Cetus Protocol offers hacker $6M bounty after $223M exploit

digitalpetla8@gmail.com

Cetus Protocol, the largest decentralized exchange on the Sui blockchain, is offering a $6 million bounty to the hacker behind a massive $223 million exploit that occurred on May 22.

In a May 22 follow-up statement accompanied by an on-chain message, the Cetus team confirmed that they had identified the attacker’s Ethereum wallet and offered a “whitehat settlement” to recover user funds. The hacker is being asked to return 20,920 ETH and all frozen assets on Sui (SUI) in exchange for keeping 2,324 Ethereum (ETH), worth roughly $6 million, and immunity from legal action.

Cetus said this is a time-sensitive offer and that if the funds are off-ramped or mixed, the deal is off. The team is coordinating with law enforcement, cybercrime experts, the Sui Foundation, and regulators including FinCEN and the U.S. Department of Defense. Inca Digital, a cybersecurity firm, is leading the negotiation efforts.

https://twitter.com/cetusprotocol/status/1925653859143172608?s=46&t=nznXkss3debX8JIhNzHmzw

The breach exploited a vulnerability in Cetus’ pricing mechanism and affected its concentrated liquidity market maker pools. The attacker used spoof tokens, which are fake or low-value assets with manipulated metadata, to inject tiny amounts of liquidity into trading pools.

Because these pools’ internal accounting was distorted, the hacker was able to take out large amounts of valuable tokens, such as SUI and USD Coin (USDC), at incorrect exchange rates.

The attacker tricked the system into believing the pools were balanced by carefully timing these spoof token deposits with complex flash swaps and price manipulation. As a result, they were able to drain substantial real assets without supplying equivalent value.

Cetus had reportedly passed recent security audits prior to the hack. However, by exploiting internal pricing logic and economic assumptions rather than simple code errors, the attacker’s strategy evaded typical vulnerability scans.

After initially draining $11 million from an SUI/USDC pool, the attacker quickly escalated the attack. They bridged more than $60 million in stolen funds to Ethereum and bought over 21,900 ETH. They currently hold tens of millions of SUI, ETH, and stablecoins in their wallets.

The Sui ecosystem was severely damaged by the exploit. Smaller tokens like AXOL, HIPPO, and SQUIRT lost almost all of their value, while the SUI token dropped as much as 15%. CETUS, the token of Cetus, fell 20–33%. Trading volumes surged as users scrambled to withdraw funds.

Cetus has paused smart contracts following the hack and is working to secure its platform. The incident raises questions about the security of DeFi protocols on newer chains like Sui and Aptos (APT). Although these ecosystems offer innovation, analysts warn that vulnerabilities in complex DeFi logic remain a persistent risk.
