• A math library bug on Cetus DEX enabled an exploit worth over $220 million.
• Sui has committed $10 million for audits and a bug bounty program to bolster ecosystem security.
• Despite multiple audits, the flaw went undetected, reigniting debate over the limits of smart contract auditing.

The Sui blockchain is under fire after a catastrophic exploit drained over $220 million from Cetus, a decentralized exchange (DEX) built on the network; a large share of the stolen funds has since been frozen on-chain. In response, Sui has committed $10 million to security upgrades, including subsidized audits and a bug bounty program, in an effort to restore trust in the ecosystem.

In a post on Monday, Sui said the vulnerability stemmed from “a bug in a Cetus math library”, an oversight that slipped past several rounds of auditing. According to blockchain security firm Dedaub, the attacker triggered the bug by configuring a liquidity pool with an “extremely high value”, which let them mint large liquidity positions while supplying just one unit of input; those positions were then used to drain multiple token pools worth hundreds of millions of dollars.
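The paragraph above describes the shape of the failure but not the code. The block below is an added illustration of that bug class, written for this article; it is not Cetus's library, nor code from Sui or Dedaub, and the article does not show the real function. It assumes a Q64.64 fixed-point layout, a simplified "shift the liquidity, then divide by a price term" cost formula, and a specific overflow guard that is 32 bits too loose; all of those, and the function names, are assumptions chosen to make the mechanism visible. The point it demonstrates is how an operand that is deliberately set to an "extremely high value" can slip past a weak overflow check, wrap in the shift, and make the pool charge one unit for an enormous liquidity position, while a correct guard rejects the same input.

```rust
// Added illustration of an overflow-guard bug in fixed-point AMM math.
// Not Cetus's code: names, the Q64.64 layout, the cost formula and the
// loose bound are assumptions made for this example.

/// Number of fractional bits in the fixed-point representation (assumed Q64.64).
const FRACTION_BITS: u32 = 64;

/// Left-shift `n` by FRACTION_BITS with a *flawed* overflow guard: the bound is
/// 32 bits too loose, so values in [2^64, 2^96) pass the check and then lose
/// their high bits in the shift.
fn shl_fixed_buggy(n: u128) -> Option<u128> {
    let bound = u128::MAX >> (FRACTION_BITS / 2); // wrong: should shift by FRACTION_BITS
    if n > bound {
        return None;
    }
    Some(n << FRACTION_BITS) // silently drops bits above 2^128 when n >= 2^64
}

/// Same operation with a correct guard: a left shift by k bits overflows u128
/// exactly when any of the top k bits of `n` are set.
fn shl_fixed_checked(n: u128) -> Option<u128> {
    if n >> (u128::BITS - FRACTION_BITS) != 0 {
        return None;
    }
    Some(n << FRACTION_BITS)
}

/// Ceiling division, so the pool never rounds in the depositor's favour.
fn div_ceil(numerator: u128, denom: u128) -> u128 {
    numerator / denom + u128::from(numerator % denom != 0)
}

/// Simplified cost of adding `liquidity` over a price interval:
/// (liquidity << 64) divided by a Q64.64 price term `denom`. The real AMM
/// formula has more terms; only the scale-then-divide shape matters here.
fn amount_for_liquidity(
    liquidity: u128,
    denom: u128,
    shl: fn(u128) -> Option<u128>,
) -> Option<u128> {
    let numerator = shl(liquidity)?;
    Some(div_ceil(numerator, denom))
}

/// Attacker's chosen liquidity: 2^64 + 1. Under the flawed guard the shifted
/// value wraps from 2^128 + 2^64 down to 2^64, so the cost collapses to 1 unit.
fn attacker_liquidity() -> u128 {
    (1u128 << 64) + 1
}

fn main() {
    let denom = 1u128 << 64; // price term of exactly 1.0 in Q64.64
    let l = attacker_liquidity();
    println!("buggy   cost for {l} liquidity: {:?}", amount_for_liquidity(l, denom, shl_fixed_buggy));
    println!("checked cost for {l} liquidity: {:?}", amount_for_liquidity(l, denom, shl_fixed_checked));
    println!("honest  cost for 1000 liquidity: {:?}", amount_for_liquidity(1000, denom, shl_fixed_checked));
}
```

For an honest deposit both guards agree, which is why a bug like this survives ordinary testing: only an operand in the window the loose bound fails to cover reveals the difference. The practitioner's check is to test every "checked" arithmetic helper at the exact boundary (2^(128-k) for a k-bit shift), not just at small and at maximal values.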

Cetus confirmed that roughly $162 million remains frozen in two Sui wallets. The rest, however, has already been converted into ETH by the attacker. Despite multiple public and private efforts to reach the hacker, no communication has been established so far.

“Cetus has been among the DeFi teams on Sui that invested the most in smart contract audits and system safeguards,” the DEX said in a public statement.
“Unfortunately, reality does not always unfold as we wish. In hindsight, we realize we allowed ourselves to relax our vigilance. This painful lesson has shown us: we must do more.”

Sui’s $10 million commitment will fund a chain-wide bug bounty program and provide subsidized audits for ecosystem projects. The goal is to help teams operating on Sui catch vulnerabilities earlier, especially in shared or widely used open-source libraries.

The situation has renewed broader concerns about the effectiveness of security audits in crypto.

“Security audits are inherently imperfect,” wrote Orlando, CCO at BlockSec. “In 2023, the entire crypto market spent $1 billion on security audits, yet $2 billion in assets were still stolen.”

Nor is this the first security scare of the year: earlier this year the game Cardex, built on Abstract, suffered a roughly $500,000 exploit attributed to poor contract design.

While permissionless blockchains like Sui aim to democratize development and access to financial tools, they also carry reputational risk when ecosystem apps fall short on security. As the Cetus exploit shows, even a well-audited project can leave hundreds of millions of dollars exposed to a single bug in a shared math library.


Edited by Harshajit Sarmah