
Cetus DEX Breach on Sui: a $223 Million Lesson in Basic Math

What happened? On 22 May a single attacker drained roughly $223 million from the concentrated-liquidity pools on Cetus DEX, the flagship exchange of the Sui ecosystem. Most of the loot was swapped from SUI into USDC, bridged to Ethereum and hurried through mixers.

The flaw in plain language

Deep inside the liquidity-math library lurked an unchecked integer overflow. By triggering that overflow the attacker could inflate the pool’s virtual reserves, then withdraw genuine tokens against phantom balances. Because the contract let several steps run inside one transaction, the entire exploit fit into a single block.
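To make the overflow concrete, here is an added example in Rust (not Cetus, Sui or any real CLMM library code) that writes one simplified liquidity formula three ways: with wrapping arithmetic, with checked arithmetic, and with widened arithmetic followed by a narrowing check. The Q32.32 fixed-point layout, the function names and the sample inputs are assumptions for illustration.

```rust
// Added example (not Cetus, Sui or any real CLMM library code): the same
// simplified liquidity formula written three ways, to show what an unchecked
// overflow does to a deposit calculation and the two checks that fail closed.
//
// Assumed model: sqrt prices are Q32.32 fixed-point u64 values, and the token
// amount needed to back `liquidity` over a sqrt-price range is
//     amount = (liquidity * delta_sqrt_price) >> 32
// Real CLMMs use wider fixed-point types, but the failure mode is identical.

/// Error returned when a liquidity computation cannot be represented safely.
#[derive(Debug, PartialEq, Eq)]
pub enum MathError {
    Overflow,
}

/// Unchecked version: the multiply silently wraps modulo 2^64.
/// For large inputs this returns a tiny deposit requirement, so a pool using
/// it would credit far more liquidity than the tokens received actually back.
pub fn required_deposit_unchecked(liquidity: u64, delta_sqrt_price: u64) -> u64 {
    liquidity.wrapping_mul(delta_sqrt_price) >> 32
}

/// Checked version: refuse to compute at all if the product does not fit.
pub fn required_deposit_checked(liquidity: u64, delta_sqrt_price: u64) -> Result<u64, MathError> {
    let product = liquidity
        .checked_mul(delta_sqrt_price)
        .ok_or(MathError::Overflow)?;
    Ok(product >> 32)
}

/// Widened version: do the multiply in u128, then prove the result fits in u64.
/// This is the usual idiom in AMM math; the final narrowing is the check that
/// must not be skipped.
pub fn required_deposit_widened(liquidity: u64, delta_sqrt_price: u64) -> Result<u64, MathError> {
    // A u64 * u64 product always fits in u128, so this step cannot overflow.
    let product = (liquidity as u128) * (delta_sqrt_price as u128);
    u64::try_from(product >> 32).map_err(|_| MathError::Overflow)
}

fn main() {
    // Constructed inputs: a liquidity figure and a price delta whose product
    // exceeds 2^64 (2^40 * 2^30 = 2^70), so the unchecked path wraps.
    let liquidity = (1u64 << 40) + (1u64 << 10);
    let delta = 1u64 << 30;

    println!("unchecked: {}", required_deposit_unchecked(liquidity, delta)); // 256
    println!("checked:   {:?}", required_deposit_checked(liquidity, delta)); // Err(Overflow)
    println!("widened:   {:?}", required_deposit_widened(liquidity, delta)); // Ok(274877907200)
}
```

The unchecked path reports that 256 base units are enough to back roughly 2^40 units of liquidity, which is exactly the "phantom balance" shape the post describes; the other two paths either refuse the input or return the true figure, and either behaviour keeps the pool's accounting honest.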

What was frozen

Validators on Sui reacted within minutes, halting suspicious transfers and freezing about $163 million of the stolen value. The remaining roughly $60 million escaped before the net closed.

Cetus’ response blueprint

  • Post-mortem first. Two days later the team laid out the bug line-by-line and took public blame.
  • Make LPs whole. A reimbursement plan—funded partly by the Sui security fund—is now circulating for community vote.
  • Audit, then relaunch. Halborn and Dedaub are re-auditing every contract; pools will reopen only after test-net trials with withdrawal caps.

Market ripple

SUI briefly slipped below $3.50 on the news, but clawed back most of the loss once the freeze and compensation plan were confirmed. Network TVL, however, remains down about 18 percent.

Takeaways for builders and users

  1. Third-party code isn’t “safe by default.” Open source still needs a fresh audit every release.
  2. One action, one critical step. Long atomic chains are catnip for attackers.
  3. Live on-chain monitoring pays. Catching the exploit fast is the reason two-thirds of the funds stayed put.
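Takeaway 3 and the single-transaction withdrawal caps mentioned later in the post both come down to a simple invariant: no withdrawal should exceed the reserves the pool has actually received, and none should move more than a bounded slice of them in one transaction. The following added example in Rust (not Cetus, Sui or any real monitoring product) checks both rules over a constructed event stream; the event shape, the basis-point cap and the sample amounts are assumptions.

```rust
// Added example (not Cetus, Sui or any real monitoring product): a minimal
// monitor that replays pool events, keeps its own tally of real reserves, and
// raises an alert when a withdrawal breaks either of two invariants:
//   1. it is larger than a per-transaction cap (a fraction of reserves), or
//   2. it is larger than the reserves the pool has actually received, which is
//      what a withdrawal against a phantom balance looks like from outside.

/// Constructed pool event. `tx` is a stand-in for a transaction digest.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PoolEvent {
    Deposit { tx: u64, amount: u64 },
    Withdraw { tx: u64, amount: u64 },
}

/// Alerts the monitor can raise for a single withdrawal.
#[derive(Debug, PartialEq, Eq)]
pub enum Alert {
    ExceedsSingleTxCap { tx: u64, amount: u64, cap: u64 },
    ExceedsTrackedReserve { tx: u64, amount: u64, reserve: u64 },
}

/// Replay `events` in order and return every alert, in the order raised.
/// `cap_bps` is the per-transaction withdrawal cap in basis points of the
/// reserve at the time of the withdrawal (2_500 = 25%).
pub fn scan_events(events: &[PoolEvent], cap_bps: u64) -> Vec<Alert> {
    let mut reserve: u64 = 0;
    let mut alerts = Vec::new();

    for ev in events {
        match *ev {
            PoolEvent::Deposit { amount, .. } => {
                reserve = reserve.saturating_add(amount);
            }
            PoolEvent::Withdraw { tx, amount } => {
                // Compute the cap in u128 so the multiply itself cannot overflow.
                let cap = ((reserve as u128) * (cap_bps as u128) / 10_000) as u64;
                if amount > cap {
                    alerts.push(Alert::ExceedsSingleTxCap { tx, amount, cap });
                }
                if amount > reserve {
                    alerts.push(Alert::ExceedsTrackedReserve { tx, amount, reserve });
                }
                // Keep replaying even after an alert; later events may add context.
                reserve = reserve.saturating_sub(amount);
            }
        }
    }
    alerts
}

/// Constructed sample stream: two ordinary deposits, one ordinary withdrawal,
/// then one withdrawal that exceeds both the cap and the tracked reserve.
pub fn sample_events() -> Vec<PoolEvent> {
    vec![
        PoolEvent::Deposit { tx: 1, amount: 1_000_000 },
        PoolEvent::Deposit { tx: 2, amount: 500_000 },
        PoolEvent::Withdraw { tx: 3, amount: 200_000 },
        PoolEvent::Withdraw { tx: 4, amount: 1_400_000 },
    ]
}

fn main() {
    for alert in scan_events(&sample_events(), 2_500) {
        println!("{:?}", alert);
    }
}
```

Tracking reserves independently of the contract's own bookkeeping is the point: if the contract's internal math is wrong, its self-reported balances are wrong too, while a monitor that sums actual token movements still sees the gap. A per-transaction cap of this kind also bounds how much a single atomic chain (takeaway 2) can move before anyone can react.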

What’s next

  • Validators will vote in early June on how to redistribute the frozen tokens to affected LPs.
  • Cetus pools will stay offline until the new audits clear and hard limits on single-tx withdrawals are in place.
  • The team is coordinating with exchanges and chain-analysis firms to trace the missing $60 million and prepare a civil claim.

Bottom line

Even “next-gen” blockchains can stumble over a classic overflow. While projects race to ship new features, basic math remains the soft spot attackers probe first. For anyone providing liquidity, the safest wager is still diversification—and a close eye on audit reports, not just juicy APR figures.
