Cetus hacked, Sui intervenes
Validators' actions raise decentralization debate

Sui's largest DEX, Cetus, was exploited this week for over $220 million in assets. In response, validators — in coordination with Mysten Labs — froze the attacker's wallets, reigniting debate about how much power a layer-1 should wield over its users.
— Macauley

Is the Believe app a memecoin launchpad or not?
Source: Blockworks Research
The latest challenger to pump.fun in the last week is Believe, a viral token launchpad. Believe is pump with a marketing twist: The team targets traditional Web2 startup founders to fundraise by launching tokens with a simple tweet.
As seen in the chart above, Believe burst in usage on May 13, amassing about 32% ($724m) market share of daily trading volumes, though it has tapered off to 14% ($88m) today.
Believe is positioned rather strangely. If you look at its Twitter, the team proudly promotes the various legitimate companies (with recurring revenue streams or active users, see Giggles, Ninja or AfterHour) that have launched tokens. This, along with its anti-VC marketing, strongly insinuates that tokens resemble some kind of equity-like asset — why else would one buy a token unless they have legitimate claims on the underlying value of the company?
Yet, surely no one trading these tokens seriously believes they are anything more than memecoins. And if you look on its website, the team reminds founders that their tokens "must never represent equity" or "promise or imply financial returns."
Does Believe want to be a memecoin launchpad, or a fundraising platform? I don't know.
In response to the glut of tokens launched as pure memes, Believe announced yesterday that it would suspend its "launch via Twitter" feature and that it would block "purely extractive" tokens from claiming fees.
— Donovan Choy
Exploit tests Sui's security, decentralization
Sui's largest decentralized exchange, Cetus, was exploited on May 22 for over $220 million — the most severe DeFi incident in the network's short history. It raised difficult questions about validator power, decentralization and reactive governance.
The attacker exploited faulty math in Cetus' smart contracts by using spoofed tokens and miscalculated liquidity ratios. By injecting near-zero value assets into pools and then withdrawing large amounts of real tokens like SUI and USDC, the exploiter drained about $223 million before the protocol was paused. As Mysten Labs co-founder Adeniyi Abiodun clarified in an X space, "it's not a bug in Sui consensus, it's not a bug in Move," thus isolating the issue to Cetus' application logic.
But the response drew nearly as much attention as the attack itself. In coordination with the Sui Foundation, validators quickly updated a configuration file in the code powering the network, tailored to reject transactions from the attacker's wallet. This off-chain coordination didn't require a vote or protocol-level upgrade, but has resulted in $160m in stolen assets being frozen.
A brief GitHub pull request from Mysten Labs proposed going a step further: adding an "allow list" feature to execute a pre-chosen "recovery" transaction that would bypass signature checks. The PR was withdrawn within hours after community backlash, and validators have so far limited their action to censorship, not confiscation. Blockworks contacted Mysten Labs for details, but has yet to hear back.
Still, the episode has reopened a fundamental debate about decentralization: Should a blockchain's validators ever freeze or seize funds, even in cases of clear theft?
Critics argue that such ad hoc measures threaten Sui's credibility as a decentralized base layer. "Taking a heavily opinionated stance to censor due to a third-party app exploit is a slippery slope," warned Blockworks Advisory's David Rodriguez. Others pointed out the danger of setting a precedent that could be abused in future incidents — or compelled by regulators.
Without onchain checks or governance processes, any validator coordination hinges entirely on informal consensus and the economic gravity of Sui Foundation signals. After all, validators require a 30 million SUI bond, so strong suggestions from on high might well be the same as "a $114m gun pointing at their heads."
Move is not a silver bullet
The incident also exposed broader risk beyond Cetus. According to security firm Verichains, three other major Sui protocols — Kriya, FlowX and Turbo Finance — were previously vulnerable to the same math flaw exploited in the latest attack. While Kriya and FlowX patched their contracts, Verichains warned that Turbo Finance still contains the vulnerable code, albeit not actively in use.
"Dead code is not safe code," Verichains mused.
Verichains' findings reinforce the idea that while Move-based smart contracts and VM offer stronger technical primitives, in practice, security still depends on shared libraries, developer diligence and tooling maturity.
Looking ahead, several developers and researchers have called for a formal, transparent policy on validator powers and emergency responses.
Aave governance lead Marc Zeller expressed the view that the centralized powers on display would make DeFi protocols wary, writing "[you] can be sure Aave will never deploy on Sui."
Sui may have preserved some value this time (the hacker still exfiltrated some $60 million), but its long-term reputation will depend on whether it can set clear limits — and build credible neutrality — into the system itself.

Tokenized equities
Source: rwa.xyz
Of the various types of tokenized RWAs (private credit, commodities, T-bills, equities), equities make up the smallest share, at about $15m TVL today. That wasn't always the case, though, as you can see above. Tokenized stocks (albeit algorithmic synthetic assets) peaked at $4.5b TVL in the last bull market, largely thanks to Mirror on the Terra blockchain and Synthetix.
Kraken announced yesterday a partnership with Backed Finance to launch "xStocks," a new offering for tokenized equities trading on Solana and on CEXs. Backed's bCSPX, a tokenized S&P 500 ETF, is both permissionless and regulatory-compliant on the Gnosis Chain.
I asked Backed Finance's co-founder Adam Levi why anyone would like to use this product. Here's his response:
"The biggest value proposition of xStocks is onchain access to real, fully collateralized tokens — issued under a fully compliant, regulated framework. xStocks opens up equity markets to users who've historically been locked out — whether due to geography, capital controls or lack of brokerage infrastructure. Combined with 24/7 trading, fast settlement and composability with other DeFi services, xStocks offers a truly modern financial product: globally accessible, regulatorily sound and blockchain-native."
— Donovan Choy
