Cetus Hack Triggers $223M Loss, $6M Bounty Offered for Whitehat Return


Sui-based decentralized exchange Cetus Protocol is offering a $6 million reward to the perpetrator of a $223 million exploit, provided the hacker returns the bulk of the stolen assets.

The attack, which took place on May 22, drained liquidity pools by abusing a pricing mechanism vulnerability. The hacker used spoof tokens to manipulate pool values and conducted strategic flash swaps to deceive Cetus’ internal accounting system.

Cetus is offering the attacker a whitehat settlement: return over 20,000 ETH and all compromised Sui assets and keep 2,324 ETH (~$6 million) as a bounty. The offer includes a promise of legal immunity, but it is void if the funds are mixed or withdrawn via off-ramps.

The protocol confirmed it has identified the attacker’s Ethereum wallet and is coordinating with cybercrime experts, the Sui Foundation, Inca Digital, FinCEN, and the U.S. Department of Defense.

DeFi on Sui Faces Security Reckoning

Rather than relying on a traditional code-level vulnerability, the exploit targeted deeper economic logic, which let it evade standard audit detection. Cetus had passed security reviews shortly before the attack.

The initial strike extracted $11 million from an SUI/USDC pool. The attacker then escalated, bridging over $60 million to Ethereum, where they acquired 21,900 ETH. Additional assets remain locked across both Ethereum and Sui.

Market Chaos and Fallout

Following the attack, SUI plunged 15%, while CETUS dropped up to 33%. Other tokens like HIPPO, SQUIRT, and AXOL lost nearly all their value. Market activity spiked as users fled liquidity pools.

Cetus has since halted all smart contract activity and is working to patch vulnerabilities. The exploit has prompted renewed debate about the security risks of deploying advanced DeFi systems on newer blockchains like Sui and Aptos.

Analysts say this case underscores the urgent need for deeper stress testing and new approaches to DeFi security in rapidly evolving ecosystems.
