This is a segment from the 0xResearch newsletter. To read full editions, subscribe.
Sui’s largest decentralized exchange, Cetus, was exploited on May 22 for over $220 million — the most severe DeFi incident in the network’s short history. It raised difficult questions about validator power, decentralization and reactive governance.
The attacker exploited faulty math in Cetus’ smart contracts by using spoofed tokens and miscalculated liquidity ratios. By injecting near-zero value assets into pools and then withdrawing large amounts of real tokens like SUI and USDC, the exploiter drained about $223 million before the protocol was paused. As Mysten Labs co-founder Adeniyi Abiodun clarified in an X space, “it’s not a bug in Sui consensus, it’s not a bug in Move,” thus isolating the issue to Cetus’ application logic.
But the response drew nearly as much attention as the attack itself. In coordination with the Sui Foundation, validators quickly updated a configuration file in the code powering the network, tailored to reject transactions from the attacker’s wallet. This off-chain coordination didn’t require a vote or protocol-level upgrade, but has resulted in $160 million in stolen assets being frozen.
A brief GitHub pull request from Mysten Labs proposed going a step further: adding an “allow list” feature to execute a pre-chosen “recovery” transaction that would bypass signature checks. The PR was withdrawn within hours after community backlash, and validators have so far limited their action to censorship, not confiscation.
“Sui is a decentralized network, so neither Mysten Labs nor Sui Foundation has the ability to block addresses or transactions, ‘control’ validators, or otherwise dictate the behavior of independent actors on Sui,” a Sui Foundation rep told Blockworks.
Still, the episode has reopened a fundamental debate about decentralization: Should a blockchain’s validators ever freeze or seize funds, even in cases of clear theft?
Critics argue that such ad hoc measures threaten Sui’s credibility as a decentralized base layer. “Taking a heavily opinionated stance to censor due to a third-party app exploit is a slippery slope,” warned Blockworks Advisory’s David Rodriguez. Others pointed out the danger of setting a precedent that could be abused in future incidents — or compelled by regulators.
Without onchain checks or governance processes, any validator coordination hinges entirely on informal consensus and the economic gravity of Sui Foundation signals. After all, validators require a 30 million SUI bond, so strong suggestions from on high might well be the same as “a $114m gun pointing at their heads.”
Move is not a silver bullet
The incident also exposed broader risk beyond Cetus. According to security firm Verichains, three other major Sui protocols — Kriya, FlowX and Turbo Finance — were previously vulnerable to the same math flaw exploited from the latest attack. While Kriya and FlowX patched their contracts, Verichains warned that Turbo Finance still contains the vulnerable code, albeit not actively in use.
“Dead code is not safe code,” Verichains mused.
Verichains’ findings reinforce the idea that while Move-based smart contracts and VM offer stronger technical primitives, in practice, security still depends on shared libraries, developer diligence and tooling maturity.
Looking ahead, several developers and researchers have called for a formal, transparent policy on validator powers and emergency responses.
Aave governance lead Marc Zeller expressed the view that the centralized powers on display would make DeFi protocols wary, writing “[you] can be sure Aave will never deploy on Sui.”
Sui may have preserved some value this time (the hacker still exfiltrated some $60 million), but its long-term reputation will depend on whether it can set clear limits — and build credible neutrality — into the system itself.
Get the news in your inbox. Explore Blockworks newsletters:
