Cetus DEX Confirms $223M Exploit Tied to Open-Source Bug, Proposes Onchain Vote to Recover Funds

Cetus Protocol, a decentralized exchange built on the Sui blockchain, has confirmed that a previously overlooked bug in an open-source library was responsible for a $223 million exploit that shook the platform last week.

The vulnerability, buried in the integer-mate library's checked_shlw function, stemmed from a misconfigured overflow check. Rather than validating inputs against a 192-bit limit, as intended, the function erroneously used a 256-bit check, opening the door to unchecked liquidity injections into Cetus' Concentrated Liquidity Market Maker (CLMM) pools.
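The following is an added illustration, not code from Cetus or from the integer-mate library, of why an overflow check written against the wrong bit width fails silently. It models a "checked shift-left by one 64-bit word" on 256-bit unsigned integers using Python's arbitrary-precision ints; the function names, the constants and the sample inputs are constructed for this example and do not reproduce the real implementation. A value that still fits in 256 bits after a 64-bit left shift must fit in 192 bits, so that is the bound the check has to enforce; checking against 256 bits instead accepts every input and lets the top 64 bits fall off.

```python
# Added example (not Cetus / integer-mate code): a checked 64-bit left shift
# on u256 values, with the bounds check written the wrong way and the right way.

U256_BITS = 256
U256_MASK = (1 << U256_BITS) - 1
WORD_BITS = 64
# n << 64 fits in 256 bits only if n fits in 192 bits (constructed constant).
SAFE_LIMIT = 1 << (U256_BITS - WORD_BITS)  # 2**192


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Bound checked at 256 bits: every valid u256 passes, so the shift
    silently truncates the top 64 bits instead of reporting overflow.
    Returns (result, overflowed)."""
    assert 0 <= n <= U256_MASK, "input must be a u256"
    if n >= (1 << U256_BITS):  # never true for a valid u256 input
        return 0, True
    return (n << WORD_BITS) & U256_MASK, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Bound checked at 192 bits: any input with a bit set at position 192
    or above is rejected before the shift can wrap."""
    assert 0 <= n <= U256_MASK, "input must be a u256"
    if n >= SAFE_LIMIT:
        return 0, True
    return (n << WORD_BITS) & U256_MASK, False


def bits_lost(n: int) -> int:
    """How many significant bits of n the buggy shift would discard."""
    return max(0, n.bit_length() - (U256_BITS - WORD_BITS))


if __name__ == "__main__":
    # Constructed inputs: one safely small, one just past the 192-bit limit.
    for n in (5, (1 << 192) + 1):
        print(f"input      = {n:#x}")
        print(f"buggy  -> {checked_shlw_buggy(n)}")
        print(f"fixed  -> {checked_shlw_fixed(n)}")
        print(f"bits lost by buggy shift = {bits_lost(n)}\n")
```

The second constructed input shows the failure mode: a number larger than 2**192 goes through the buggy check, and the wrapped result is only 2**64, a tiny value. Any caller that treats the shifted result as a "how much must be paid in" quantity would therefore compute a small amount from a huge input, which is the shape of the unchecked-liquidity problem the post-mortem describes. The fixed variant returns an overflow flag instead, and the caller can abort.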

The attacker exploited this loophole by manipulating pool prices via a flash swap. Using a small token input, they injected artificially inflated liquidity, then rapidly withdrew it in multiple cycles—effectively draining the pools.

In a detailed post-mortem, Cetus clarified that this incident was unrelated to an earlier audit flag concerning a MAX_U64 arithmetic check, which had caused some confusion on social media. The team acted quickly, disabling its core CLMM pools within 30 minutes of the attack’s onset. Despite the swift response, losses had already mounted to $223 million, sparking sharp price drops across various Sui-based tokens.

Shortly afterward, Sui validators began rejecting transactions from the attacker’s wallets. Once one-third of the network’s stake voted to block these addresses, about $162 million in assets were effectively frozen onchain. However, roughly $60 million had already been moved to Ethereum, converted into USDC, and swapped for ETH, according to blockchain analysts.

The validator intervention triggered debate within the crypto community, with some criticizing the move as a sign of centralization risk. Cetus acknowledged the controversy but emphasized the action was taken to protect user assets and now wants to put the next steps in the hands of the community.

Cetus is calling for an onchain vote involving validators and SUI stakers to determine whether the frozen funds should be recovered and returned to affected users.

“We want to recover and return the stolen funds, but we will respect whatever the community decides,” the team stated.

Cetus, alongside data analytics firm Inca Digital, has reached out directly to the attacker, requesting the return of approximately 20,920 ETH and the frozen assets on Sui. The DEX has promised no legal or public retaliation if the funds are returned voluntarily. So far, there has been no response, prompting Cetus to issue a $5 million bounty for any information leading to the hacker’s identification and arrest.