Cetus Protocol Oracle Exploit

Sui’s Cetus Protocol just got wrecked by hackers who pulled off a $223 million heist using fake tokens and manipulated price oracles. The attackers created spoof tokens like “BULLA,” added minimal liquidity, then exploited flawed smart contract logic to drain massive funds without proper backing. Cetus suspended operations and offered a $6 million bounty for fund recovery. The exploit left $162 million frozen and sent Sui-based memecoins plummeting over 90%. The full breakdown reveals just how creative these attackers got.

While DeFi promised a world of decentralized financial freedom, Sui’s blockchain just got a brutal reality check. Cetus Protocol, the largest decentralized exchange on Sui, imploded spectacularly after attackers walked away with roughly $223 million in tokens. So much for that “trustless” ecosystem.

The attackers didn’t need some elaborate Hollywood heist. They simply introduced fake tokens—including one hilariously named BULLA—into Cetus’s liquidity pools. These spoof tokens manipulated the DEX’s price oracles like a rigged casino game. The attackers added almost zero liquidity using their phantom tokens, which completely distorted how the pools calculated prices and reserves.

The attackers weaponized worthless tokens to fool Cetus’s price oracles, turning the DEX into their personal ATM.

Here’s where things get embarrassing for Cetus. The flawed smart contract logic allowed massive withdrawals of real assets like SUI and USDC without requiring proper backing deposits. The attackers just kept pulling out legitimate tokens while the manipulated pools thought everything was fine. Classic garbage in, garbage out scenario.

The financial carnage speaks for itself. Around $162 million of the stolen funds have been frozen, but that still leaves plenty unaccounted for. The attacker’s wallet is sitting pretty with over 12 million SUI tokens worth about $54 million. On-chain data shows their total holdings exceed 32.9 million SUI—roughly $137 million—suggesting they’re already trying to shuffle the money around.

Cetus Protocol hit the panic button immediately, suspending their smart contracts and launching an investigation with the Sui Foundation. They’ve been posting updates on X, probably hoping to convince everyone this won’t happen again. In a desperate move, they’ve offered a $6 million bounty to the attacker for returning the stolen funds, complete with promises of legal immunity.

The incident exposes glaring weaknesses in Cetus’s oracle mechanisms and liquidity verification systems. Apparently, nobody thought to add proper safeguards against spoof token manipulation.
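
The kind of safeguard described as missing above can be sketched as a pre-check that runs before any pool price is trusted. This is an added example, not Cetus's code: it uses a simplified reserve-ratio pool model in Python, and the allowlist, thresholds, reference price and pool values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

# Assumed policy values for illustration only.
ALLOWLIST = {"SUI", "USDC"}        # tokens vetted for price feeds
MIN_QUOTE_DEPTH = 100_000          # minimum quote-side reserve to trust a pool
MAX_DEVIATION = Fraction(5, 100)   # tolerated gap from an independent reference

@dataclass
class Pool:
    base: str
    quote: str
    base_reserve: int
    quote_reserve: int

    def spot_price(self) -> Fraction:
        """Reserve-ratio price, in quote units per base unit."""
        return Fraction(self.quote_reserve, self.base_reserve)

def price_is_trustworthy(pool, reference_price):
    """Return (ok, reason) for using this pool's price in accounting."""
    # A spoof token is rejected before its reserves are even looked at.
    if pool.base not in ALLOWLIST or pool.quote not in ALLOWLIST:
        return False, "unlisted token"
    # Near-zero liquidity lets a tiny deposit set any price it likes.
    if pool.base_reserve <= 0 or pool.quote_reserve < MIN_QUOTE_DEPTH:
        return False, "insufficient liquidity"
    # Even a deep pool is cross-checked against an independent source.
    deviation = abs(pool.spot_price() - reference_price) / reference_price
    if deviation > MAX_DEVIATION:
        return False, "deviates from reference price"
    return True, "ok"

# Constructed sample pools (not on-chain data).
REFERENCE = Fraction(9, 2)  # assumed SUI/USDC reference price
SPOOF = Pool("BULLA", "USDC", 10, 10)
THIN = Pool("SUI", "USDC", 2, 100)
SKEWED = Pool("SUI", "USDC", 1_000_000, 9_000_000)
HEALTHY = Pool("SUI", "USDC", 1_000_000, 4_500_000)

if __name__ == "__main__":
    for name, pool in [("spoof", SPOOF), ("thin", THIN),
                       ("skewed", SKEWED), ("healthy", HEALTHY)]:
        print(name, price_is_trustworthy(pool, REFERENCE))
```

Only the deep, allowlisted pool whose price agrees with the reference passes; the other three are rejected at the first check they fail.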

This disaster doesn’t just hurt Cetus—it nukes confidence in Sui’s entire DeFi ecosystem. Users are learning the hard way that “decentralized” doesn’t automatically mean “secure.” The exploit reveals fundamental gaps in smart contract design and highlights how vulnerable these protocols remain to creative attackers. Meanwhile, Sui-based memecoins crashed over 90% as panic spread across the network.

The Sui blockchain’s reputation just took a $223 million hit, and trust isn’t easily rebuilt in crypto.
