
$223 Million in Crypto Stolen: Victim of a Hack, Cetus Protocol Negotiates with the Hacker


Cetus Protocol, a decentralized exchange based on the Sui blockchain, was the victim of a cyberattack. During the intrusion, the attackers made off with $223 million in cryptocurrency. In response, Cetus decided to suspend its smart contract, the program that automatically manages transactions on the protocol. This suspension prevents "any further theft of funds."

Apparently, the attack relied on the smart contract to steal funds from the protocol. According to the Cetus team, "the root cause of the exploit" has been identified. It is a "package", i.e., a faulty piece of hardware. The developers aren't saying anything more, but they say the issue has been fixed.

According to researchers at Elliptic, the attacker exploited a flaw in the algorithms programmed to set asset prices for a reserve of cryptocurrencies locked in a smart contract. By exploiting the flaw, the attacker was able to obtain a flash loan without having to directly repay the cryptocurrencies. In short, the hacker used fake, worthless tokens to fool the algorithms. Thanks to this, he was able to borrow real cryptocurrencies without the smart contract raising any objection. He then took off with the funds without the loan being repaid automatically, as is normally the case with a flash loan. The funds were converted into stablecoins, such as USDC, before being exchanged for Ether.

Blocking of funds, bounty, and negotiations

At the same time, the exchange did everything possible to block and recover all the cryptocurrencies stolen by the hackers. Cetus explains that it "called on professional organizations fighting cybercrime" and was "in contact with law enforcement". The protocol was thus able to identify the attacker's address and all of his Ethereum accounts. More than $160 million in stolen cryptocurrencies were frozen on the Sui blockchain. The validators, responsible for validating transactions on the network, urgently voted to freeze the digital assets.

Cetus is offering a $5 million bounty for anyone with information leading to the identification and arrest of the cybercriminal. Furthermore, the team has made a point of proposing an out-of-court settlement to the hacker. If the hacker returns all the stolen cryptocurrencies, Cetus will not take legal action against him. If "the hacker cooperates and accepts our offer as we hope, we will refrain from any legal action or recourse." It is not uncommon for decentralized finance developers to prefer negotiating with a hacker rather than playing cat and mouse across blockchains.

On the Ethereum blockchain, Cetus posted a message assuring that "major exchanges" and blockchain bridge managers have been notified and are being mobilized to freeze the assets. "As you know, all funds mined on the Sui network, currently held in your wallets, have been frozen," the Cetus team said, eager to put pressure on the hacker.

$6 million in the hacker's pockets?

If he cooperates and returns the money, the attacker will be able to keep approximately $6 million in cryptocurrency. So far, the hacker has not responded to Cetus's offer. Whatever happens, the hack has profoundly shaken Cetus and the Sui ecosystem, whose tokens plummeted following the announcement of the hack.
