The Cetus Protocol, a decentralized exchange (DEX) built on the Sui blockchain, experienced a critical security breach on May 22. On-chain data confirmed the unauthorized drain of more than $260 million in digital assets from its liquidity pools. Still, after the first reports of a system error, many blockchain analysts linked the attack to using fake tokens and changing the price of cryptocurrencies.
Unusual On-Chain Activity Detected Before Breach Confirmation
Transaction data from on-chain tools showed a sudden big jump, before the exploit was publicly confirmed. On Monday, Cetus had over $2.9 billion in trades, compared with $320 million the day before. At the same time, the 800% surge happened as the platform began seeing much of its assets taken away. Lookonchain pointed out that 0xe28b50 was the primary wallet, with 12.9 million SUI valued at about $54 million.
Preliminary analysis indicated that the attacker used spoof tokens such as BULLA to exploit broken price curves and pool reserves. The attacker added minimal liquidity and then manipulated internal liquidity provider states to withdraw real assets like SUI and USDC. Extractor, a tool by cybersecurity firm Hacken, tracked at least $63 million bridged to Ethereum, including 20,000 ETH sent to a new wallet.
Seems like all @CetusProtocol LP were drained
Looking into tx, the likely exploit path was:
1. Swap in spoof token (e.g. BULLA → SUI), taking advantage of miscalculated price curve or broken reserve math.2. Add liquidity with a near-zero amount, to manipulate internal LP… pic.twitter.com/FtpYRSpwWW
— sashko🇺🇦 (@d0rsky) May 22, 2025
Cetus Team Pauses Contracts and Begins Internal Investigation
After detecting abnormal behavior, Cetus halted its smart contracts to prevent further losses. The team cited an incident within its liquidity infrastructure and is investigating the breach. Discord messages from team members claimed an oracle malfunction, but blockchain analysis showed that spoof tokens were used to alter the price curves and internal reserves.
After the breach, the cryptos AXOL and LBTC along with others on Cetus lost more than 75% of their worth. A huge difference in the token price resulted because the liquidity pool of the protocol was emptied. At the same time, the SUI token went up 3.15% and was trading at $4, while its 24-hour trade volume increased by 112% to a total of nearly $2.5 billion.
Knock-On Effects Across the Sui Ecosystem
The exploit affected more than Cetus. Sui-based money market Scallop, halted all borrowing functions, citing protocol risk. Onchain Lens reported that the attacker gained control over SUI-denominated pools and began moving USDC shortly after. Binance’s team has contacted Sui to offer assistance in ongoing recovery efforts.
As of writing, Cetus smart contracts remain paused, and most trading pairs display no liquidity data. The Cetus team has promised to publish a full statement after concluding its investigation. The wallet connected to the exploit continues to move assets, adding pressure to Sui’s DeFi infrastructure.
According to CoinMarketCap, Cetus Protocol’s price dropped by 21.61% in 24 hours after the breach, moving from $0.26 to $0.16. At the same time, the market capitalization of the project decreased by 21.60% to $118.27 million.
Source: https://www.cryptonewsz.com/cetus-protocol-drained-of-260-million-in-major-2/