A major security breach has impacted the Sui blockchain ecosystem, with attackers siphoning off an estimated $200 million from liquidity pools on Cetus, the network's largest decentralized exchange.
The exploit has led to widespread losses across dozens of tokens on the Sui network, triggering concerns over the security of oracle-based price mechanisms on emerging Layer 1 platforms.
The attack triggered a steep sell-off across many Sui-based tokens. Meme coins including Lofi (LOFI), Sudeng (HIPPO), and Squirtle (SQUIRT) saw near-total value erosion, with losses between 76% and 97% in under an hour. Cetus's own token dropped by 53%. On-chain analytics from DEX Screener show that 46 Sui tokens posted double-digit losses in the 24-hour period following the incident.
Despite this sharp decline in token prices and the apparent vulnerability of key infrastructure, the native SUI token showed resilience, rising 2.2% in the same timeframe, possibly buoyed by dip-buying or broader market momentum.
According to blockchain security firm Cyvers, the attackers executed a sophisticated oracle manipulation strategy. Exploiting flaws in Cetus’s smart contracts, they introduced spoof tokens designed to misrepresent liquidity pool reserves and distort price feeds.
"The exploit relied on spoof tokens that created misleading pricing data within the DEX's automated market maker (AMM) pools," said Deddy Lavid, CEO of Cyvers. "This manipulation allowed attackers to extract legitimate assets like SUI and USDC from multiple liquidity pools."
The incident highlights a well-known risk in decentralized finance (DeFi): the reliance on on-chain oracles to provide pricing data. In this case, the attacker was able to manipulate internal price curves without relying on traditional price feed oracles like Chainlink, suggesting a deeper architectural vulnerability.
Cross-Chain Movement: Laundering the Proceeds
Post-exploit, the attacker began moving the stolen funds. Blockchain data reveals that approximately $61.5 million in USDC was quickly bridged to Ethereum. A further $164 million remains held in a Sui-based wallet. As of publication, no assets have been recovered, and on-chain sleuths continue to monitor the movement of funds.
The conversion of the stolen assets to USDC underscores the ongoing importance of stablecoins in laundering operations. It also reignites longstanding criticism against stablecoin issuers like Circle and Tether for their often sluggish response times in freezing illicitly obtained funds.
Stablecoin Issuers Under Fire
Industry watchdogs, including ZachXBT and Cyvers, have raised concerns over the slow pace of response by USDC issuer Circle. In February, Circle took over five hours to freeze funds linked to the Bybit exploit, a delay that experts believe provided critical escape time for attackers. Tether has faced similar scrutiny over perceived delays in freezing malicious accounts.
"We've issued real-time alerts in numerous hacks, including this one, yet responses from issuers often come too late," said Lavid. "This lag creates exploitable gaps that render post-mortem interventions meaningless."
The growing criticism is driving new conversations around decentralized alternatives to stablecoins and the need for automated freezing mechanisms that could reduce human latency in emergencies.
Protocol Response and Investigation
Cetus moved swiftly to pause its smart contracts after detecting the attack. The protocol publicly acknowledged the "incident" via social media and announced that its internal teams were conducting a forensic investigation.
Internal messages leaked from Cetus’s Discord suggest that the root of the exploit may have been a bug in its oracle logic. However, observers on social media expressed skepticism, noting that vulnerabilities in AMM logic and liquidity pool architecture can often masquerade as oracle issues.
"This wasn’t a price oracle bug in the traditional sense," said one DeFi developer who requested anonymity. "It’s a systemic issue with how some DEXs calculate internal token prices in thinly traded pools."
Implications for Sui’s Broader Ecosystem
Sui, a Layer 1 blockchain developed by ex-Meta engineers, has positioned itself as a high-performance alternative to Ethereum. It launched with significant fanfare and has gained traction among developers for its Move programming language and parallel transaction execution model.
However, this exploit now raises questions about the maturity of its DeFi stack. While Sui’s base protocol was not compromised, the attack underscores how vulnerabilities in critical applications like DEXs can pose systemic risks to newer chains.
The fact that token prices fell so sharply also suggests limited liquidity and high retail exposure, hallmarks of immature ecosystems. Recovery could depend on how quickly Cetus and other ecosystem participants can restore confidence and liquidity.
Community and Industry Reaction
Former Binance CEO Changpeng Zhao (CZ) acknowledged the exploit on social media, saying that his team was "doing what they can to help Sui." Though the comment lacked detail, it suggests Binance may be assisting with monitoring or recovery efforts.
Broader industry reaction has focused on the dangers of unchecked growth in DeFi protocols without corresponding investment in security. Analysts note that the rush to attract liquidity and user volume often leads to deployment of unaudited or lightly audited smart contracts.
"This isn’t unique to Sui or Cetus," said one industry executive. "It's a recurring pattern across every Layer 1 and DeFi wave - innovation moves faster than security, and users pay the price."
Regulatory and Long-Term Consequences
The exploit is likely to reignite regulatory scrutiny around cross-chain bridges, DeFi protocols, and stablecoin operations. As regulatory bodies globally continue drafting new frameworks for crypto, high-profile incidents such as this one provide justification for tighter oversight.
It also revives questions about insurance and user protections in DeFi. With no clear recourse for users impacted by the exploit, pressure may mount on protocols to adopt on-chain insurance mechanisms or contribute to decentralized recovery funds.
Some analysts argue that such incidents could accelerate the shift toward appchains and more vertically integrated DeFi ecosystems, where security and oracle infrastructure are more tightly controlled.
A Familiar Pattern in DeFi
Oracle manipulation remains one of the most persistent attack vectors in DeFi. Similar exploits have been used to drain millions from protocols on Ethereum, BNB Chain, Avalanche, and Solana. The method varies, but the principle remains the same: manipulate price discovery mechanisms to extract value.
This exploit underscores the need for more robust oracle systems, including hybrid models that incorporate both on-chain and off-chain data, rate-limiting mechanisms to prevent manipulation, and broader adoption of circuit breakers that can pause operations when price anomalies are detected.
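As an added illustration of the circuit-breaker and rate-limiting ideas above (a simplified Python model written for this article, not Cetus's or Sui's code), the sketch below guards a constant-product pool with a slow-moving reference price and a per-window outflow cap. The class name, thresholds and pool sizes are assumptions chosen for the example.

```python
"""Constructed model: constant-product pool with a price-deviation circuit
breaker and a per-window outflow cap. All names and thresholds are assumptions."""
from dataclasses import dataclass, field


@dataclass
class GuardedPool:
    reserve_x: float                 # token being sold into the pool
    reserve_y: float                 # asset being withdrawn (e.g. a stablecoin)
    max_deviation: float = 0.10      # assumed: trip if price moves >10% from reference
    max_outflow_frac: float = 0.05   # assumed: at most 5% of reserve_y may leave per window
    ema_alpha: float = 0.2           # smoothing factor for the reference price
    paused: bool = False
    pause_reason: str = ""
    ref_price: float = field(init=False)
    window_budget: float = field(init=False)

    def __post_init__(self):
        self.ref_price = self.reserve_y / self.reserve_x
        self.new_window()

    def new_window(self):
        """Start a new rate-limit window (for example, once per epoch)."""
        self.window_budget = self.max_outflow_frac * self.reserve_y

    def _trip(self, reason):
        # Pause without paying out; the rejected trade leaves reserves untouched.
        self.paused, self.pause_reason = True, reason
        return 0.0

    def swap_x_for_y(self, dx):
        """Sell dx of X into the pool; returns Y paid out, or 0.0 if rejected."""
        if self.paused or dx <= 0:
            return 0.0
        k = self.reserve_x * self.reserve_y
        new_x = self.reserve_x + dx
        new_y = k / new_x
        dy = self.reserve_y - new_y
        new_price = new_y / new_x
        if abs(new_price - self.ref_price) / self.ref_price > self.max_deviation:
            return self._trip("price deviation")
        if dy > self.window_budget:
            return self._trip("outflow cap")
        self.reserve_x, self.reserve_y = new_x, new_y
        self.window_budget -= dy
        # The reference moves slowly, so one trade cannot drag it to the spot price.
        self.ref_price += self.ema_alpha * (new_price - self.ref_price)
        return dy
```

On a transactional chain, a swap that aborts also rolls back any pause flag it set, so the pause has to be recorded by a call that completes, which is why the model returns 0.0 instead of raising.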
Final Thoughts
For Sui, the coming weeks will be critical. How Cetus and other major ecosystem players respond will likely determine whether developer and user confidence can be rebuilt. If liquidity remains low and major projects pause development, the chain risks losing momentum just as competition intensifies from other Layer 1s.
Meanwhile, the broader DeFi community is again reminded that permissionless systems demand not only innovation but also discipline - especially when it comes to smart contract design, oracle security, and incident response coordination.
The Sui attack may not be the last oracle-related exploit of 2025. But if the industry is serious about scaling securely, it must stop treating security as an afterthought and start embedding it as a core design principle from the beginning.