• 0xResearch
  • Posts
  • 🤼 Cetus hacked, Sui intervenes

🤼 Cetus hacked, Sui intervenes

Validators’ actions raise decentralization debate

Brought to you by:

Sui’s largest DEX, Cetus, was exploited this week for over $220 million in assets. In response, validators — in coordination with Mysten Labs — froze the attacker’s wallets, reigniting debate about how much power a layer-1 should wield over its users.

— Macauley

Permissionless IV is hitting Brooklyn on June 24-26. Tix are $499 — but refer 5 friends to the 0xResearch newsletter and score a free Permissionless ticket. Scroll down to grab your code.

Is the Believe app a memecoin launchpad or not?

The latest challenger to pump.fun in the last week is Believe, a viral token launchpad. Believe is pump with a marketing twist: The team targets traditional Web2 startup founders to fundraise by launching tokens with a simple tweet.

As seen in the chart above, Believe burst in usage on May 13, amassing about 32% ($724m) market share of daily trading volumes, though it has tapered off to 14% ($88m) today. 

Believe is positioned rather strangely. If you look at its Twitter, the team proudly promotes the various legitimate companies (with recurring revenue streams or active users, see Giggles, Ninja or AfterHour) that have launched tokens. This, along with its anti-VC marketing, strongly insinuates that tokens resemble some kind of equity-like asset — why else would one buy a token unless they have legitimate claims on the underlying value of the company?

Yet, surely no one trading these tokens seriously believes they are anything more than memecoins. And if you look on its website, the team reminds founders that their tokens “must never represent equity” or “promise or imply financial returns.”

Does Believe want to be a memecoin launchpad, or a fundraising platform? I don’t know.

In response to the glut of tokens launched as pure memes, Believe announced yesterday that it would suspend its “launch via Twitter” feature and that it would block “purely extractive” tokens from claiming fees.

— Donovan Choy

Brought to you by:

Build on Algorand with AlgoKit 3.0 — code smart contracts in TypeScript or Python, leverage visual debugging, and deploy with ease.

Enjoy instant finality (under 3 seconds), no forks, and ultra-low, predictable fees (~0.001 ALGO/tx).

Modern tools, seamless onboarding, and reliable infrastructure make development frictionless. Start building with AlgoKit.

Exploit tests Sui’s security, decentralization

Sui’s largest decentralized exchange, Cetus, was exploited on May 22 for over $220 million — the most severe DeFi incident in the network’s short history. It raised difficult questions about validator power, decentralization and reactive governance.

The attacker exploited faulty math in Cetus’ smart contracts by using spoofed tokens and miscalculated liquidity ratios. By injecting near-zero value assets into pools and then withdrawing large amounts of real tokens like SUI and USDC, the exploiter drained about $223 million before the protocol was paused. As Mysten Labs co-founder Adeniyi Abiodun clarified in an X space, “it’s not a bug in Sui consensus, it’s not a bug in Move,” thus isolating the issue to Cetus’ application logic.

But the response drew nearly as much attention as the attack itself. In coordination with the Sui Foundation, validators quickly updated a configuration file in the code powering the network, tailored to reject transactions from the attacker’s wallet. This off-chain coordination didn’t require a vote or protocol-level upgrade, but has resulted in $160m in stolen assets being frozen.

A brief GitHub pull request from Mysten Labs proposed going a step further: adding an “allow list” feature to execute a pre-chosen “recovery” transaction that would bypass signature checks. The PR was withdrawn within hours after community backlash, and validators have so far limited their action to censorship, not confiscation. Blockworks contacted Mysten Labs for details, but has yet to hear back.

Still, the episode has reopened a fundamental debate about decentralization: Should a blockchain’s validators ever freeze or seize funds, even in cases of clear theft?

Critics argue that such ad hoc measures threaten Sui’s credibility as a decentralized base layer. “Taking a heavily opinionated stance to censor due to a third-party app exploit is a slippery slope,” warned Blockworks Advisory’s David Rodriguez. Others pointed out the danger of setting a precedent that could be abused in future incidents — or compelled by regulators.

Without onchain checks or governance processes, any validator coordination hinges entirely on informal consensus and the economic gravity of Sui Foundation signals. After all, validators require a 30 million SUI bond, so strong suggestions from on high might well be the same as “a $114m gun pointing at their heads.”

Move is not a silver bullet

The incident also exposed broader risk beyond Cetus. According to security firm Verichains, three other major Sui protocols — Kriya, FlowX and Turbo Finance — were previously vulnerable to the same math flaw exploited from the latest attack. While Kriya and FlowX patched their contracts, Verichains warned that Turbo Finance still contains the vulnerable code, albeit not actively in use.

“Dead code is not safe code,” Verichains mused.

Verichains’ findings reinforce the idea that while Move-based smart contracts and VM offer stronger technical primitives, in practice, security still depends on shared libraries, developer diligence and tooling maturity.

Looking ahead, several developers and researchers have called for a formal, transparent policy on validator powers and emergency responses.

Aave governance lead Marc Zeller expressed the view that the centralized powers on display would make DeFi protocols wary, writing “[you] can be sure Aave will never deploy on Sui.”

Sui may have preserved some value this time (the hacker still exfiltrated some $60 million), but its long-term reputation will depend on whether it can set clear limits — and build credible neutrality — into the system itself.

Tokenized equities

Source: rwa.xyz

Of the various types of tokenized RWAs (private credit, commodities, T-bills, equities), equities make up the smallest share, at about $15m TVL today. That wasn’t always the case, though, as you can see above. Tokenized stocks (albeit algorithmic synthetic assets) peaked at $4.5b TVL in the last bull market, largely thanks to Mirror on the Terra blockchain and Synthetix.

Kraken announced yesterday a partnership with Backed Finance to launch “xStocks,” a new offering for tokenized equities trading on Solana and on CEXs. Backed’s bCSPX, a tokenized S&P 500 ETF, is both permissionless and regulatory-compliant on the Gnosis Chain.

I asked Backed Finance’s co-founder Adam Levi why anyone would like to use this product. Here’s his response:

“The biggest value proposition of xStocks is onchain access to real, fully collateralized tokens — issued under a fully compliant, regulated framework. xStocks opens up equity markets to users who’ve historically been locked out — whether due to geography, capital controls or lack of brokerage infrastructure. Combined with 24/7 trading, fast settlement and composability with other DeFi services, xStocks offers a truly modern financial product: globally accessible, regulatorily sound and blockchain-native.”

— Donovan Choy