Jessy, Jinse Finance
On May 22, the Sui ecosystem DEX Cetus was hacked for $223 million. Only $60 million was exchanged to ETH through a cross-chain bridge and entered the hacker's wallet, while the remaining $162 million was frozen by nodes coordinated by the Sui Foundation.
On May 27, a community vote was initiated to "decide whether to implement a protocol upgrade to recover funds frozen in the hacker-controlled account". The protocol upgrade was ultimately successful, and $162 million was recovered.
The Sui Foundation's rapid response and quick solution to this theft sparked significant controversy in the community. On one hand, it recovered most of the funds and protected the interests of the users whose assets were stolen; on the other hand, the recovery method involved forcibly changing asset ownership through node consensus, marking the first "asset transfer without private key" at the public chain level.
Set against user interests, the fact that this operation so boldly defied the "spirit of decentralization" was overlooked.
How was asset transfer without private key achieved?
On May 22, the Sui ecosystem DEX Cetus was hacked because of a low-level error in its own code, losing $223 million. After the incident, $162 million of the stolen funds was frozen by verification nodes coordinated by the Sui Foundation.
On May 27, the Sui Foundation promoted a community vote to decide whether to implement a protocol upgrade to recover the funds frozen in the hacker-controlled account. Ultimately, within 48 hours, 114 nodes participated in voting, with 103 nodes voting: 99 supporting, 2 opposing, and 2 abstaining, so the proposal passed with a high 90.9% vote.
Passing the proposal meant a Sui protocol upgrade that would allow a specific address to act on behalf of the hacker's address for two transactions in order to recover the funds. These transactions would be designed and published after the recovery address was finalized. Recovered assets would be stored in a multi-signature wallet controlled by Cetus, the Sui Foundation, and OtterSec, the trusted auditor from the Sui community.
At the protocol upgrade level, an `address aliasing` function was introduced, which pre-defines rules in the protocol itself: specific governance operations are presented as a "legitimate signature of the hacker's account", and after the upgrade the verification nodes recognize this forged signature, which legitimizes the transfer of the frozen funds. This makes it possible to forcibly modify asset ownership through node consensus without touching the private key (similar to a central bank freezing a bank account and transferring the funds).
How was the initial asset freezing achieved? Sui itself supports `Deny list` and `Regulated tokens` functions, so in this case the freezing interface was called directly to lock the hacker's address.
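The aliasing rule described above can be modeled in a few lines. This is an added, simplified sketch and not Sui's code: the `AliasRule` structure, the function names, the addresses and the transaction payloads are all hypothetical, and signature verification is abstracted to a `signer` address. It also shows the check an observer would run to confirm a rule stays within the scope that was voted on (one address, two transactions).

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class AliasRule:                # hypothetical structure, not Sui's schema
    original: str               # address whose assets are moved
    alias: str                  # address accepted as signer in its place
    allowed_digests: frozenset  # the only transactions the rule covers

def tx_digest(sender: str, payload: str) -> str:
    return hashlib.sha256(f"{sender}|{payload}".encode()).hexdigest()

def authorize(sender, signer, payload, rules=()):
    """Return why a transaction is accepted, or None if it is rejected.
    `signer` stands for the address whose key produced a valid signature."""
    if signer == sender:
        return "owner-signature"
    digest = tx_digest(sender, payload)
    for r in rules:
        if (r.original, r.alias) == (sender, signer) and digest in r.allowed_digests:
            return "protocol-alias"
    return None

def audit(rules, voted_original, voted_alias, max_txs=2):
    """List every way the configured rules exceed what was voted on."""
    findings = []
    for r in rules:
        if r.original != voted_original:
            findings.append(f"rule covers unvoted address {r.original}")
        if r.alias != voted_alias:
            findings.append(f"unexpected signer {r.alias}")
        if not 0 < len(r.allowed_digests) <= max_txs:
            findings.append(f"rule allows {len(r.allowed_digests)} transactions")
    return findings

# Constructed sample values; none are real addresses or transactions.
HACKER, RECOVERY, BYSTANDER = "0xHACKER", "0xRECOVERY", "0xBYSTANDER"
RECOVERY_TXS = ["move frozen coins to multisig #1", "move frozen coins to multisig #2"]
RULES = [AliasRule(HACKER, RECOVERY,
                   frozenset(tx_digest(HACKER, p) for p in RECOVERY_TXS))]

if __name__ == "__main__":
    print(authorize(HACKER, RECOVERY, RECOVERY_TXS[0], RULES))     # alias path
    print(authorize(HACKER, RECOVERY, "drain everything", RULES))  # rejected
    print(audit(RULES, HACKER, RECOVERY))                          # no findings
```

In this model the only thing separating a narrow recovery rule from a general override is the content of the rule list, which is why the scope of each rule is the part worth auditing.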
The technical vulnerabilities left behind for authoritarian intervention
Although this recovered most of the frozen assets, it inevitably raises concerns. The protocol upgrade, which forcibly modified asset ownership through node consensus, also implies that Sui officials can replace any address's signature and transfer its assets.
What constrains whether Sui officials can do this is not smart contract code but node voting rights. Who controls the node voting results? Essentially, it's the large nodes controlled by the foundation's capital! In other words, Sui's stakeholders hold the greatest say, and even the voting is merely a formality.
User private keys are no longer the absolute proof of control over assets. As long as node consensus agrees, the protocol layer can directly override private key permissions.
On the other hand, this achieved efficient asset recovery, with quick asset freezing benefiting from Sui's built-in regulatory functions and enabling rapid loss prevention. The voting was completed and protocol upgrade implemented within 48 hours.
However, in the author's view, the `address aliasing` function creates a dangerous precedent: the protocol layer can forge "legitimate operations" for any address, laying the groundwork for authoritarian intervention.
This series of Sui fund recovery operations is merely a choice to prioritize user interests when they conflict with decentralization principles. For both users and Sui, whether this violates decentralization principles seems unimportant, as they can always respond that it was "decided by vote" when challenged.