- Pin
- #Over 100 Companies Hold Over 830,000 BTC#
According to reports as of June 19, more than 100 companies collectively hold over 830,000 BTC, worth about $86.476 billion.
💬 Do you think Bitcoin will become a new norm for corporate asset allocation? How might this impact Bitcoin’s price? What’s your recent BTC trading strategy? Post to share your price predictions, market analysis, and strategies with us using the topic tag!
🎁 Meanwhile, Gate’s BTC Staking event is in full swing! Simply stake your BTC and earn up to 3% APY. Click the link to start staking and enjoy your earnings: https://ww - 🏁 Gate Red Bull Racing Tour 2025 In Full Swing!
Up to now, the total trading volume exceeded $2 billion, with top trader trading volume nearing $200 million
Join the race now & fuel your trades for real-world rewards:
✅ 5,000 GT Prize Pool
✅ VIP Seat at an F1 Grand Prix
✅ Futures Vouchers for New Signups
Start your engines & trade fast
Top the leaderboards. The Race is ON!
👉 Go Now: www.gate.com/competition/f1rb/s1
#GateRedBullRacingTour# - 📢 Gate releases its latest Reserve Audit Report!
💰 Total reserves: $10.453B
🟢 Excess reserves: $1.96B — ensuring full coverage and extra security for user assets.
Gate continues to uphold 100% proof-of-reserves and full transparency.
🔗 Read the full report: https://www.gate.com/zh/announcements/article/45617
The hacker stole the money, so can Sui rob it?
Preface
This event is a victory for capital, not for users, and is a regression for industry development.
Bitcoin to the left, Sui to the right, every shake in the decentralized industry brings a stronger belief in Bitcoin.
The world needs more than just a better global financial infrastructure; there will always be a group of people who need a space of freedom.
Once upon a time, consortium chains were more popular than public chains because they met the regulatory needs of that era. Today, the decline of consortiums actually means that merely complying with this demand is not the true demand of real users. What about the users lost to regulation? What regulatory tools are needed then?
1. Event Background
On May 22, 2025, the largest decentralized exchange of the Sui public chain ecosystem, (DEX) Cetus, was hacked, causing an immediate drop in liquidity, a collapse in prices of multiple trading pairs, and losses exceeding 220 million dollars.
As of the time of publication, the timeline is as follows:
2. Attack Principle
Regarding the principles of the event, there have been multiple statements in the industry; here is only a brief overview of the core principles:
From the perspective of the attack process:
The attacker first used a flash loan to borrow about 10,024,321.28 haSUI, instantly causing the price in the trading pool to drop.
99.90%. This massive sell order caused the target pool price to drop from approximately 1.8956×10^19 to 1.8425×10^19, nearly clearing it out.
Subsequently, the attacker created a liquidity position on Cetus within a very narrow range (Tick lower limit 300000, upper limit 300200, with a range width of only 1.00496621%). Such a narrow range amplifies the impact of subsequent calculation errors on the required number of tokens.
Core principle of attack:
There is an integer overflow vulnerability in the get_delta_a function used by Cetus to calculate the required number of tokens. An attacker deliberately claims to add a huge liquidity (approximately 10^37 units) but actually only contributes 1 token to the contract.
Due to an error in the overflow detection condition of checked_shlw, the contract experienced a high-bit truncation during the left shift calculation, which led the system to severely underestimate the required amount of haSUI, thus obtaining a massive liquidity at a minimal cost.
Technically, the aforementioned vulnerability stems from Cetus using incorrect masks and judgment conditions in the Move smart contract, allowing any value less than 0xffffffffffffffff << 192 to bypass detection; while the high-order data is truncated after shifting 64 bits to the left, the system considers that it has obtained significant liquidity with only a minimal amount of tokens.
After the incident occurred, two official operations emerged: "Freeze" vs "Recover", they are two stages:
3. The Freezing Mechanism of Sui
The Sui chain itself has a special Deny List mechanism ( that implements the freezing of funds from this hack. Not only that, the Sui token standard also has a "regulated token" model, which comes with a built-in freezing function.
This emergency freeze takes advantage of this feature: validator nodes quickly added the addresses related to the stolen funds in their local configuration files. In theory, each node operator can modify
TransactionDenyConfigto update the blacklist on their own, but to ensure network consistency, the Sui Foundation, as the initial configuration publisher, coordinated centrally.The foundation first officially released a configuration update containing the hacker's address, allowing validators to synchronize and take effect based on the default configuration, thereby temporarily "sealing" the hacker's funds on the chain. However, there are actually significant centralization factors behind this.
In order to rescue the victims from the frozen funds, the Sui team immediately launched the whitelist )Whitelist( mechanism patch.
This is an operation for subsequent fund returns. Legal transactions can be pre-constructed and registered in the whitelist, and even if the fund address is still on the blacklist, it can be enforced.
This new feature
transaction\_allow\_list\_skip\_all\_checksallows specific transactions to be pre-added to the "exemption list," enabling these transactions to bypass all security checks, including signatures, permissions, blacklists, etc.It should be noted that the whitelist patch does not directly seize the hacker's assets; it merely grants certain transactions the ability to bypass freezing, and the actual asset transfer still requires a legitimate signature or additional system permission module to complete.
In fact, mainstream freezing solutions in the industry often occur at the token contract level and are controlled by multi-signatures from the issuer.
Taking USDT issued by Tether as an example, its contract includes a blacklist function, allowing the issuing company to freeze non-compliant addresses, preventing them from transferring USDT. This solution requires a multi-signature to initiate a freeze request on the chain, and it is only executed after the multi-signatures reach a consensus, resulting in execution delays.
