Funds stolen from Cetus recovered "Decentralization" concessions for user interests

Jessy, Golden Finance

On May 22, the Sui ecosystem DEX Cetus was hacked, resulting in the theft of $223 million. Of this amount, only $60 million was exchanged for ETH through a cross-chain bridge and went into the hacker’s pocket, while the remaining $162 million was frozen by the Sui Foundation coordinating nodes.

On May 27, the community vote was initiated to decide whether to implement the protocol upgrade to recover the funds frozen in the hacker-controlled accounts. Ultimately, the protocol upgrade was realized, and 162 million in funds were successfully recovered.

The Sui Foundation’s rapid response to the recent theft incident and the prompt solution it launched have sparked considerable controversy within the community. On one hand, it has recovered most of the funds, safeguarding the interests of the stolen users; on the other hand, the method of recovery involved forcibly modifying asset ownership through node consensus, marking the first implementation of “keyless asset transfer” at the public chain layer.

In the face of user interests, this “bold” operation that goes against the “spirit of decentralization” has been overlooked.

How is asset transfer without a private key achieved?

On May 22, the Sui ecosystem DEX Cetus was attacked by hackers due to a low-level coding mistake, resulting in a loss of $223 million. After the incident, $162 million of the stolen funds were frozen by the Sui Foundation coordinating with validating nodes.

On May 27th, the Sui Foundation promoted a community vote, aiming to decide whether to implement a protocol upgrade to recover funds frozen in accounts controlled by hackers. Ultimately, within 48 hours, 114 nodes participated, with 103 voting, resulting in 99 votes in favor, 2 against, and 2 abstentions, achieving a high approval rate of 90.9% for the proposal.

The proposal also signifies an upgrade to the Sui protocol, which will allow a specific address to represent the hacker’s address for two transactions to facilitate the recovery of funds. These transactions will be designed and announced after the recovery address is finalized. The recovered assets will be stored in a multi-signature wallet controlled by OtterSec, a trusted auditor within Cetus, the Sui Foundation, and the Sui community.

In terms of protocol upgrades, the address aliasing function is introduced. Specifically, rules are defined in advance at the protocol layer: certain governance operations are disguised as “legitimate signatures of hacker accounts,” and then the validating nodes recognize the forged signature after the upgrade, legalizing the transfer of frozen funds. This allows for the forced modification of asset ownership through node consensus without touching the private keys (similar to how a central bank transfers funds after freezing a bank account).

How were the earliest frozen assets achieved? Sui itself supports the functionality of Deny list and Regulated tokens, and this time it directly called the freezing interface to lock the hacker’s address.

The Technical Risks of Remaining Authoritarian Interventions

Although this move has recovered most of the frozen assets, it inevitably raises concerns, as the upgrade of the protocol has forcibly modified the ownership of the assets through node consensus, which also indicates that the Sui official can replace any address for signing, thus transferring the assets inside.

The constraint on whether the Sui officials can do this is not the smart contract code, but the voting rights of the nodes. And who holds the results of the node voting? It is merely the large nodes controlled by the foundation with capital! In other words, the stakeholders of the Sui officials hold the greatest say, and even the voting is just a formality.

The user’s private key is no longer an absolute proof of control over assets; as long as the node consensus agrees, the protocol layer can directly override private key permissions.

On the other hand, this achieves an efficient asset recovery and rapid freezing of assets, thanks to the built-in regulatory functions of Sui, which allows for quick loss mitigation; voting was completed within 48 hours, and the protocol upgrade was implemented.

However, in the author’s opinion, the address aliasing function has set a dangerous precedent - the protocol layer can forge “legitimate operations” for any address, laying a technological groundwork for authoritarian intervention.

The series of operations to recover funds by Sui this time is merely a decision made by the public chain from the perspective of user interests when user benefits conflict with the principles of decentralization. As for whether it violates the principle of decentralization, it seems irrelevant for both users and Sui, after all, they can always respond to questioning by saying it was a “voted” decision.