Cryptocurrency Vulnerability Exploited in $223 Million Cetus Protocol Hack

June 11, 2025

Ionut Arghire reports in SecurityWeek that on May 22, hackers exploited a vulnerability in the Cetus Protocol, a decentralized liquidity provider operating on the Sui blockchain, to steal approximately $223 million in cryptocurrency.

The exploit targeted the smart contract governing Cetus’s liquidity pools, prompting Cetus to suspend operations. The stolen funds, primarily SUI tokens and stablecoins, were partially frozen, but the incident remains one of the largest crypto thefts this year.

The Cetus Protocol, built on open-source smart contract code, utilized a vulnerable library that served as the entry point for the attackers.

By manipulating the liquidity pool’s tick and pricing mechanisms, the hackers drained token reserves in repeated cycles.

After acquiring the assets, the hackers converted USDT (a stablecoin) to USDC (a stablecoin that maintains a price of $1), bridged the funds to Ethereum, and transferred them to newly identified wallet addresses.

Despite the breach, Cetus has frozen $162 million and is working with the Sui Foundation and its partners to recover the remaining stolen funds.

In response, Cetus has offered the perpetrators a “whitehat settlement,” proposing they keep $6 million as a bounty if they return the rest. The company also announced a recovery plan that includes covering all lost assets using internal cash reserves, token treasuries, and a critical loan from the Sui Foundation.

The firm has committed to restoring all affected users’ funds and functionality, pending a community vote.

This breach underscores the legal and operational vulnerabilities in decentralized finance (DeFi) platforms, particularly involving open-source code. Law firms advising blockchain or fintech clients should emphasize rigorous contract auditing, robust incident response planning, and regulatory compliance.

The case also highlights the growing trend of “whitehat” negotiations post-breach, creating potential legal complexities in fund recovery and settlement structuring. Legal counsel must prepare clients for both preventive cybersecurity strategies and post-incident negotiations.
