
Cetus Protocol $220M+ Exploit Explained: Token Spoofing & Overflow Attack on Sui

By Dr. Lorena Nessi

Key Takeaways

  • Cetus lost over $220 million after an attacker exploited a flaw in a smart contract math library.
  • The attacker used spoof tokens and overflow bugs to trick the system into giving away real assets.
  • Cetus responded quickly by freezing stolen tokens, offering a white-hat bounty, and launching a compensation plan.
  • Security experts blamed weak overflow checks and called for stricter token validation rules in DeFi protocols.

The Cetus attack is one of the latest decentralized finance (DeFi) exploits that exposed a deep flaw in smart contract logic. 

The attacker used fake tokens and a broken math function to drain over $220 million. 

This article explains what happened, how the bug worked, who was affected, how Cetus plans to fix it, and what the incident means for the wider DeFi landscape.

What Is Cetus and How Does It Work on Sui?

Cetus is a decentralized exchange (DEX) and liquidity protocol that operates on the Sui and Aptos blockchains. It supports DeFi through concentrated liquidity. 

Liquidity providers choose custom price ranges for their funds instead of spreading them across all prices. 

The platform offers permissionless trading, low fees, low latency, high speed and a user-friendly interface. This setup gives traders better prices and helps providers use their funds more effectively.

Cetus runs smart contracts on the Sui blockchain using the Move programming language. Developers use these contracts to set clear rules for trading and liquidity. 

Liquidity providers choose how to set up their pools by deciding the price range where their funds stay active, giving them more control over how their money works.

The Sui network treats each action, like a trade or an update, as a separate item. This design speeds up processing and makes tracking easier. 

With this structure, Cetus gives users real-time price updates, smaller price swings during trades, and fast transaction finality, which means trades are confirmed almost instantly and cannot be changed. Traders and liquidity providers can use these features to manage their activity efficiently.

What Is a Token Spoofing Attack?

A token spoofing attack is a cybersecurity threat in which a malicious actor manipulates, impersonates, or creates a token to deceive users or systems into believing it is legitimate. 

In blockchain environments, this attack targets on-chain assets, such as fungible tokens or NFTs, by mimicking the properties of real tokens, including their name, symbol, and metadata.

This form of spoofing exploits users’ trust in token standards and blockchain explorers. 

While Ethereum-based networks use standards like ERC-20 (fungible tokens) or ERC-721 (NFTs), blockchains like Sui use their own models based on the Move language, where tokens are represented as Move objects. 

For example, an attacker on Sui might create a token that visually resembles a well-known asset like “SUI” or “USDC” traded on Cetus, using similar metadata to trick users into interacting with the fake token.

In this context, token spoofing differs from authentication or API token spoofing, which occurs in Web2 and Web3 applications and typically involves session hijacking or unauthorized access through fake access tokens.

In that authentication sense, token spoofing creates a serious risk because it bypasses strong controls such as multi-factor authentication (MFA). 

The attacker does not need to steal or guess a password. Instead, they present a forged token that looks like one issued to a user who has already passed every check, and the system treats them as that trusted user.

The Cetus exploit involved token spoofing as a component, where fake tokens were created to deceive the protocol into thinking valid liquidity was being provided. This was then compounded by a critical arithmetic overflow bug, which led to massive, unintended withdrawals.

What Happened in the Cetus $220M+ Exploit

The $220 million exploit targeting Cetus Protocol occurred on May 22, 2025, and is one of the most significant DeFi hacks of the year. 

The exploit used a critical arithmetic overflow bug in a shared math library for liquidity pool calculations on the Sui blockchain.

Below is a detailed explanation of what happened, based on available information:

The attacker manipulated a pool parameter with an extremely large value, tricking the protocol into miscalculating pool balances. 

Typically, the protocol calculates how much liquidity someone has added using the formula: token amount × pool multiplier (or rate).

Figure: Formula for liquidity calculation

This formula is typical in automated market makers (AMMs) like Cetus, which uses a concentrated liquidity model similar to Uniswap V3.

By using spoof tokens (like BULLA and MOJO), the attacker was able to deposit as little as 1 token unit. 

However, because of an overflow bug in the math library, the computed result was not merely large; it was corrupted, yet the protocol still accepted it as valid, so the attacker appeared to have added a massive liquidity position.

Figure: Attack’s procedure | Source: Cetus Protocol Report

Because the protocol believed the attacker had contributed millions in liquidity, it allowed them to:

  • Withdraw real tokens in proportion to the spoofed liquidity share.
  • Drain legitimate assets while contributing almost nothing of real value.

Cetus’ Response to the Attack 

Within an hour, Cetus paused smart contracts and froze $162 million in stolen assets. 

They offered the attacker a $6 million white-hat bounty, a reward to encourage ethical return of funds, and worked with law enforcement and Inca Digital on the investigation.

They also reassured the community with constant updates, Q&A sessions, public spaces on X, and social media reports.

On May 27, 2025, Cetus announced a full compensation plan for affected users, using its treasury and a loan from the Sui Foundation. 

The team asked for community support in an upcoming vote to unlock frozen funds and promised recovery would begin immediately, regardless of the outcome.

An X user urged the team to “return Cetus tokens to their original point before the incident” to restore investor confidence. 

The comment reflects a broader sentiment across the community, which has demanded swift action and transparency.

Breakdown of Stolen Assets on Cetus

The attacker drained more than $223 million from Cetus Protocol by exploiting a math library vulnerability. The stolen assets included both major tokens and lesser-known ones across various liquidity pools. 

Below is a breakdown of the affected tokens and the estimated losses:

  • SUI: $52 million
  • USDC (wrapped USDt): $19.5 million
  • Haedal Staked SUI (HASUI): $4.9 million
  • Toilet (TOILET): $19.5 million
  • Other Tokens: Including Lombard Staked BTC (LBTC), AXOLcoin (AXOL), HIPPO, LOFI, SQUIRT, BLUB, SLOVE, Uni, MEMEFI, and SUIMON.

Why Was Cetus Vulnerable?

According to Cetus Protocol, the exploit came from a flaw in a math function in the library used by its core contracts. 

This function was supposed to prevent overflows when calculating liquidity values, but the check was implemented incorrectly. As a result, the system failed to block dangerous inputs.

The attacker used this flaw to trick the protocol into accepting fake liquidity deposits. By doing so, they paid almost nothing and withdrew real assets at full value.
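The two passages above (the tiny deposit that was credited as a massive position, and the overflow check that was implemented incorrectly) can be made concrete with a small Rust model. This is an added example, not Cetus’s code or the Sui math library: the guard, the 64-bit fixed-point scale, the pool rate and the input values are all constructed for the illustration. It shows how a guard that tests the wrong bit range lets a huge liquidity request through a shift-left that silently discards the high bits, so the pool charges one token for it, while a correct guard rejects the same input.

```rust
// Added illustration of the bug class described in the article. It is NOT
// code from Cetus or from any Sui/Move library; the guard, the scale and the
// pool rate below are constructed for the example.

/// Constructed fixed-point scale: liquidity is shifted left by 64 bits before
/// it is divided by the pool rate, like a Q64.64 multiplication.
const SCALE_BITS: u32 = 64;

/// Constructed weak guard. It only rejects a value whose top 8 bits are set,
/// but a 64-bit shift drops every bit from position 64 upward, so values with
/// bits 64..119 set pass the check and are then silently truncated.
pub fn buggy_checked_shl(x: u128) -> Option<u128> {
    if x >> 120 != 0 {
        return None;
    }
    // wrapping_shl discards the bits shifted past the word, exactly the
    // behaviour the guard was supposed to make impossible.
    Some(x.wrapping_shl(SCALE_BITS))
}

/// Correct guard: the shift is only safe when every bit that would leave the
/// 128-bit word is already zero.
pub fn correct_checked_shl(x: u128) -> Option<u128> {
    if x >> (u128::BITS - SCALE_BITS) != 0 {
        return None;
    }
    Some(x << SCALE_BITS)
}

/// Tokens a depositor must pay for `liquidity` units at `rate` (constructed
/// Q64.64 price factor, so `1 << 64` means 1.0). Rounds up, so a legitimate
/// caller never pays zero. `shl` is the overflow-guarded shift under test.
pub fn required_deposit(
    liquidity: u128,
    rate: u128,
    shl: fn(u128) -> Option<u128>,
) -> Option<u128> {
    if rate == 0 {
        return None;
    }
    let scaled = shl(liquidity)?;
    let q = scaled / rate;
    Some(if scaled % rate == 0 { q } else { q + 1 })
}

/// Scenario from the article: a request for an enormous liquidity position.
/// Returns (what the buggy pool charges, what a correct pool does).
pub fn compare_guards(liquidity: u128, rate: u128) -> (Option<u128>, Option<u128>) {
    (
        required_deposit(liquidity, rate, buggy_checked_shl),
        required_deposit(liquidity, rate, correct_checked_shl),
    )
}

fn main() {
    let rate = 1u128 << 64; // price factor 1.0
    // Honest deposit: both guards agree on the price (1000 tokens).
    println!("{:?}", compare_guards(1_000, rate));
    // Constructed hostile input: bits between 64 and 119 are set, so the weak
    // guard lets it through and the shift truncates it to a tiny number.
    // Buggy pool charges 1 token; correct pool rejects the request.
    let huge = (1u128 << 100) + 1;
    println!("{:?}", compare_guards(huge, rate));
}
```

The defensive lesson is in the two guards: an overflow check has to be written against the exact width the following operation can lose, and it should be exercised with boundary inputs just below and just above that width (here, values with bit 64 set and values with bit 119 set) rather than only with obviously small or obviously enormous numbers.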

Cetus clarified that the exploit had nothing to do with an earlier audit report that flagged a different overflow issue.

Conclusion

The Cetus exploit shows how one weak function can break an entire system. A mix of spoof tokens and poor math checks allowed a massive theft. 

Cetus acted fast to freeze funds and support users. 

But the case reminds all DeFi builders that even minor errors can lead to massive losses.

FAQs

Has Cetus recovered from the attack?

Cetus froze part of the tokens, paused trading, initiated an audit, and is working with the Sui Foundation to secure the network.

Could users have avoided the exploit?

No, Cetus’s users could not have avoided the attack. This was a smart contract-level vulnerability caused by a flawed math function in a library used by Cetus. Users who interacted with the protocol had no way of knowing that the liquidity calculations were broken. The bug was deep in the codebase, not visible through a wallet interface or blockchain explorer.

How were Cetus users affected by the attack?

Users were affected because the attacker drained real tokens from the liquidity pools on Cetus, such as SUI, USDC, and others. Users deposit funds into these pools. 

When the exploit happened, users who provided liquidity lost access to their funds, partially or entirely. In some cases, token values dropped sharply due to the imbalance caused by the attacker withdrawing large amounts.

Will Cetus change its smart contract system after this incident?

Yes. Cetus announced it will update the math library, improve overflow protection, and work with external auditors to review all major contract modules. These changes aim to stop similar bugs from returning.

Dr. Lorena Nessi is an award-winning journalist and media technology expert with 15 years of experience in digital culture and communication. Based in Oxfordshire, UK, she combines academic insight with hands-on media practice. She holds a PhD in Communication, Sociology, and Digital Cultures, and an MA in Globalization, Identity, and Technology. Lorena has taught at Fairleigh Dickinson University, Nottingham Trent University, and the University of Oxford. She is a former producer for the BBC in London, with additional experience creating television content in Mexico and Japan. Her research focuses on digital cultures, social media, technology, capitalism, and the societal impact of blockchain innovation. She has written extensively on digital media and emerging technologies, with her work featured in both academic and media platforms. Her Web3 expertise explores how blockchain technologies shape culture, economics, and decentralized systems. Outside of work, Lorena enjoys reading science fiction, playing strategic board games, traveling, and chasing adventures that get her heart racing. A perfect day ends with a relaxing spa and a good family meal.