The decentralized exchange Cetus Protocol announced that hackers have stolen $223 million in cryptocurrency and is offering a deal to stop all legal action if the funds are returned.
The project also announced a $5 million bounty to anyone providing relevant information leading to the identification and arrest of the attacker.
Cetus Protocol is a decentralized exchange (DEX) and liquidity protocol operating on the Sui and Aptos blockchains.
It employs a Concentrated Liquidity Market Maker (CLMM) model, allowing liquidity providers to allocate assets within specific price ranges, enhancing capital efficiency and enabling advanced trading strategies.
Cetus Protocol boasts a total trading volume of $57 billion (as of May 2025), with over 15 million accounts executing 144 million trades on the platform.
The incident occurred yesterday, initially prompting Cetus Protocol to pause its smart contract for investigations.
A few hours later, the project confirmed the theft and that “$162M of the compromised funds have been successfully paused.”
.png)
In a later statement, Cetus Protocol announced that the hacker had exploited a vulnerable package but no details have been disclosed.
“We identified the root cause of the exploit and, fixed the related package, and informed ecosystem builders as fast as we could with help from ecosystem members to prevent other teams being affected,” stated Cetus Protocol.
Additionally, the platform noted that it has identified the attacker’s Ethereum wallet address and accounts, and is working with third parties to trace and freeze funds. Law enforcement has also been informed.
Cetus Protocol also offered the hacker “a time-sensitive whitehat settlement,” promising not to pursue legal action if the funds are returned. To put more pressure on the attacker, the project announced a $5 million bounty for information leading to the identification and the arrest of the hacker.
Meanwhile, a significant $162 million was paused on the Sui blockchain following an emergency vote by the validators.
Blockchain analytics company Elliptic published a report based on its visibility of the incident, pointing to a flaw in the automated market maker (AMM) logic, possibly involving pool price manipulation enabling flash loan-style attacks.
The blockchain intelligence firm also offers an overview of the attacker’s fund movement attempts, including swaps from USDT to USDC and cross-chain movement from Suit to Ethereum.
Source: Elliptic
Elliptic is actively tracing the transactions from the initial exploit on Sui to the attacker’s wallets on Ethereum, and the hacker’s address is flagged on all major exchanges and virtual asset service providers, preventing laundering or transfer attempts.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
