Cetus Protocol, the leading decentralized exchange on the Sui blockchain, has issued a $6 million whitehat bounty to the attacker responsible for a staggering $223 million exploit.
In a May 22 statement, Cetus confirmed it had traced the attacker’s Ethereum wallet and sent an on-chain message offering a legal settlement. The offer: return 20,920 ETH and all frozen Sui assets in exchange for 2,324 ETH (~$6M) and a promise of no legal pursuit.
“This is a limited-time opportunity,” the message reads. “Any attempt to mix or off-ramp the funds will nullify the offer.”
Cetus says it is working with the Sui Foundation, Inca Digital (a cybersecurity firm), law enforcement, FinCEN, and even the U.S. Department of Defense to recover the stolen assets.
Spoof Tokens and Flash Swaps Used to Drain Funds
The exploit targeted Cetus’ concentrated liquidity pools by manipulating internal pricing logic. The hacker used spoof tokens—fake or misleading assets—to inject minimal liquidity into trading pools. They then coordinated these deposits with flash swaps and timing-based manipulation to exploit the protocol’s pricing mechanism.
This led to a systemic accounting flaw that allowed the attacker to withdraw valuable tokens like SUI and USDC at severely skewed rates.
Although Cetus had passed recent security audits, the flaw went undetected; it stemmed from complex logic rather than standard code vulnerabilities.
Hacker Drains Millions, Ecosystem Plunges
The attacker initially stole $11 million from a single SUI/USDC pool, then expanded the breach to bridge over $60 million to Ethereum—converting much of it into ETH. As of the latest reports, their wallets still hold millions in ETH, SUI, and stablecoins.
The impact has been severe across the Sui ecosystem. CETUS dropped as much as 33%, while smaller tokens like AXOL, HIPPO, and SQUIRT collapsed. SUI itself saw a 15% drop. Trading volume surged as users rushed to exit.
Cetus has since paused smart contracts to contain the damage and assess next steps.