On May 22, 2026, Cetus Protocol — the largest decentralized exchange on the Sui blockchain — was drained of $223 million through a flaw so small it fits in a single function: an integer overflow check in the protocol's liquidity math that accepted a number it should have rejected.
The attacker exploited a bug in checked_shlw, a helper in the open-source integer_mate library that Cetus uses for its concentrated liquidity math. The function is designed to detect whether a 256-bit integer will overflow when shifted left by 64 bits. It does this by comparing the input against a threshold constant — but the threshold in the code is wrong. When the attacker passed a specially chosen value, the check passed and the shift executed, producing a truncated intermediate that massively understated how many tokens were required to claim a large liquidity position.
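As an added illustration (my own Python, not the integer_mate library's Move code), the following models the flawed check beside a corrected one, together with the kind of differential test an auditor would run to find inputs the check accepts even though the shift truncates. The buggy threshold (0xffffffffffffffff << 192) and the corrected bound (1 << 192) are taken from the published fix as I recall it; the article does not quote the constants, so treat them as assumptions.

```python
# Model of the checked_shlw overflow check (added example, not integer_mate's code).
# Python ints are unbounded, so u256 wraparound is simulated with an explicit mask.

U256_MASK = (1 << 256) - 1
SHIFT = 64

# Threshold the flawed check compared against (per the published fix; assumption here).
BUGGY_THRESHOLD = 0xFFFFFFFFFFFFFFFF << 192
# Smallest n for which n << 64 no longer fits in 256 bits: 2**192.
CORRECT_THRESHOLD = 1 << 192


def shl_u256(n: int) -> int:
    """Left shift with u256 wraparound, mirroring on-chain truncation."""
    return (n << SHIFT) & U256_MASK


def truncates(n: int) -> bool:
    """Ground truth: would the exact product exceed 256 bits?"""
    return (n << SHIFT) > U256_MASK


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Flawed variant: only inputs above an oversized threshold are flagged.

    Returns (shifted_value, overflowed). Anything between 2**192 and the
    threshold is shifted and silently truncated with overflowed == False.
    """
    if n > BUGGY_THRESHOLD:
        return 0, True
    return shl_u256(n), False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Corrected variant: flag every input whose shifted value cannot fit."""
    if n >= CORRECT_THRESHOLD:
        return 0, True
    return n << SHIFT, False


def unflagged_gap() -> tuple[int, int]:
    """Inclusive range of inputs the buggy check accepts although the shift truncates."""
    return CORRECT_THRESHOLD, BUGGY_THRESHOLD


def audit(check, samples):
    """Differential test: inputs where `check` reports no overflow but truncation happened."""
    return [n for n in samples if truncates(n) and not check(n)[1]]


# Constructed sample inputs straddling both thresholds.
SAMPLES = [
    0, 1, 1 << 64, (1 << 192) - 1, 1 << 192, 1 << 200,
    BUGGY_THRESHOLD, BUGGY_THRESHOLD + 1, U256_MASK,
]

if __name__ == "__main__":
    lo, hi = unflagged_gap()
    print(f"buggy check accepts truncating inputs from {hex(lo)} to {hex(hi)}")
    print("unflagged by buggy check:", [hex(n) for n in audit(checked_shlw_buggy, SAMPLES)])
    print("unflagged by fixed check:", audit(checked_shlw_fixed, SAMPLES))
    print("buggy result for 2**192:", checked_shlw_buggy(1 << 192))
```

For n = 2**192 the buggy variant returns (0, False): the shift wrapped to zero and no overflow was reported, which is the kind of understated intermediate the article describes. The `audit` function is the check worth keeping in a test suite: compare any bounded-arithmetic guard against the exact unbounded computation over inputs straddling every threshold in the code.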
In practice, it let them deposit near-zero assets and receive credit for an enormous share of a pool's liquidity — which they immediately withdrew. The sequence was atomic: flash-borrow collateral, open a narrow tick range, exploit the overflow to register a disproportionately large position, remove it, repay the flash loan, and keep the profit. The same sequence repeated across dozens of Cetus pools. Auditing firm Cyfrin, which published a full post-mortem, confirmed the root cause: "The calculation of 'tokens required to add liquidity' could be driven out of line with the liquidity credit that the pool later honored on withdrawal."
Liquidity vanished so fast that USDC on Sui depegged to zero. Ecosystem tokens Lofi and Hippo fell 76% and 81% respectively within minutes, per DL News. Sui's chain-wide DeFi total value locked fell from $593.8 million on May 22 to $579.9 million on May 23, a drop of roughly $14 million — though the TVL impact understates the actual damage because the funds stolen left the chain entirely. Cetus paused its smart contracts to stop further losses.
The freeze
Validators responded within hours. Rather than process transactions from the attacker's wallet, a large coordinating group of Sui validators simply stopped including them — a consensus-based censorship that effectively froze the funds in place. Sui Foundation confirmed the action on X on May 22: "A large number of validators identified the addresses with the stolen funds and are ignoring transactions on those addresses until further notice."
Approximately $162 million was frozen before it could move. The attacker had already bridged roughly $63 million in USDC to Ethereum in the hours after the exploit, putting it beyond the validators' reach.
A governance vote followed. Validators representing 90.9% of Sui's staked supply approved an on-chain proposal to transfer the frozen funds to a multisig trust wallet jointly managed by Cetus, the Sui Foundation, and security firm OtterSec. The vote, originally scheduled for a week, closed in two days due to the overwhelming support. Cetus confirmed on X that the transfers executed, publishing transaction IDs for both moves.
The plan is to return the $162 million to affected liquidity providers once the protocol restarts, funded in part by a loan from the Sui Foundation and by Cetus's own treasury. The remaining ~$61 million, the portion bridged to Ethereum, has not been recovered.
The controversy
The freeze drew immediate criticism from parts of the blockchain community. The Defiant drew an explicit parallel to the 2016 DAO hack on Ethereum, where a similar decision to reverse a theft caused a schism that produced Ethereum Classic — a chain founded on the principle that code-is-law, and no governing body should override it, regardless of how the funds were obtained.
Critics raised the same point about Sui: if validators can freeze a wallet because the network governance apparatus decides the holder is a criminal, the chain is not meaningfully different from a bank account. The validators' power to censor transactions is, from that perspective, identical to the power any regulated financial institution exercises.
The Sui Foundation did not publicly retreat from the decision. It framed the validator action as the network's governance working as intended — a community protecting its users from theft — and pointed to the breadth of the vote (more than 90% of stake) as evidence of legitimacy.
The episode joins a pattern of large DeFi exploits in 2026 that keeps circling the same structural failure modes. The $285 million Drift Protocol hack in April and the $292 million KelpDAO incident the same month both traced to privileged role or admin key failures. The Cetus exploit is different in kind — a pure logic bug in shared math code — but the scale is now routine.
Sources: Cyfrin post-mortem (cyfrin.io); Halborn exploit analysis (halborn.com); Dedaub technical analysis (dedaub.com); DL News (dlnews.com); crypto.news; Coinspeaker via Binance Square (Cetus X post on multisig transfer); The Defiant; CryptoNinjas; Sui TVL from DefiLlama as of 2026-05-24.