“Okay, why is everyone and their mother talking about Sui right now?”
If that’s you – hey, you know we’ve got you. Let’s put an end to the pain of being unaware:
Yesterday, the Sui blockchain suffered the biggest DeFi hack of 2025.
A hacker stole $223M from Cetus, the largest decentralized exchange (DEX) on Sui.
FYI: that is about 94% of what the platform had in total value locked (TVL) the day before. So yeah, pretty big deal.
“But… how?”, you said, maybe.
Like I said – don’t worry, we’ve got you.
The attacker exploited a flaw in Cetus’ smart contracts – and according to HackenProof CTO Alex Horlan, this is how the whole thing went down:
Step 1. Making a garbage token look valuable
The attacker made their own token – just a worthless coin called BULLA.
Now, on most DEXs, prices are set by the ratio of coins sitting in a pool. If there’s only a sliver of BULLA and a comparatively large amount of SUI (a legit token), the system assumes BULLA must be really valuable – because, by that ratio, it takes a lot of SUI to buy just a little BULLA.
So the hacker seeded a pool with a tiny amount of BULLA against some SUI. Now the pool’s price math was tricked: it quoted 1 BULLA as worth a lot of SUI, when really it was garbage.
Step 2. Setting up a fake liquidity pool
Next, the hacker used BULLA to create a new liquidity pool – this time adding almost nothing to it, just enough to set it up.
When someone provides liquidity to a pool, they get LP tokens in return. These LP tokens are like a receipt showing what percentage of the pool you own, and later you can trade them in to get your share of the real tokens in the pool.
But the system still thinks the fake token is super expensive, so when the attacker adds a tiny bit of it to the pool, it treats that like a massive deposit. As a result, the hacker gets a huge number of LP tokens – far more than they actually deserve.
Step 3. Cash out
Now armed with those LP tokens, the hacker starts removing liquidity – exchanging the LP tokens for real tokens from the pool.
Because the system’s math is broken from the earlier trick, it lets them keep pulling out real money – again and again – even though they barely put anything real in to begin with.
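To make the three steps concrete, here is an added toy model in Python. It is not Cetus’ code (which is written in Move) and not taken from Horlan’s analysis: it is a plain two-token pool with LP shares, constructed for this illustration. The rigged pool, the victim pool with real tokens in it and all the numbers are made up, and the names Pool, mint_lp_by_external_price, mint_lp_pro_rata, burn_lp and run_attack are assumptions for the example. The broken mint values a deposit at a price read from another pool (the failure mode the steps describe); the sound mint is the usual pro-rata rule, shown as one standard way to avoid it, not as a description of how Cetus was patched.

```python
# Added toy model of the three steps above (not Cetus's code, which is Move;
# a plain constant-product pool with LP shares, constructed for illustration).
# Two ways of minting LP shares are compared:
#   mint_lp_by_external_price -> values a deposit with a price read from some
#                                other pool, which the attacker can seed at any ratio
#   mint_lp_pro_rata          -> mints shares only in proportion to how much of
#                                BOTH reserves the deposit adds (the usual rule)
from fractions import Fraction


class Pool:
    """Two-token pool. Token A plays the worthless BULLA, token B the real SUI."""

    def __init__(self, reserve_a, reserve_b, lp_holder, lp_total):
        self.reserve_a = Fraction(reserve_a)
        self.reserve_b = Fraction(reserve_b)
        self.lp_total = Fraction(lp_total)
        self.lp = {lp_holder: Fraction(lp_total)}  # holder -> LP shares

    def spot_price_a_in_b(self):
        """Step 1: the price a pool quotes is just its reserve ratio."""
        return self.reserve_b / self.reserve_a

    def _credit(self, who, shares):
        self.lp[who] = self.lp.get(who, Fraction(0)) + shares
        self.lp_total += shares

    def mint_lp_by_external_price(self, who, amt_a, amt_b, price_a_in_b):
        """Step 2, broken variant: deposit and pool are valued at an externally
        supplied price, so a worthless token that some other pool quotes as
        expensive earns a share far beyond what was really added."""
        amt_a, amt_b = Fraction(amt_a), Fraction(amt_b)
        pool_value = self.reserve_a * price_a_in_b + self.reserve_b
        deposit_value = amt_a * price_a_in_b + amt_b
        shares = self.lp_total * deposit_value / pool_value
        self.reserve_a += amt_a
        self.reserve_b += amt_b
        self._credit(who, shares)
        return shares

    def mint_lp_pro_rata(self, who, amt_a, amt_b):
        """Step 2, sound variant: shares come from the smaller of the two
        relative contributions, so a one-sided deposit of token A earns
        nothing and no external price enters the calculation."""
        amt_a, amt_b = Fraction(amt_a), Fraction(amt_b)
        shares = min(amt_a * self.lp_total / self.reserve_a,
                     amt_b * self.lp_total / self.reserve_b)
        self.reserve_a += amt_a
        self.reserve_b += amt_b
        self._credit(who, shares)
        return shares

    def burn_lp(self, who, shares):
        """Step 3: redeem LP shares for the matching fraction of both reserves."""
        shares = Fraction(shares)
        if not 0 < shares <= self.lp.get(who, Fraction(0)):
            raise ValueError("burning more LP than held")
        out_a = self.reserve_a * shares / self.lp_total
        out_b = self.reserve_b * shares / self.lp_total
        self.reserve_a -= out_a
        self.reserve_b -= out_b
        self.lp[who] -= shares
        self.lp_total -= shares
        return out_a, out_b


def run_attack(vulnerable, rounds=5):
    """Replay the three steps; returns (token B extracted, token B spent)."""
    # Step 1 (constructed): the attacker seeds a pool with one base unit of A
    # (1e-9, as if A had 9 decimals) against 1 B. Nobody trades it, but its
    # reserve ratio now "quotes" 1 A = 1e9 B, and it cost the attacker 1 B.
    rigged = Pool(reserve_a=Fraction(1, 10**9), reserve_b=1,
                  lp_holder="attacker", lp_total=1)
    price = rigged.spot_price_a_in_b()          # Fraction(10**9)

    # Victim pool (constructed): honest LPs hold 10 A and 1,000,000 B.
    victim = Pool(reserve_a=10, reserve_b=10**6, lp_holder="honest", lp_total=1000)

    got_b = Fraction(0)
    for _ in range(rounds):
        # Step 2: deposit a single A and no B at all.
        if vulnerable:
            shares = victim.mint_lp_by_external_price("attacker", 1, 0, price)
        else:
            shares = victim.mint_lp_pro_rata("attacker", 1, 0)
        if shares == 0:
            break                               # sound mint: nothing to redeem
        # Step 3: cash the shares out for real tokens, then do it again.
        _, out_b = victim.burn_lp("attacker", shares)
        got_b += out_b
    return got_b, Fraction(1)                   # the only B spent: seeding the rigged pool


def balanced_deposit_round_trip():
    """Sanity check on the sound mint: a deposit in the pool's own ratio,
    redeemed immediately, returns exactly what went in."""
    pool = Pool(reserve_a=10, reserve_b=10**6, lp_holder="honest", lp_total=1000)
    shares = pool.mint_lp_pro_rata("user", 1, 10**5)
    return pool.burn_lp("user", shares)


if __name__ == "__main__":
    for flag in (True, False):
        got, spent = run_attack(vulnerable=flag)
        print(f"vulnerable={flag}: extracted {float(got):,.0f} B for {spent} B spent")
```

With the constructed numbers, each round of the broken variant hands the attacker roughly a tenth of whatever real B is left in the victim pool in exchange for one unit of A they minted for free, so five rounds drain about 380,000 of the 1,000,000 B; the pro-rata mint gives the same one-sided deposit zero shares and the loop stops at once. The toy deliberately keeps the pool’s own reserves as the only input to the sound mint: the moment a price from elsewhere is allowed to value a deposit, the attacker only has to control that elsewhere.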
I know. Crazy stuff.
And the result was a mess.
Craaaazy stuff.
Cetus scrambled to respond:
Paused all smart contracts to prevent more damage;
Teamed up with the Sui Foundation and froze around $162M of the hacker’s funds. Unfortunately, the hacker had already bridged about $60M over to Ethereum;
Offered a white hat bounty – up to $6M – if the attacker returns the Ether.
Which looks like a pretty solid response.
But many people went, “Uhhh… pause. Sui can freeze funds?”
Yeah, if someone can just halt transactions, it feels a lot like the traditional banking system. And for a network that calls itself decentralized, that’s a huge red flag.
On the other hand, people like crypto sleuth Matteo pointed out that what happened wasn’t centralized control – it was decentralization in action.
According to him, Sui validators from all over the world independently coordinated to stop a known malicious wallet. No one gave orders, no one had to ask permission. They simply chose to act.
That, he said, is what true decentralization looks like – not being powerless, but being able to respond together as a network.
And it probably was the right call. If you can stop someone from stealing, why wouldn’t you?
But even if it made sense, it left a crack in the idea that Sui was fully decentralized.
So yeah. And that, friends, is why everyone is freaking out about Sui. The pain of unawareness has been lifted.
Now you’re in the know. But think about your friends – they probably have no idea. I wonder who could fix that… 😃🫵
Spread the word and be the hero you know you are!