Blockchain security firm Dedaub has released an in-depth post-mortem report detailing the vulnerabilities that led to the recent attack on the Cetus decentralized exchange. The investigation traced the breach to a flaw in the platform’s automated market maker (AMM) code, specifically related to liquidity parameter validation. According to the security team, a failure in the mechanism checking the most significant bits (MSB) of liquidity values allowed attackers to bypass safeguards and manipulate token inputs on a massive scale.
The incident involved the malicious actors inflating the input values used in liquidity calculations, enabling them to contribute disproportionate liquidity with minimal token input. This maneuver allowed them to drain several liquidity pools that collectively held assets valued in the hundreds of millions of dollars. Dedaub’s researchers emphasized that the faulty MSB check was at the core of the exploit, describing how attackers were able to open unusually large positions with insignificant amounts of capital, thereby gaining access to vast reserves of tokens.
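To illustrate the class of check the report describes, here is an added example (not Cetus's or Dedaub's code): an unsigned fixed-width liquidity value is widened by a left shift, and a guard that inspects only the single top bit is compared with one that checks every bit the shift would discard. The 256-bit width and the 64-bit shift are assumptions, as is the shape of the weak guard.

```python
# Added illustration, not the Cetus code. Models a fixed-width unsigned
# liquidity value that is widened by a left shift, and compares a guard
# that looks only at the single most significant bit with one that
# checks all bits the shift would push out. Widths are assumptions.
WIDTH = 256          # assumed: 256-bit unsigned integers
SHIFT = 64           # assumed: widening shift by one 64-bit word
MASK = (1 << WIDTH) - 1

def weak_msb_check(n: int) -> bool:
    """Hypothetical permissive guard: inspects only the top bit, so an
    input with bits set anywhere else in the top SHIFT positions still
    passes and silently wraps after the shift."""
    return (n >> (WIDTH - 1)) == 0

def strict_msb_check(n: int) -> bool:
    """Correct guard: all SHIFT most significant bits must be clear, so
    n << SHIFT fits in WIDTH bits without losing information."""
    return (n >> (WIDTH - SHIFT)) == 0

def checked_shlw(n: int, guard) -> tuple[int, bool]:
    """Shift n left by SHIFT with the wrap-around semantics of a
    fixed-width integer. Returns (value, overflowed). With a guard that
    is too permissive, an oversized input collapses into a small wrapped
    value while overflowed is reported as False."""
    if not (0 <= n <= MASK):
        raise ValueError("input outside the fixed width")
    if not guard(n):
        return 0, True
    return (n << SHIFT) & MASK, False

def shift_is_lossless(n: int, value: int, overflowed: bool) -> bool:
    """Invariant a reviewer or unit test can assert: whenever no overflow
    is reported, undoing the shift must give back the original input."""
    return overflowed or (value >> SHIFT) == n

if __name__ == "__main__":
    inflated = (1 << 200) + 5            # constructed oversized input
    print(checked_shlw(inflated, weak_msb_check))    # wrapped, not flagged
    print(checked_shlw(inflated, strict_msb_check))  # flagged as overflow
```

The `shift_is_lossless` invariant is the kind of property test that would have caught the permissive guard before deployment.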
The attack occurred on May 22 and resulted in approximately $223 million in losses within just 24 hours. The scale of the breach has made it one of the most notable security events in recent decentralized finance (DeFi) history. In response, both Cetus and the Sui Foundation acted quickly, announcing that validators on the Sui network had managed to freeze a significant portion of the stolen assets.
According to an update from the Cetus team, approximately $163 million of the compromised funds were frozen on the same day the hack took place. This rapid intervention was facilitated by coordination with Sui ecosystem partners and blockchain validators.
However, the decision to freeze the stolen funds triggered intense debate within the crypto community. While some praised the swift action as a necessary move to protect users, others questioned the implications such intervention had on the core principles of blockchain decentralization. Critics argued that by halting transactions and seizing control of funds, the validators had effectively undermined the decentralized nature of the network.
Voices across social media platforms pointed out that censoring on-chain transactions bore resemblance to the operations of centralized systems, raising concerns about the increasing reliance on governance mechanisms that prioritize control over trustless execution. Observers noted that many Web3 projects, despite drawing ideological inspiration from Bitcoin’s decentralized ethos, continue to lean toward centralized practices when facing crises.
The Cetus breach is the latest in a growing list of security incidents plaguing the crypto and Web3 sectors. Industry leaders have repeatedly cautioned that unless robust security measures are proactively established by firms themselves, regulatory bodies may be compelled to enforce external controls.
As the dust settles on the Cetus attack, the incident has become a flashpoint for broader discussions about smart contract security, validator governance, and the balance between decentralization and user protection. The fallout not only underscores the technical challenges of DeFi architecture but also reopens the debate about how blockchain networks should handle emergencies without compromising their foundational principles.
