Cetus recovered stolen funds "Decentralization" concessions benefit users

Jessy, Golden Finance

On May 22, the Sui ecosystem DEX Cetus was hacked for $223 million. Of this, only $60 million was exchanged for ETH through a cross-chain bridge and entered the hacker’s wallet, while the remaining $162 million was frozen by nodes coordinated by the Sui Foundation.

On May 27, the community voting began, “to decide whether to implement the protocol upgrade to recover the funds frozen in accounts controlled by hackers.” The protocol upgrade was ultimately successful, and 162 million in funds were successfully recovered.

The Sui Foundation’s quick response to the recent theft incident and the rapid deployment of a solution has sparked significant controversy within the community. On one hand, it has recovered most of the funds, ensuring the interests of the affected users; on the other hand, the method of recovery involved forcibly altering asset ownership through node consensus, marking the first implementation of “keyless asset transfer” at the blockchain level.

In the face of users’ interests, this “bold” operation that goes against the “spirit of decentralization” has been overlooked.

How is asset transfer without private keys achieved?

On May 22, the Sui ecosystem DEX Cetus was hacked due to a low-level code error, resulting in a loss of $223 million. After the incident, $162 million of the stolen funds were frozen by the Sui Foundation coordinating with validation nodes.

On May 27, the Sui Foundation promoted a community vote, aimed at deciding whether to implement a protocol upgrade to recover funds frozen in accounts under hacker control. Ultimately, within 48 hours, 114 nodes participated, with 103 casting votes: 99 in favor, 2 against, and 2 abstentions, resulting in a proposal passing with a high approval rate of 90.9%.

The proposal also signifies an upgrade to the Sui protocol, which will allow a specific address to represent the hacker address for two transactions to facilitate the recovery of funds. These transactions will be designed and announced after the recovery address is finalized. The recovered assets will be stored in a multi-signature wallet controlled by Cetus, the Sui Foundation, and a trusted auditor OtterSec within the Sui community.

On the protocol upgrade level, the function of address aliasing is introduced. Specifically, rules are predefined at the protocol layer: certain governance operations are disguised as “legitimate signatures of hacker accounts,” and then the verification nodes recognize this forged signature after the upgrade, legitimizing the transfer of frozen funds. This allows for the forced modification of asset ownership through node consensus without touching the private key (similar to the central bank freezing a bank account and transferring funds).

So how was the earliest frozen assets realized? Sui itself supports the Deny list (frozen list) and Regulated tokens (regulated tokens) functionalities, and this time it directly called the freezing interface to lock the hacker’s address.

The technical risks of left-behind authoritarian interventions

Although this move has recovered most of the frozen assets, it also raises concerns because the upgrade of the protocol has forcibly modified the ownership of the assets through node consensus, which also suggests that the Sui officials can replace any address for signing, thereby transferring the assets contained within.

Whether the Sui official can do this is not determined by the smart contract code, but by the voting rights of the nodes. And who holds the results of the node voting? It is simply the large nodes controlled by the capital of the foundation! In other words, the stakeholders of the Sui official hold the greatest say, and even if there is voting, it is merely a formality.

The user’s private key is no longer an absolute proof of control over assets; as long as the node consensus agrees, the protocol layer can directly override the permissions of the private key.

On the other hand, this achieves an efficient asset recovery, allowing for the rapid freezing of assets, thanks to the built-in regulatory features of Sui, which can also quickly stop losses. Voting was completed within 48 hours, and the protocol upgrade was implemented.

However, in the author’s view, the address aliasing function has set a dangerous precedent—at the protocol level, it can forge any address’s “legitimate operation,” which lays the technical groundwork for authoritarian intervention.

The series of operations to recover funds by Sui this time was simply a decision made by the public chain to prioritize user interests when there was a conflict with the principles of decentralization. Whether this contradicts the principle of decentralization seems unimportant to both users and Sui, after all, they can respond to skepticism by stating that it was a “vote” that decided.