
How did Sui "freeze" the hacker's address, is decentralization a lie?

2025-05-23 11:05
Original Author: Haotian, Crypto Researcher


Many people are puzzled by how, after the hack of @CetusProtocol, Sui's validator network coordinated a "freeze" on the hacker's address, recovering $160 million, as officially stated. How was this achieved? Is decentralization indeed a "lie"? Below, let's attempt an analysis from a technical perspective:


· Portion Transferred via Cross-chain Bridge: After the successful hack, the hacker immediately used a cross-chain bridge to transfer some assets like USDC to other chains such as Ethereum. This portion of the funds cannot be recovered because once they leave the Sui ecosystem, validators are powerless.


· Portion Still on the Sui Chain: A significant amount of stolen funds still resides in the hacker-controlled Sui address. This portion of the funds became the target of the "freeze."

According to the official announcement, "a large number of validators identified the stolen funds addresses and are ignoring transactions on these addresses."


——How was this specifically accomplished?


1. Validator-Level Transaction Filtering—Essentially, validators collectively "turn a blind eye":


- Validators directly ignore transactions from the hacker's address at the transaction pool (mempool) stage;
- These transactions are technically valid but simply not included in blocks;
- The hacker's funds are thus "imprisoned" in the address;


2. Key Mechanism of Move's Object Model—The Move language's object model makes this "freeze" feasible:


- Transfers must be on-chain: Although the hacker controls a substantial amount of assets in the Sui address, to transfer these objects like USDC, SUI, etc., a transaction must be initiated and confirmed by validators;
- Validators have the ultimate power: By refusing to include transactions, the objects remain motionless;
- Result: The hacker nominally "owns" these assets, but practically has no way to access them.


It's akin to having a bank card but all ATMs refuse to serve you. The money is in the card, but you can't withdraw it. With continued monitoring and intervention by SUI validator nodes (ATMs), the SUI and other tokens in the hacker's address are unable to circulate. These stolen funds are now akin to being "burned," objectively contributing to a form of "deflation"?


Of course, besides temporary validator coordination, Sui may have implemented a deny list feature at the system level. If indeed so, the process could be: relevant authorities (such as Sui Foundation or through governance) add the hacker's address to the system's deny list, and validators abide by this system rule, refusing to process transactions involving blacklisted addresses.
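
A toy model of the validator-level filtering and deny list described above, added here as an illustration (it is not Sui's code and not part of the original article). The validator names, stakes, placeholder addresses and the more-than-2/3 stake quorum are assumptions; the model shows the object staying with the deny-listed owner while other users' transfers still execute.

```python
from dataclasses import dataclass, field
from fractions import Fraction

# Assumption: a transaction needs signatures from more than 2/3 of total stake
# (BFT-style quorum). The article does not state Sui's actual threshold.
QUORUM = Fraction(2, 3)

@dataclass
class Validator:
    name: str
    stake: int
    deny_list: set = field(default_factory=set)  # addresses this validator ignores

    def will_sign(self, tx):
        # Filtering happens before execution: the tx is valid, just ignored.
        return tx["sender"] not in self.deny_list

def submit(ledger, validators, tx, quorum=QUORUM):
    """Transfer tx['object'] to tx['recipient'] if enough stake signs."""
    if ledger.get(tx["object"]) != tx["sender"]:
        return "invalid"                      # sender does not own the object
    total = sum(v.stake for v in validators)
    signed = sum(v.stake for v in validators if v.will_sign(tx))
    if Fraction(signed, total) <= quorum:
        return "stuck"                        # valid, but never certified
    ledger[tx["object"]] = tx["recipient"]    # ownership changes only on-chain
    return "executed"

def demo(filtering_names):
    """Constructed scenario: five validators, 100 units of stake in total."""
    stakes = {"v1": 30, "v2": 25, "v3": 20, "v4": 15, "v5": 10}
    validators = [Validator(n, s) for n, s in stakes.items()]
    for v in validators:
        if v.name in filtering_names:
            v.deny_list.add("0xHACKER")       # placeholder address
    ledger = {"coin_A": "0xHACKER", "coin_B": "0xALICE"}
    hacker_tx = {"sender": "0xHACKER", "object": "coin_A", "recipient": "0xOTHER"}
    alice_tx = {"sender": "0xALICE", "object": "coin_B", "recipient": "0xBOB"}
    return (submit(ledger, validators, hacker_tx),
            submit(ledger, validators, alice_tx),
            ledger["coin_A"])

if __name__ == "__main__":
    print(demo({"v5"}))          # 10% of stake filters
    print(demo({"v3", "v4"}))    # 35% of stake filters
    print(demo({"v1", "v2"}))    # 55% of stake filters
```

How much stake has to filter before the transfer is stranded depends entirely on the quorum rule, which is a parameter of this model.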


Whether through temporary coordination or systematic rule enforcement, the majority of validators need to act in unison. Evidently, the distribution of power in Sui's validator network is still too centralized, with a few nodes able to control key network decisions. This over-centralization of validators is not unique to Sui: from Ethereum to BSC, most PoS networks face similar risks of validator centralization, but Sui has just made the issue more apparent.


——How can a network claiming to be decentralized have such a strong centralized "freeze" capability?


What's even more damning is that Sui's official statement is to return the frozen funds to the pool, but if the validators are indeed only "refusing to include transactions," these funds should in theory never be movable. How did Sui manage to return them? This further calls the decentralization of Sui's chain into question!


Could it be that apart from a few centralized validators refusing transactions, the officials even have system-level superpowers to directly modify asset ownership? (Sui needs to provide further details on the "freeze") Before disclosing specific details, it is necessary to discuss the trade-off around decentralization:

Is emergency intervention and response, at the cost of a bit of decentralization, always a bad thing? Is it what users want if the whole chain does nothing in the face of a hacker attack?


I would like to say that, of course, no one wants their money to fall into the hands of hackers, but what worries the market more about this move is that the freeze standard is entirely subjective: What constitutes "stolen funds"? Who defines it? Where are the boundaries? Freeze the hacker today, freeze who tomorrow? Once such a precedent is set, the core anti-censorship value of a public chain is completely bankrupt, inevitably causing damage to user trust. Decentralization is not black and white; Sui has chosen a specific balance point between user protection and decentralization. The crux lies in the lack of a transparent governance mechanism and clear boundary standards. At this stage, most blockchain projects are making such trade-offs, but users have the right to know the truth, rather than being misled by the label of "completely decentralized."


