transactions will be constructed and made public.
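
A minimal model of the alias rule described above, as an added example that is not Sui's or Cetus's code: it shows that a rule pinned to a transaction digest lets the aliased address sign only that exact transaction. The type names, the placeholder addresses and the use of Rust's `DefaultHasher` as a stand-in for the transaction digest are assumptions.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Simplified model. All names, types and values are constructed for
// illustration and are not Sui's actual implementation.
type Address = &'static str;
const HACKER: Address = "0xHACKER_A";   // placeholder, not a real address
const RECOVERY: Address = "0xRECOVERY"; // placeholder aliased_address
const CUSTODY: Address = "0xCUSTODY";   // placeholder multisig wallet

#[derive(Hash, Clone)]
struct Transaction { sender: Address, recipient: Address, amount: u64 }

struct AliasRule { hacker_address: Address, aliased_address: Address, tx_digest: u64 }

// Stand-in for TransactionDigest; a real chain uses a cryptographic hash.
fn digest(tx: &Transaction) -> u64 {
    let mut h = DefaultHasher::new();
    tx.hash(&mut h);
    h.finish()
}

// The signer is accepted if it is the sender itself, or if one rule matches
// the sender, the signer and the digest of this exact transaction.
fn signer_authorized(tx: &Transaction, signer: Address, rules: &[AliasRule]) -> bool {
    if signer == tx.sender {
        return true;
    }
    let d = digest(tx);
    rules.iter().any(|r| {
        r.hacker_address == tx.sender && r.aliased_address == signer && r.tx_digest == d
    })
}

// One constructed recovery transaction and the rule that is pinned to it.
fn sample() -> (Transaction, Vec<AliasRule>) {
    let tx = Transaction { sender: HACKER, recipient: CUSTODY, amount: 1_000 };
    let rule = AliasRule { hacker_address: HACKER, aliased_address: RECOVERY, tx_digest: digest(&tx) };
    (tx, vec![rule])
}

fn main() {
    let (tx, rules) = sample();
    let altered = Transaction { recipient: "0xELSEWHERE", ..tx.clone() };
    println!("recovery tx, alias signs: {}", signer_authorized(&tx, RECOVERY, &rules));
    println!("altered tx, alias signs:  {}", signer_authorized(&altered, RECOVERY, &rules));
    println!("recovery tx, other signs: {}", signer_authorized(&tx, "0xOTHER", &rules));
}
```

Because the rule stores a digest rather than a general permission, changing any field of the transaction produces a different digest and the alias no longer applies.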



Regardless of the voting outcome, Cetus has stated they will immediately commence the recovery plan post-vote, with detailed plans set to be announced soon.


At the time of writing, the CETUS token price has surpassed $0.16, with a 24-hour increase of 27%. With positive market feedback and foundation endorsement, whether the Cetus fund recovery plan can be implemented still depends on the upcoming Sui community vote.



The following is the version of this article at the time of its first release:


On the afternoon of May 22, the Sui on-chain DEX liquidity protocol Cetus Protocol's token CETUS suddenly experienced a sharp drop, with the price almost "rug pulled," and several token pairs on Cetus also saw a significant decline. Subsequently, many KOLs posted on X, stating that the Cetus protocol's LP pool had been attacked by a hacker.



According to on-chain monitoring, the Cetus attacker appeared to control all LP pools denominated in SUI, with the stolen amount exceeding $260 million at the time of writing. Currently, the hacker has begun converting funds to USDC and cross-chaining to the Ethereum mainnet to exchange for ETH, with approximately 60 million USDC already transferred cross-chain.


The hacker's on-chain address is: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06. The main assets in this address are still SUI and USDT, but Sui ecosystem mainstream tokens such as CETUS, WAL, DEEP are also included, indicating the extensive scope of this hack.



On the night of the 22nd, a member of the Cetus team stated in the project's Discord group that the Cetus protocol was not stolen but experienced an "oracle bug." However, on-chain data does not lie, and based on statistics, the loss in the Cetus protocol's LP pool exceeded $260 million within an hour after the theft incident, surpassing the protocol's TVL ($240 million) and market cap ($180 million).



On the morning of the 23rd, the Cetus team posted the latest update on the theft incident on social media, stating that the team had identified the root cause of the vulnerability, fixed the related packages, and hired a professional anti-cybercrime organization to support fund tracking and negotiations for the secure return of the funds. Negotiations with law enforcement are currently underway, and further assistance is being arranged.


It is worth noting that the team has confirmed that they have identified the Ethereum wallet address controlled by the hacker responsible for today's earlier attack and have been in discussions with them regarding the return of customer funds. An offer has been made to pay back the remaining balance in the name of a white-hat hacker, but time is limited. If the hacker accepts the terms, no further legal action will be taken.


Community Opinion Points Out Team's "History of Being Hacked"


Interestingly, as Cetus triggered a crash in the SUI ecosystem, many community members also pointed out on Twitter that Cetus was developed by the same team behind the Solana ecosystem DeFi protocol Crema Finance, which had experienced a previous hack.



On July 3, 2022, Crema Finance also fell victim to a hacker who used a Solend flash loan attack, draining the LP pool and causing a loss of over $8 million. Subsequently, on July 7, after negotiations with the team, the hacker returned stolen cryptocurrency worth $7.6 million. Under the terms of the negotiation agreement, the hacker was allowed to keep 45,455 SOL (worth $1.65 million) as a bounty.


Looking back at the recent Cetus hack, the protocol also suffered losses as the attacker controlled the LP pool. The team also proposed negotiating with the hacker to pay back the remaining balance in the name of a white-hat hacker. There is currently no public information confirming that Crema and Cetus were indeed developed by the same team, but based on the reasons for the hacks and the subsequent handling, they do seem aligned.


Sui Official Steps In to Freeze Hacker's Transactions, "On-Chain Surveillance" Behavior Raises Centralization Concerns


According to DeFiLlama data, Cetus had always been the flagship DEX and liquidity hub in the Sui ecosystem, with its trading volume accounting for over 60% of the entire ecosystem. This "fire sale" attack undoubtedly directly disrupted the ecosystem's liquidity core. On any "second-tier public chain," this would be a devastating blow.



Since March of last year, on-chain transaction volumes in the Sui ecosystem have been on the rise overall. Mainstream ecosystem tokens like CETUS, DEEP, and WAL have seen significant price increases, and Sui is widely regarded by the community as the public chain with the highest return potential in this cycle and the "next Solana."


However, interestingly, according to Dune data, there has been a significant amount of wash trading on-chain in Sui, with ecosystem liquidity toxicity consistently nearing 50%. This is part of the reason why the community has criticized the Sui ecosystem, saying "there's nothing there; the price just keeps going up."



Illustration: The radius of the circle in the figure below shows the total transaction volume of a single address. It can be seen that the wallet with the highest transaction volume also has a high transaction frequency, indicating the possibility of wash trading; Source: Dune Analytics

However, Sui's "strong market maker" image has long been established in the minds of traders. During the altcoin rally in the past month, Sui has also been one of the most prominent performers among mainstream blockchains. Faced with this major ecosystem theft, the foundation did not disappoint, promptly responding and once again reinforcing its "strong market maker" image.


Around 11:00 PM on the 22nd, Sui officially announced that, to "protect the Sui ecosystem," a large number of Sui network validators had identified the hackers' addresses holding the stolen funds and were ignoring transactions from these addresses. The CETUS team is also actively exploring ways to recover these funds and return them to the community, and will soon publish an incident report.



Upon this news, the community exploded, with "a public chain censoring transactions" becoming the biggest point of contention. Many users believe that Sui's response undermines its decentralization positioning, transforming Sui from a "public chain" into a "centralized permissioned database."



According to Sui's official documentation, transactions on the Sui network are divided into two types: those involving only "exclusive objects" and those that also involve "shared objects." Only transactions involving shared objects must enter full network consensus, while transactions involving purely exclusive objects can follow the "direct fast path," executing without the need for global ordering. As long as more than 2/3 of the total staked validators in the network are honest, the network theoretically ensures both security (no double-spending) and liveness (valid transactions will eventually be executed).


In Sui's Delegated PoS + BFT design, sustained, indiscriminate censorship of transactions requires joint control of over 1/3 of the staking voting power. Censorship by a single node or a few nodes can only cause temporary delays and is easily considered malicious behavior, leading to staking individuals being "voted offline" in the next epoch, as emphasized in the official documentation on "censorship resistance and openness." It is clear that the Sui Foundation controlled at least 1/3 of the network's staking voting power during this hacker incident.



The controversy surrounding "centralized public blockchains" began in the previous Solana cycle, and some community members also pointed out that "censorship resistance" is not the most important attribute for today's crypto investors. In a world still focused on returns and core values, perhaps "pump and dump" is the new justice.

