
$223 Million Stolen in Cetus Protocol Hack

Hackers exploited a vulnerability in Cetus Protocol, a liquidity provider on the SUI blockchain.

A vulnerability in the smart contract for liquidity pools allowed hackers to steal roughly $223 million in virtual assets from cryptocurrency exchange Cetus Protocol.

The incident occurred on May 22 and led to Cetus immediately pausing its smart contract, but not before the hackers were able to siphon both native SUI tokens and other tokens.

The attackers exploited a vulnerability in an open source library used in the liquidity provider’s smart contract, manipulated pool prices, and proceeded to drain token reserves, repeating the process several times, Cetus explains in a post-mortem report.

“By manipulating the pool’s tick and liquidity mechanisms, the attacker successfully drained a significant portion of assets across multiple iterations of the exploit,” it notes.

The hackers first swapped USDT to USDC, two stablecoins issued by Tether and Circle, respectively, then bridged to the Ethereum blockchain and converted the funds to the native asset, blockchain analytics firm Elliptic says.

Cetus identified two SUI wallet addresses controlled by the attackers, as well as two Ethereum wallets storing portions of the stolen funds after they were converted.

The hackers stole approximately $223 million, but Cetus said it managed to freeze $162 million of the assets. This makes the incident the second largest crypto heist of the year, after the $1.5 billion Bybit hack.

“We are working with the Sui Foundation and other ecosystem members right now on next-step solutions, with the goal of recovering the remaining stolen funds,” Cetus said.


The firm offered the hackers a “whitehat settlement”: they can keep $6 million as a bounty if they return the rest of the stolen Ethereum and SUI assets.

Cetus notes that it has been working with its partners on a recovery plan, aiming to restore liquidity withdrawals and other functionality as soon as possible.

Late Monday, the exchange said it had plans in place that would fully reimburse the lost assets.

“Using our cash and token treasuries, we are now in a position to fully cover the stolen assets currently off-chain if the locked funds are recovered through the upcoming community vote,” the company posted on X. “This includes a critical loan from the Sui Foundation, making a 100% recovery for all affected users possible.”

Related: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge

Related: German Authorities Take Down Crypto Swapping Service eXch

Related: North Korean Cryptocurrency Thieves Caught Hijacking Zoom ‘Remote Control’ Feature

Related: Malicious NPM Packages Target Cryptocurrency, PayPal Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