Although the Tether freeze mechanism is effective, statistics show that multi-signature processes often have "window periods" that provide opportunities for criminals.
In contrast, the freezing of Sui occurs at the underlying protocol level, operated collectively by validator nodes, and executes much faster than ordinary contract calls.
In this model, to execute fast enough, it means that the management of these validator nodes themselves must be highly unified.
4. The Mechanism of Sui's "Transfer-based Recycling"
Even more astonishing is that Sui not only froze the hacker's assets but also plans to recover the stolen funds through an on-chain upgrade called "Transfer Recovery."
On May 27, Cetus proposed a community voting plan to upgrade the protocol and transfer the frozen funds to a multi-signature escrow wallet. The Sui Foundation then initiated an on-chain governance vote.
On May 29, the voting results were announced, with approximately 90.9% of weighted validators supporting the proposal. Sui officially announced that once the proposal is passed, "all funds frozen in the two hacker accounts will be recovered to a multi-signature wallet without the need for hacker signatures."
No hacker signatures are required; what a unique feature, this kind of fix has never existed in the blockchain industry.
From the Sui official GitHub PR, it can be seen that the protocol introduces the address aliasing )address aliasing( mechanism. The upgrade includes: pre-specifying alias rules in
ProtocolConfig, allowing certain permitted transactions to treat valid signatures as being sent from hacker accounts.Specifically, the list of rescue transaction hashes to be executed is bound to the target address (i.e., the hacker address). Any executor who signs and publishes these fixed transaction summaries is regarded as a valid owner of the hacker address initiating the transaction. For these specific transactions, the validator node system will bypass the Deny List check.
From the code level, Sui has added the following judgment in the transaction verification logic: when a transaction is intercepted by the blacklist, the system traverses its signers to check whether
protocol\_config.is\_tx\_allowed\_via\_aliasing)sender, signer, tx\_digest(is true.As long as there is a signer that meets the alias rules, this transaction marked as allowed to pass will ignore the previous interception errors and continue to be packaged and executed normally.
5. Opinion
) 160 million, tearing open the deepest underlying beliefs of the industry
The Cetus incident, from my personal perspective, may pass quickly, but this model will not be forgotten because it has subverted the foundations of the industry and broken the traditional consensus of immutability of blockchain under the same ledger.
In blockchain design, contracts are the law, and code is the referee.
But in this incident, the pattern of "code failure, governance intervention, and power overriding, resulting in voting behavior adjudicating the code outcomes" was formed.
The reason is that Sui's approach of directly appropriating transactions this time is vastly different from how mainstream blockchains handle hacking issues.
This is not the first time of "manipulating consensus," but it is the quietest one.
Historically:
This is the same hard fork model, rolling back the ledger to before the issue, and then users can still decide for themselves under which ledger system to continue using.
Compared to DAO hard forks, Sui did not choose to split the chain, but instead precisely addressed this event through protocol upgrades and configuration aliases. By doing this, Sui maintained the continuity of the chain and most consensus rules unchanged, while also indicating that the underlying protocol can be used to implement targeted "rescue actions."
The problem is that historical "fork rollbacks" are a choice made by users; Sui's "protocol corrections" are decisions made for you by the chain.
Not Your Key, Not Your Coin? I’m afraid Not Anymore.
In the long run, this means that the concept of “Not your keys, not your coins” is undermined on the Sui chain: even if the user's private key is intact, the network can still prevent asset movement and redirect assets through collective protocol changes.
If this becomes a precedent for blockchain in dealing with major security incidents in the future, and even be considered a practice that can be adhered to again.
"When a chain can break the rules for justice, it has also set a precedent for breaking any rule."
Once there is a successful instance of "public welfare money grabbing," the next time it may involve operations in the "moral gray area."
What will happen?
If hackers really stole the user's money, can a group vote take away his money?
Is the voting based on who has more money (pos) or more people? If it's the one with more money who wins, then the ultimate producer described by Liu Cixin will soon arrive. If it's the one with more people who wins, then the chaotic crowd will also make their voices heard.
In traditional systems, it is very common for illegal gains not to be protected, and freezing and transferring are routine operations of traditional banks.
But from a technical theoretical standpoint, this cannot be achieved, isn't that the root of the blockchain industry's development?
The regulatory stick in the industry is continuing to ferment. Today, accounts can be frozen and balances modified for the sake of hackers, and tomorrow, arbitrary modifications can be made for geopolitical or conflict-related reasons. If the chain becomes a regional tool.
The value of that industry has been significantly compressed, at best it's just another set of a more cumbersome financial system.
This is also the reason why I firmly believe in the industry: "Blockchain has value not because it cannot be frozen, but because even if you hate it, it does not change for you."
With the trend of regulation, can the chain maintain its own soul?
Once upon a time, consortium chains were more popular than public chains, mainly because they met the regulatory needs of that era. Today, the decline of consortiums actually signifies that merely complying with these needs does not reflect the true demands of users. The lost users under regulation raise the question of what regulatory tools are needed.
From the perspective of industry development
"Efficient centralization", is it a necessary stage in the development of blockchain? If the ultimate goal of decentralization is to protect user interests, can we tolerate centralization as a transitional means?
The term "democracy" in the context of on-chain governance is actually token weighted. So if a hacker holds a large amount of SUI (or if one day a DAO is hacked and the hacker controls the voting power), can they also "legally vote to clear their name"?
Ultimately, the value of blockchain lies not in whether it can be frozen, but in the choice not to do so even when the group has the ability to freeze.
The future of a chain is determined not by its technical architecture, but by the set of beliefs it chooses to uphold.