Cetus Protocol, a major DeFi platform on the SUI blockchain, has been hit by one of the largest crypto hacks of 2025. On May 22, attackers exploited a smart contract vulnerability to steal around $223 million in digital assets.
The problem began in an open-source library used by Cetus. Hackers manipulated the pool pricing and liquidity mechanisms. This let them drain funds multiple times before the team could stop it. By the time Cetus paused the smart contract, the damage was done.
According to Cetus, the exploit involved changing the pool’s “tick” and liquidity settings. This gave the attackers full control over price calculations. Using that control, they drained token reserves in several waves.
Once they had the tokens, the hackers acted fast. They swapped USDT for USDC, then bridged the funds to the Ethereum blockchain. There, they converted them into ETH. Blockchain analysis firm Elliptic confirmed these steps.
Cetus traced the stolen assets to two wallet addresses on the SUI blockchain and two on Ethereum. Fortunately, the team froze about $162 million of the stolen funds before they could be moved further.
Still, a large amount remains missing.
In response, Cetus has offered the hackers a deal. If they return most of the funds, they can keep $6 million as a whitehat bounty. It’s a last-ditch effort to recover the remaining assets.
The protocol is now working with the Sui Foundation and other partners. Together, they’re building a plan to recover the rest and support affected users.
There’s some good news too. Cetus announced it will fully reimburse users—even before all stolen funds are recovered. It plans to use its own treasury along with a loan from the Sui Foundation.
“We now have the resources to cover everything,” Cetus posted on X. “If our recovery plan is approved, we’ll make every user whole.”
The crypto community is watching closely. This hack is second only to the Bybit breach earlier this year. It’s a clear warning for DeFi projects: even small flaws in smart contracts can lead to huge losses.
For now, Cetus is focused on fixing the damage. But the bigger question remains—can DeFi truly be safe without stronger checks on the code that powers it?
