On May 22, the Sui ecological Cetus protocol had a sudden security incident, and how to deal with the frozen funds became the focus of community attention. On May 24, Sui officially announced its support for the on-chain governance proposal initiated by Cetus to return the frozen funds through protocol upgrades, but with two additional conditions - the official will give up voting rights, remain neutral, and require Cetus to promise to use all financial resources to achieve full compensation from users.

On May 28, Cetus officials announced that they have the ability to fully compensate for off-chain stolen assets, including key loans from the Sui Foundation, but this is contingent upon the community voting to approve the protocol upgrade to unlock the frozen assets.

As a result, Cetus is requesting a community-led vote to recover the funds that were frozen in last week's attack. In response, the Sui Foundation agreed to assist in initiating a vote between Sui validators, who represent the interests of their stakers and the network as a whole. Sui holders and stakers can also directly participate in voting through staking delegation.

Cetus' proposal is to perform a protocol upgrade to recover all funds currently frozen in two hacker addresses without the need for a hacker's signature. If the proposal passes, the funds will be transferred and held in a multisig custodial wallet until they can be returned to accounts that have held positions in Cetus. The funds will be held in custody in a multi-signature controlled wallet, which is controlled by a 6-4-signature mechanism consisting of Cetus, Sui Foundation, and OtterSec. Voting "yes" means that you support the transfer of frozen assets to the trust wallet and return them to users in batches under the verification mechanism; Voting "no" means refusing to make such an upgrade.

Regardless of the voting results, Cetus stated that it will immediately initiate the recovery plan after the voting ends, with detailed plans to be announced soon.

As of the time of writing, the price of CETUS token has surpassed $0.16, with a 24-hour increase of 27%. Whether the Cetus funding recovery plan can be implemented, under the positive market feedback and endorsement from the foundation, still depends on the upcoming Sui community vote.

The following is the version at the time of the article's first release:

On the afternoon of May 22, the leading DEX liquidity protocol Cetus Protocol on the Sui chain saw a sudden and significant drop in the price of its token CETUS, which almost "plummeted." Additionally, multiple token trading pairs on Cetus experienced a sharp decline. Subsequently, many KOLs posted on X, stating that the LP pool of the Cetus protocol had been attacked by hackers.

According to on-chain monitoring, the Cetus attackers seem to have controlled all LP pools priced in SUI, with the amount stolen exceeding $260 million as of the time of writing. Currently, the hackers have begun converting the funds to USDC and cross-chain transferring them to the Ethereum mainnet for conversion to ETH, with approximately 60 million USDC already completed in cross-chain transfers.

The hacker's on-chain address is: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06. Currently, the main assets in this address are still primarily SUI and USDT, but it also includes mainstream tokens from the Sui ecosystem such as CETUS, WAL, DEEP, etc., indicating that the scope of this hacker attack is very wide.

On the evening of the 22nd, a member of the Cetus team stated in the project's Discord group chat that the Cetus protocol had not been hacked, but rather there was a "oracle bug." However, on-chain data does not lie; according to statistics, the losses in the Cetus protocol's LP pool exceeded $260 million within 1 hour after the hack occurred, surpassing the protocol's TVL of $240 million and market cap of $180 million.

On the morning of the 23rd, Cetus officially announced the latest developments regarding the recent theft on social media, stating that the team has identified the root cause of the vulnerability and has fixed the related software packages. They have also hired a professional anti-cybercrime organization to assist with our fund tracking and negotiations regarding the safe return of the funds. Currently, discussions are ongoing with law enforcement, and further assistance is being arranged.

It is worth noting that the officials have confirmed the Ethereum wallet address controlled by the hackers involved in the attack earlier today and have negotiated with them regarding the return of customer funds. A payment of the outstanding balance has been proposed under the name of white hat hackers, but time is limited. If the hackers accept the terms, no further legal action will be taken.

Community opinion points out the team's "theft history"

Interestingly, as Cetus triggered a collapse in the SUI ecosystem, many community members also pointed out on Twitter that Cetus and the previous Solana ecosystem DeFi protocol Crema Finance were developed by the same team, and Crema had previously experienced a theft incident.

