“Okay, why is literally everyone and their mother talking about Sui right now?”
If that’s you – hey, you know we got you. Let’s put an end to the pain of being unaware:
Yesterday, the Sui blockchain experienced the largest DeFi hack of 2025.
A hacker stole $223M from Cetus, the largest DEX aggregator on Sui.
FYI: that is about 94% of what the platform had in total value locked (TVL) the day before. So yeah, pretty big deal.
“But… how?”, said you, maybe.
Like I said – don’t worry, we got you.
The attacker exploited a flaw in Cetus’ smart contracts – and according to HackenProof CTO Alex Horlan, this is how the whole thing went down:
Step 1. Making a garbage token look valuable
The attacker made their own token – just a worthless coin called BULLA.
Now, on most DEXs, prices are set by how many coins are sitting in a pool. If there’s a lot of BULLA and only a little SUI (a legit token), the system assumes BULLA must be really valuable – because it thinks it takes a lot of BULLA to buy just a little SUI.
So the hacker dumped tons of BULLA into the pool and added only a little bit of SUI. Now the pool’s price math was tricked: it thought 1 BULLA was worth a lot of SUI, when really, it was garbage.
Step 2. Setting up a fake liquidity pool
Next, the hacker used BULLA to create a brand new liquidity pool – this time adding almost nothing to it, just enough to set it up.
When someone starts a new liquidity pool, they get LP tokens in return. These LP tokens are like a receipt showing what % of the pool you own, and later you can trade them in to get your share of the real tokens in the pool.
But the system still thinks the fake token is super expensive, so when the attacker adds a tiny bit of it into the pool, it treats that like a huge deposit. As a result, the hacker gets a huge number of LP tokens – far more than they actually deserve.
Step 3. Cash out
Now armed with these LP tokens, the hacker starts removing liquidity – exchanging their LP tokens for real tokens from the pool.
Because the system’s math is broken from the earlier trick, it lets them keep pulling out real coins – again and again – even though they barely put anything real in to begin with.
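To make those three steps concrete, here is a small constructed Python model, added for this write-up (it is not Cetus’ code, and the pool names, amounts and the 1000-SUI-per-BULLA price are made up). It mints LP tokens the broken way, by valuing a deposit at a spot price read from a thin pool the depositor seeded, next to proportional minting that only looks at the receiving pool’s own reserves, plus the share invariant a reviewer or monitor would check after every deposit:

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy two-asset pool that tracks its own LP-token supply (constructed, not Cetus code)."""
    bulla: float
    sui: float
    lp_supply: float = 0.0

    def spot_price(self) -> float:
        # BULLA's spot price in SUI is just the reserve ratio, so whoever seeds a thin pool picks it.
        return self.sui / self.bulla

    def _apply(self, bulla_in: float, sui_in: float, minted: float) -> float:
        self.bulla += bulla_in
        self.sui += sui_in
        self.lp_supply += minted
        return minted

    def mint_by_oracle_value(self, bulla_in: float, sui_in: float, price: float) -> float:
        # Broken pattern from the write-up: LP tokens are minted for the deposit's *value* at an outside price.
        return self._apply(bulla_in, sui_in, bulla_in * price + sui_in)

    def mint_proportional(self, bulla_in: float, sui_in: float) -> float:
        # Hardened: LP tokens are a fraction of this pool's own reserves (the smaller contribution ratio).
        share = min(bulla_in / self.bulla, sui_in / self.sui)
        return self._apply(bulla_in, sui_in, share * self.lp_supply)

    def burn(self, lp: float) -> tuple[float, float]:
        # Redeem LP tokens for a proportional slice of the real reserves.
        share = lp / self.lp_supply
        out = (self.bulla * share, self.sui * share)
        self.bulla, self.sui, self.lp_supply = self.bulla - out[0], self.sui - out[1], self.lp_supply - lp
        return out

def lp_share_is_sane(minted: float, pool: Pool, sui_in: float) -> bool:
    # Invariant to check after each deposit: share of LP supply handed out <= share of SUI contributed.
    return minted / pool.lp_supply <= sui_in / pool.sui + 1e-9

def run(vulnerable: bool) -> tuple[float, bool]:
    """Deposit 1 BULLA + 0.01 SUI into a pool holding 1000 SUI of other people's money; return (SUI out, invariant held)."""
    victim = Pool(bulla=1_000.0, sui=1_000.0, lp_supply=1_000.0)
    thin = Pool(bulla=0.001, sui=1.0)  # depositor-seeded price pool: reads as 1000 SUI per BULLA
    bulla_in, sui_in = 1.0, 0.01
    if vulnerable:
        minted = victim.mint_by_oracle_value(bulla_in, sui_in, thin.spot_price())
    else:
        minted = victim.mint_proportional(bulla_in, sui_in)
    sane = lp_share_is_sane(minted, victim, sui_in)
    return victim.burn(minted)[1], sane
```

With the oracle-valued mint, 0.01 SUI in comes back as roughly 500 SUI and the invariant fails; with proportional minting the same deposit returns 0.01 SUI and the invariant holds.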
I know. Crazy stuff.
And the result was a mess:
Craaaazy stuff.
Cetus scrambled to respond:
Paused all smart contracts to prevent more damage;
Teamed up with the Sui Foundation and froze around $162M of the hacker’s funds. Unfortunately, the hacker had already bridged about $60M over to Ethereum;
Offered a white hat bounty – up to $6M – if the attacker returns the Ether.
Which sounds like a pretty solid response.
But many people went like, “Uhhh… pause. Sui can freeze funds?”
Yeah, if someone can just halt transactions, it feels a lot like the traditional banking system. And for a network that calls itself decentralized, that’s a big red flag.
On the other hand, people like crypto sleuth Matteo pointed out that what happened wasn’t centralized control – it was decentralization in action.
According to him, Sui validators from all over the world independently coordinated to stop a known malicious wallet. No one gave orders, no one had to ask permission. They simply chose to act.
That, he said, is what true decentralization looks like – not being powerless, but being able to respond collectively as a network.
And it probably was the right choice. If you can stop someone from stealing, why wouldn’t you?
But even if this made sense, it left a crack in the idea that Sui was fully decentralized.
So yeah. And that, friends, is why everyone is freaking out about Sui. The pain of unawareness has been lifted.
Now you’re in the know. But think about your friends – they probably don’t know. I wonder who could fix that… 😃🫵
Spread the word and be the hero you know you are!