SUI’s Dilemma: Decentralization or Security?

Foreword

Cryptocurrency is supposed to be free from centralized control—money that no one can freeze or control.

Last week, Sui’s Cetus protocol suffered a $223 million attack, and the team urgently froze $162 million in funds, but it also sparked a fierce debate: If the blockchain can suspend your funds, is cryptocurrency really as unstoppable as it claims?

Here’s the story of crypto’s latest “decentralization” farce:

• How fake tokens evaporated $223 million in ten minutes

• The controversial fund freeze that saved users but sparked outrage

• Why this team’s second major hack feels familiar

• Sui’s $10 million security overhaul (and why it might not be enough)

The ten-minute debacle

The morning of May 22 seemed like just another day for Sui, until something changed. Then, all hell broke loose.

Cetus Protocol, Sui’s largest decentralized exchange with a daily trading volume of over $200 million, lost $223 million in a few minutes. The attack was incredibly efficient.

The disaster broke out in an instant:

• The main meme coins LOFI, HIPPO and SQUIRT on the SUI chain plummeted by more than 75% in one hour.

• Cetus Protocol’s native token $CETUS has fallen by 53% in the past four days.

Source: TradingView

The attack? Simple but deadly.

The hackers deployed fake tokens (essentially digital Monopoly game currency) to Cetus and exploited a vulnerability in Cetus' smart contract to trick the protocol into thinking these worthless tokens had real value.

In short, "Imagine you go to a toy exchange and bring some fake toys that look valuable but are actually worthless, and then you trade them for real toys and run away," explained Manan Vora, head of cryptocurrency custody company Liminal.

Centralized Freeze

Here’s where the story gets controversial.

Within hours, Sui’s 114 validators — the nodes that run the network — collectively decided to freeze the hacker’s addresses. No vote. No governance proposal. Just like any governance decision made by a centralized institution. Do you see the irony?

The result? $162 million saved. And at what cost? Outraged all the advocates of decentralization.

Justin Bons of European crypto fund Cyber ​​Capital led the opposition to the move.

Source: Twitter user - Justin_Bons

The data reveals the cruel facts:

• Sui's verification nodes: 114

• Ethereum's verification nodes: over 1 million

• Solana's verification nodes: 1153

When 114 The fact that two entities were able to coordinate the freezing of funds, even for legitimate reasons, raises uneasy questions about what “decentralization” really means.

A familiar defense

This isn’t the first time Cetus has pulled this kind of stunt—and that’s not a compliment.

The same team ran Solana’s Crema Finance exchange, which was hacked for $9 million in July 2022. Their response? Offering the hacker $1.6 million to return the funds. The hacker ultimately accepted the deal, but allegedly ended up in jail anyway (the details of the case match up, but have never been officially confirmed).

Now, facing a hacker attack 25 times larger than the previous one, the Cetus team has resorted to the same old trick and proposed a time-limited settlement plan:

• Plan: Return $217 million and retain $6 million

• Terms: No prosecution, no further questioning

• Deadline: 48 hours, otherwise "legal action will be taken"

But the crypto community is not buying it. One user summed it up: “Same team, same bug, different blockchain. How many chances do they have?”

Crisis Control Mode

When the dust settled, the data painted a grim picture:

• Total Value Locked (TVL): $2.1B to $1.7B (down 20%)

• SUI Tokens: Down ~15%

• Trading Volume: All Sui DEXes Collapsed

• User Confidence: Comments on Twitter Were Relentless

Source: DefiLlama

Sui’s response was divided into two parts.

First, they pledged to invest $10 million in comprehensive security reforms:

• Strengthen smart contract audits

• Increase vulnerability bounty programs

• Introduce formal verification tools

• Developer security training

• Open source security libraries

Second, they announced a shift from "platform responsibility" to "shared responsibility." Translated, it means: We can't do everything, developers have to take responsibility too.

Noble? Yes. Is it enough? The market has given the answer.

On Monday, the CETUS token rebounded 10%, from a complete collapse to just a heavy blow. But the technical challenges are far deeper than price issues.

The attack exposed fundamental problems:

• Insufficient liquidity: It is inevitable that prices will fluctuate wildly

• Oracle vulnerability: The "culprit" that triggered it all

• Cross-chain risk: Once funds flow into Ethereum, the game is over

Now Cetus has fixed the immediate vulnerability, but restoring confidence is not as easy as code.

So what should they do next?

Our View

This hack is not just about stolen funds, it’s about the identity crisis of cryptocurrency.

The decentralization paradox: Sui’s validator nodes saved $162 million through coordinated action, proving the effectiveness of the system. However, it also proves that 114 entities can effectively control a network of ecosystems that are supposed to be decentralized. This is not the censorship-resistant freedom that Satoshi or any decentralization advocate dreamed of. Instead, it’s more like a community patrol with nuclear weapons. Is it effective? Yes. Is it decentralized? That’s becoming a relative concept.

Competence question: When the same team suffers two major hacks with similar attack methods, it’s no longer bad luck, but a pattern. The crypto industry has been very tolerant of technical mistakes, but Cetus is challenging the bottom line of this tolerance. Their $6 million bounty may recover funds, but it won’t restore reputations. At some point, it’s no longer acceptable to say, “We’ll do better next time.”

A test of maturity: Sui’s pledge of $10 million in security overhauls and a “shared responsibility” model show growth potential. But it’s reactive, not proactive. What matters is whether the blockchain network can quickly mature enough to handle institutional money. With total locked volume falling and trust wavering, Sui is no longer just fighting a technical bug; they’re also fighting for their place in an increasingly competitive L1 landscape.

An uncomfortable truth exposed by this hack? Perfect decentralization may be incompatible with user protection. Sui chose protection. Ethereum ultimately chose purity. Bitcoin never had to choose.

Sui is facing a critical decision: whether to conduct an on-chain vote to return the frozen funds. If this sounds familiar, it’s because Ethereum faced the same decision after the 2016 DAO hack. Their decision to fork still divides the community to this day.

Meanwhile, the hackers still control over $60 million in funds on Ethereum. The Cetus bounty deadline is approaching. Will they take the $6 million and run, or risk it all?

The industry is watching Sui’s next move. For now, the “code is law” extremists are losing to the “users want their money back” pragmatists.