{"id":24201,"date":"2025-05-22T14:48:45","date_gmt":"2025-05-22T11:48:45","guid":{"rendered":"https:\/\/forklog.com\/en\/hackers-drain-11m-from-cetus-pool-on-sui\/"},"modified":"2025-05-22T14:48:45","modified_gmt":"2025-05-22T11:48:45","slug":"hackers-drain-11m-from-cetus-pool-on-sui","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hackers-drain-11m-from-cetus-pool-on-sui\/","title":{"rendered":"Hackers drain $11m from Cetus pool on Sui"},"content":{"rendered":"<p>Attackers targeted pools on the Cetus DEX on Sui. They siphoned $11 million from the SUI\/USDC liquidity pool, triggering price drops of about 75% for most tokens and leaving reserves nearly depleted.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">? BREAKING: Cetus, main LP provider DEX on <a href=\"https:\/\/twitter.com\/search?q=%24SUI&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$SUI<\/a>, allegedly hacked.<\/p>\n<p>$11M in <a href=\"https:\/\/twitter.com\/search?q=%24SUI&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$SUI<\/a> drained from SUI\/USDC pool, with most tokens down 75%+ as pools are emptied. <a href=\"https:\/\/t.co\/sWKwsZGjaM\">pic.twitter.com\/sWKwsZGjaM<\/a><\/p>\n<p>\u2014 Cointelegraph (@Cointelegraph) <a href=\"https:\/\/twitter.com\/Cointelegraph\/status\/1925509145366503486?ref_src=twsrc%5Etfw\">May 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Cetus is the main liquidity provider platform for the DeFi ecosystem.<\/p>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">22 May 2025 | 18:23<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span><\/p>\n<p>The founder of SuiNetwork Africa, known as Nefarii.sui, <a href=\"https:\/\/x.com\/NefariiLightt\/status\/1925563010740826606\">summarised<\/a> what is known about the incident:<\/p>\n<ul class=\"wp-block-list\">\n<li>the attacker exploited a vulnerability in the Cetus protocol;<\/li>\n<li>funds worth ~$220 million were affected; <\/li>\n<li>$160 million have already been frozen and may be recovered\u2014they will be returned to the Cetus liquidity pool;<\/li>\n<li>the Cetus team and Sui developers are working to recover the remaining $60 million;<\/li>\n<li>the network itself was not affected;<\/li>\n<li>Cetus Protocol has fixed the vulnerability and resumed operations.<\/li>\n<\/ul>\n<\/div>\n<p>Over the past hour, SUI fell by almost 5%.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/SUIUSDT_2025-05-22_14-36-51-1024x565.png\" alt=\"SUIUSDT_2025-05-22_14-36-51\" class=\"wp-image-259209\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/SUIUSDT_2025-05-22_14-36-51-1024x565.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/SUIUSDT_2025-05-22_14-36-51-300x165.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/SUIUSDT_2025-05-22_14-36-51-768x424.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/SUIUSDT_2025-05-22_14-36-51.png 1438w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Hourly chart of SUI\/USDT on Binance. Source: <a href=\"https:\/\/www.tradingview.com\/chart\/?symbol=BINANCE%3ASUIUSDT\">TradingView<\/a>.<\/figcaption><\/figure>\n<p>The CETUS token dropped 30%.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/CETUSUSDT_2025-05-22_14-42-03-1024x565.png\" alt=\"CETUSUSDT_2025-05-22_14-42-03\" class=\"wp-image-259210\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/CETUSUSDT_2025-05-22_14-42-03-1024x565.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/CETUSUSDT_2025-05-22_14-42-03-300x165.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/CETUSUSDT_2025-05-22_14-42-03-768x424.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/CETUSUSDT_2025-05-22_14-42-03.png 1438w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Hourly chart of SUI\/USDT on OKX. Source: <a href=\"https:\/\/www.tradingview.com\/chart\/?symbol=OKX%3ACETUSUSDT\">TradingView<\/a>.<\/figcaption><\/figure>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">22 May 2025 | 15:16<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span><\/p>\n<p>The Cetus team confirmed the incident.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">?Alert Announcement ?<\/p>\n<p>There was an incident detected on our protocol and our smart contract has been paused temporarily for safety. The team is investigating the incident at the moment. A further investigation statement will be made soon. We are grateful for your patience.<\/p>\n<p>\u2014 Cetus? (@CetusProtocol) <a href=\"https:\/\/twitter.com\/CetusProtocol\/status\/1925515662346404024?ref_src=twsrc%5Etfw\">May 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cAnomalous activity detected. Smart contracts temporarily paused. We are investigating the situation. More details will follow later,\u201d \u2014<\/em> said the DEX<em>.<\/em><\/p>\n<\/blockquote>\n<p>Part of the Sui community believes the episode is linked not to a hack but to an oracle error\u2014the mechanism responsible for price data.