On July 3, 2022, Crema Finance was also attacked by hackers using a Solend flash loan, resulting in the liquidity pool being drained and losses exceeding 8 million dollars. Subsequently, on July 7, after negotiations with the team, the hacker returned 7.6 million dollars worth of stolen cryptocurrency. According to the negotiated agreement, the hacker was allowed to keep 45,455 SOL (1.65 million dollars) as a bounty.

Looking back at the Cetus theft incident, the protocol also suffered losses because the attacker controlled the LP pool. At the same time, the team proposed negotiating with the hacker by paying the outstanding balance in the name of white-hat hackers. Currently, there is no public information proving that Crema and Cetus are indeed developed by the same team, but from the perspective of both the reason for the theft and the subsequent handling method, the two are indeed consistent.

Sui Officially Freezes Hacker Transactions, "on-chain" Review Actions Raise Centralization Concerns

According to DeFiLlama data, Cetus has previously been the leading DEX and liquidity hub in the Sui ecosystem, accounting for over sixty percent of the total trading volume in the ecosystem. This "liquidation-style" attack has undoubtedly directly undermined the liquidity center of the ecosystem, which would be a devastating blow for any "second-tier public chain."

Since March last year, the trading volume on the Sui ecosystem's on-chain has been showing an overall upward trend, with the prices of mainstream ecosystem tokens such as CETUS, DEEP, and WAL soaring, widely regarded by the community as the public chain with the highest potential for returns in this cycle and the "next Solana."

However, interestingly, according to data from Dune, there has been a large amount of wash trade on the Sui on-chain, with ecological liquidity toxicity (Flow Toxicity) remaining close to 50% for a long time. This is also part of the reason why the community reports that the Sui ecosystem "has nothing, yet the price keeps rising."

Illustration: The radius of the circle in the figure below shows the total transaction volume of a single address. It can be seen that the wallet with the highest transaction volume also has a high transaction frequency, indicating the possibility of wash trading; Data source: Dune Analytics

However, Sui's "strong whale" persona has been established in the minds of traders for quite some time. Over the past month, during the recovery of altcoins, Sui has also been one of the most outstanding performers among mainstream public chains. In response to this major ecological theft, the foundation indeed lived up to expectations, quickly providing a response that further reinforced its "strong whale persona."

On the evening of the 22nd, around 11 PM, the Sui official announced that in order to "protect the Sui ecosystem," a large number of Sui network validators confirmed the hacker addresses with stolen funds and ignored the transactions from these addresses. The CETUS team is also actively exploring ways to recover these funds and return them to the community, and will soon release an incident report.

As soon as the news broke, the community erupted, and "public chain review of transactions" became the biggest point of controversy. Many X users believe that Sui's response undermines its decentralized positioning, turning Sui from a "public chain" into a "centralized permissioned database."

According to Sui's official documentation, transactions on the Sui network are split into two categories: only "exclusive objects" or both "shared objects", and only transactions involving shared objects must enter the consensus of the whole network, while purely exclusive object transactions can take the "direct fast path" (direct fast path) and can be executed without global ordering. As long as validators in the network with >2/3 of the total stake are honest, the network can theoretically guarantee both security (no double-spending) and viability (valid transactions will eventually be executed).

Under the delegated PoS + BFT design of Sui, to achieve continuous and indiscriminate transaction review, it is necessary to jointly control more than 1/3 of the staked voting power. The review by a single or a few nodes can only cause temporary delays and can easily be seen as malicious behavior, leading to delegates "voting offline" in the next epoch. This is also what the official documentation emphasizes regarding "censorship resistance and openness." Clearly, the Sui Foundation controlled at least 1/3 of the entire network's staked voting power during this hacking incident.

The controversy surrounding "centralized public chains" began during the last cycle with Solana. Some community members have pointed out that "anti-censorship properties" are not the most important attributes for current crypto investors. In a world still focused on returns and core objectives, perhaps "pump and dump" is justice.

：