On May 22, 2025, the Sui blockchain experienced a significant security breach when its largest decentralized exchange (DEX), Cetus Protocol, was exploited, resulting in the loss of over $220 million in digital assets.
The attackers introduced spoofed tokens named BULLA and MOJO and used them to distort the pool-derived prices that Cetus relied on. Combined with flawed reserve calculations in the protocol's price curves, this let them drain real assets from liquidity pools across the platform.

Too Big to Fail

Cetus Protocol is a decentralized exchange built on the Sui and Aptos blockchains. It uses a Concentrated Liquidity Market Maker (CLMM) model, which lets liquidity providers allocate capital within specific price ranges rather than across the whole price curve. This design improves capital efficiency and enables more precise trading strategies.

Within the Sui ecosystem, Cetus served as the largest and most active DEX, facilitating a substantial share of all DeFi transactions. It supported hundreds of token pairs and acted as the primary liquidity venue for both native and third-party projects. As a result, a significant portion of Sui’s Total Value Locked (TVL)—over $200 million before the exploit—was concentrated within Cetus.

This dominance made Cetus a critical piece of infrastructure for the Sui network. Its liquidity pools and price references directly influenced market dynamics across the ecosystem, so the exploit had widespread effects. The native CETUS token fell by around 40%, while other Sui-based tokens such as LOFI and HIPPO lost more than 50%. TVL in Cetus dropped from over $200 million to about $75 million. The SUI token itself fell by 4.2% before rebounding by 15% within hours, a swift but volatile market response.

Spoof Token Attacks

Spoof token attacks exploit the trust that DeFi protocols place in on-chain token data. The attacker deploys a token that mimics a real asset or carries deceptive contract logic, then seeds a liquidity pool with it. Because many protocols derive prices from the state of their own pools, the attacker can move that price at will: a few wash trades or a one-sided liquidity injection into a thin pool makes the worthless token appear valuable. The protocol then accepts swaps or loans against the spoof token at the inflated price, and the attacker walks away with real assets.

In the Cetus case, the BULLA and MOJO tokens were inserted into liquidity pools and used to distort Cetus's internal pricing. Nothing in the pricing path distinguished an attacker-controlled, thinly backed token from a genuine asset; the pool state was trusted as a price source, and that trust is what the attackers exploited.

Stricter controls like token whitelisting and verified liquidity pools could have prevented this. Such measures come with trade-offs, though: they erode the permissionless, open nature of DeFi by introducing centralized gatekeeping. Similarly, pricing every token through an external oracle such as Chainlink would limit support to pre-approved assets, centralizing control and potentially excluding early-stage or experimental projects.
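To make the mechanism and the trade-off concrete, here is a small simulation added for this article; it is not Cetus, Sui or any project's code. It models a constant-product pool quoted in SUI, a lender that values collateral at that pool's spot price, and the spoof-token attack described above: mint a worthless token, seed a thin pool, pump it, borrow against the inflated holding. The token name BULLA is taken from the incident; every amount, the 50% loan-to-value ratio, the allowlist and the depth threshold are constructed assumptions. The same block also exercises two mitigations: a time-weighted average price on its own, and an allowlist plus a minimum depth of real assets, which is the "verified pool" control weighed above.

```python
"""Spoof-token oracle manipulation against a pool-priced lending protocol.

Added illustration, not Cetus, Sui or any real project's code. The pool is a
plain constant-product AMM with integer reserves; the token name, amounts,
LTV, allowlist and depth threshold are all constructed for the example.
"""
from dataclasses import dataclass, field
from fractions import Fraction

LTV = Fraction(1, 2)  # assumed: the lender advances 50% of assessed value


@dataclass
class Pool:
    token: str          # the asset being priced
    reserve_token: int  # units of that asset in the pool
    reserve_sui: int    # units of the real quote asset (SUI) in the pool
    price_history: list = field(default_factory=list)

    def spot(self) -> Fraction:
        """Instantaneous pool price in SUI per token: the 'internal oracle'."""
        return Fraction(self.reserve_sui, self.reserve_token)

    def swap_sui_for_token(self, sui_in: int) -> int:
        """x*y=k swap with integer floor, as real AMMs do; returns tokens out."""
        token_out = self.reserve_token * sui_in // (self.reserve_sui + sui_in)
        self.reserve_sui += sui_in
        self.reserve_token -= token_out
        return token_out

    def end_block(self) -> None:
        """Record the closing price so a TWAP can read it later."""
        self.price_history.append(self.spot())

    def twap(self, window: int) -> Fraction:
        """Arithmetic mean of the last `window` closing prices."""
        obs = self.price_history[-window:]
        if len(obs) < window:
            raise ValueError("not enough observations for TWAP")
        return sum(obs, Fraction(0)) / len(obs)


def max_borrow_spot(pool: Pool, collateral: int) -> int:
    """Vulnerable: any pool that exists is trusted, at its current spot price."""
    return int(collateral * pool.spot() * LTV)


def max_borrow_twap(pool: Pool, collateral: int, window: int) -> int:
    """Partial fix: time-weighted price. Still trusts any pool."""
    return int(collateral * pool.twap(window) * LTV)


def max_borrow_hardened(pool: Pool, collateral: int, allowlist: set,
                        min_sui_depth: int, window: int) -> int:
    """Hardened: approved assets only, real depth required, TWAP price."""
    if pool.token not in allowlist:
        raise ValueError(f"{pool.token} is not an approved collateral asset")
    if pool.reserve_sui < min_sui_depth:
        raise ValueError(f"{pool.token} pool holds only {pool.reserve_sui} SUI")
    return int(collateral * pool.twap(window) * LTV)


def run_spoof_attack() -> dict:
    """Play the attack against all three valuation paths and report results."""
    # 1. Attacker mints a worthless token and seeds a pool with 1,000 SUI,
    #    keeping the other half of the supply (constructed amounts).
    minted = 2_000_000_000
    pool = Pool("BULLA", reserve_token=1_000_000_000, reserve_sui=1_000)
    held = minted - pool.reserve_token
    for _ in range(10):          # ten quiet blocks at the honest price
        pool.end_block()
    honest = max_borrow_spot(pool, held)   # what the holding is really worth

    # 2. Pump: buy into the thin pool. Most of the supply comes straight back
    #    to the attacker, but the spot price is now ~10,000x higher.
    pump = 100_000
    held += pool.swap_sui_for_token(pump)
    pool.end_block()
    sui_spent = 1_000 + pump

    # 3. Post the inflated holding as collateral and borrow real SUI.
    results = {
        "sui_spent": sui_spent,
        "honest_value": honest,
        "borrowed_spot": max_borrow_spot(pool, held),
        "borrowed_twap": max_borrow_twap(pool, held, window=11),
    }
    try:
        max_borrow_hardened(pool, held, {"USDC", "WETH"},
                            min_sui_depth=1_000_000, window=11)
        results["hardened"] = "accepted"
    except ValueError as exc:
        results["hardened"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in run_spoof_attack().items():
        print(f"{key:>14}: {value}")
```

Run it and the spot-priced lender advances roughly 100 SUI for every SUI the attacker put in, against a holding honestly worth about 500 SUI of credit. The TWAP path only blunts the attack: the attacker owns the entire BULLA supply, so nobody sells into the pumped price, and keeping it there for the whole averaging window costs nothing beyond the original pump. Only the allowlist and depth check refuse the position outright, and that refusal is exactly the gatekeeping trade-off weighed above.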

Recovery and Centralization Concerns

Similar centralization risks emerged during the recovery efforts. In response to the exploit, Sui network validators froze approximately $160 million of the stolen funds. The Cetus team, in collaboration with the Sui Foundation, is actively working to recover and return these assets to affected users. While well-intentioned, this intervention has raised concerns about decentralization—particularly the fact that validators were able to freeze assets at all.

If a group of validators can coordinate to freeze funds, it raises the question: why not simply use cost-effective centralized servers?

This kind of response to attacks is not unique. Other protocols have demonstrated similar centralization risks:

  • Solana has experienced multiple network outages in which validators paused and restarted the network through off-chain coordination—often via Discord. These actions, while effective, highlight that Solana’s validator set can act quickly, but also centrally, prompting criticism over the network’s actual level of decentralization.
  • In October 2022, Binance Smart Chain (BSC) paused its network in response to a $570 million bridge exploit. The 21 validators coordinated to halt activity and limit further losses—effectively proving that a small group could shut down a so-called decentralized blockchain.
  • Layer 2 chains have also stopped their sequencers when decentralized applications (dApps) lost significant funds. Notable examples include the Linea and Scroll incidents, where operations were halted after losses of $6–7 million.
  • The most iconic case remains the Ethereum DAO hack of 2016. In its aftermath, the Ethereum community voted to roll back the chain, undoing the exploit and resulting in a split between Ethereum and Ethereum Classic. This decision prioritized user protection but sacrificed immutability, showing that even leading protocols may choose governance intervention over decentralization when the stakes are high.

The Sui blockchain has suffered not only financial damage but also a reputational blow. Given its promising start and positioning in the broader DLT space, this is a setback for the industry as a whole. Blockchain technology champions decentralization and immutability, but incidents like these suggest that unless protocols achieve significant scale and resilience, true decentralization remains an ideal rather than a reality.