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/search?q=%24CETUS&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$CETUS<\/a> IS NOT HACKED. <\/p>\n<p>BUG IN THE ORACLE.<\/p>\n<p>FALSE ALARM AND I GOT A NICE FUD ENTRY <a href=\"https:\/\/t.co\/BF905WDs9r\">pic.twitter.com\/BF905WDs9r<\/a><\/p>\n<p>\u2014 Lieutenant Ponzi (@LieutenantPonzi) <a href=\"https:\/\/twitter.com\/LieutenantPonzi\/status\/1925512574583357843?ref_src=twsrc%5Etfw\">May 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<p>Journalist Colin Wu reported that a hacker at address 0xe28b\u2026e8ff06 drained liquidity from several Cetus pools and swapped it for SUI. The address currently holds assets worth ~$150 million, including 12.989 million SUI (~$54 million).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Suiscan shows that the hacker: 0xe28b\u2026e8ff06 drained token liquidity from various Cetus pools and swapped it for SUI. The hacker currently holds assets worth ~$150 million, including 12.989 million SUI (~$54 million).<\/p>\n<p>\u2014 Wu Blockchain (@WuBlockchain) <a href=\"https:\/\/twitter.com\/WuBlockchain\/status\/1925513939313729563?ref_src=twsrc%5Etfw\">May 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">22 May 2025 | 17:28<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span><\/p>\n<p>The attacker is moving funds across chains and converting them to ether. The address on Ethereum holds more than 9,200 ETH (about $24 million), and the sum is still rising, Wu noted.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">The hacker is performing cross-chain operations and exchanging them for ETH. Currently, the hacker: 0x89\u2026919b holds more than 9,200 ETH (worth about $24 million) on Ethereum and is still expanding.<\/p>\n<p>\u2014 Wu Blockchain (@WuBlockchain) <a href=\"https:\/\/twitter.com\/WuBlockchain\/status\/1925521419292876892?ref_src=twsrc%5Etfw\">May 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Binance founder Changpeng Zhao said he is doing what he can to help Sui.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We are doing what we can to help SUI. Not a pleasant situation. Hope everyone stay SAFU!<\/p>\n<p>\u2014 CZ ? BNB (@cz_binance) <a href=\"https:\/\/twitter.com\/cz_binance\/status\/1925521793231548508?ref_src=twsrc%5Etfw\">May 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Bluefin, the second-largest DEX on Sui, temporarily paused its spot platform to protect users.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">To protect our users, we\u2019ve temporarily paused actions on Bluefin Spot as a precautionary measure. We want to emphasize that Bluefin remains fully secure.<\/p>\n<p>Our team is actively monitoring the situation. Thank you for your trust.<\/p>\n<p>\u2014 Bluefin (@bluefinapp) <a href=\"https:\/\/twitter.com\/bluefinapp\/status\/1925533269262582013?ref_src=twsrc%5Etfw\">May 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Momentum, the ecosystem\u2019s third-largest DEX by volume, suspended all activities as a precaution.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Due to the ongoing exploit on Cetus, we temporarily paused all activities on Momentum as a precautionary measure. All funds are 100% SAFE. We are in communication with the Sui foundation regarding next steps.<\/p>\n<p>\u2014 Momentum (@MMTFinance) <a href=\"https:\/\/twitter.com\/MMTFinance\/status\/1925530002566594882?ref_src=twsrc%5Etfw\">May 22, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<p>On May 22, on-chain sleuth ZachXBT <a href=\"https:\/\/forklog.com\/en\/news\/hacker-linked-to-300-million-coinbase-theft-swaps-45-million-via-thorchain\">reported<\/a> that an unknown party linked to the $300 million theft from Coinbase users swapped $42.5 million in bitcoin for ether via Thorchain.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers targeted pools on the Cetus DEX on Sui. They siphoned $11 million from the SUI\/USDC liquidity pool, triggering price drops of about 75% for most tokens and leaving reserves nearly depleted. ? BREAKING: Cetus, main LP provider DEX on $SUI, allegedly hacked. $11M in $SUI drained from SUI\/USDC pool, with most tokens down 75%+ [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":24200,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,787,1651],"class_list":["post-24201","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-dex","tag-sui-sui"],"aioseo_notices":[],"amp_enabled":true,"views":"182","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/24201","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=24201"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/24201\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/24200"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=24201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=24201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=24201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}