In a May 26 postmortem filled with equal parts damage control and digital drama, DeFi platform Cetus revealed how a sneaky smart contract vulnerability in an open-source library led to a massive exploit, with the hacker making off with millions before getting partially stopped in their tracks.

Flash Swaps, Fake Liquidity, and a Code Slip-Up

The attacker used a feature known as a flash swap, basically a “borrow now, repay instantly” kind of crypto magic trick, to manipulate pool prices. By adding bogus liquidity with a few tokens and withdrawing large amounts of real ones across multiple rounds, they drained several trading pools in broad daylight. The digital sleight of hand worked because of a pesky left-shift overflow bug in a third-party library, which failed to properly limit giant numerical values.

Cetus was quick to clear the air:

“This issue has nothing to do with the MAX_U64 bug flagged in past audits,” the team said. “The root cause was a faulty overflow check that basically let numbers run wild.”
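The left-shift overflow check the postmortem describes has to run before the shift, on the operand itself, because once high bits have been shifted out there is nothing left to inspect. The example below is an added illustration, not Cetus’s code or the third-party library’s; it assumes a 128-bit operand and constructs its own sample value, and it also shows why a standard-library `checked_shl` is not the guard one might expect.

```rust
/// Left shift that refuses to discard any set bit.
///
/// Returns None when `shift` is out of range or when the top `shift` bits of
/// `value` are non-zero, i.e. when `value << shift` would not fit in a u128.
/// The test happens BEFORE the shift; a check that looks at the result after
/// shifting cannot see the bits that were already dropped.
pub fn shl_no_loss(value: u128, shift: u32) -> Option<u128> {
    if shift >= u128::BITS {
        return None;
    }
    if shift == 0 {
        return Some(value);
    }
    // Everything at or above bit position (128 - shift) would be pushed out.
    if value >> (u128::BITS - shift) != 0 {
        return None;
    }
    Some(value << shift)
}

/// Reports whether Rust's `u128::checked_shl` accepts `value << shift` even
/// though high bits are lost. `checked_shl` only validates the shift amount,
/// not the magnitude of the operand, so the word "checked" in a function name
/// is not by itself a guarantee that a giant value was limited.
pub fn std_checked_shl_loses_bits(value: u128, shift: u32) -> bool {
    match value.checked_shl(shift) {
        Some(result) => (result >> shift) != value,
        None => false,
    }
}

fn main() {
    let giant: u128 = 1u128 << 100; // constructed sample operand
    println!("shl_no_loss(giant, 64) = {:?}", shl_no_loss(giant, 64));
    println!("std checked_shl silently loses bits: {}", std_checked_shl_loses_bits(giant, 64));
}
```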

Swift Moves, Big Losses, and a Surprising Offer

The Cetus team detected the suspicious activity within 10 minutes and hit the brakes, pausing trading and contacting Sui validators, who promptly froze the attacker’s wallets. Their quick action locked down about $162 million before it could vanish off the network, though some funds still managed to escape to Ethereum.

Meanwhile, CETUS, the platform’s token, tanked by 40%, and USDC briefly lost its dollar peg thanks to the chaos. Total value locked on the Sui network nosedived from $2.13 billion to $1.92 billion, not exactly the kind of dip anyone enjoys.

Cetus has promised a full contract re-audit, improved monitoring tools, and a user recovery plan. They’re also asking Sui validators to vote on-chain to support restitution efforts. And in the most eyebrow-raising twist of all, they’ve reached out to the hacker with a $6 million white hat bounty, basically saying: “Give the money back, keep the tip, and we’ll call it even.”


Some community members applauded the swift response. Others, however, raised red flags about the ability to freeze wallets, questioning how “decentralized” the network really is. Either way, it’s clear that in DeFi, drama moves as fast as the tokens.
