How did Sui "freeze" the hacker's address? Is decentralization a lie?

8 hours ago

This article is machine translated

Show original

Many people are puzzled that after @CetusProtocol was hacked, the Sui validator network coordinated to "freeze" the hacker's address, recovering $160 million. How exactly was this done? Is decentralization just a "lie"? Let's analyze this from a technical perspective:

· Cross-chain bridge transfer part: After the successful hack, the hacker immediately transferred some USDC and other assets through cross-chain bridges to other chains like Ethereum. These funds cannot be recovered because once they leave the Sui ecosystem, validators are powerless.

· Portion still on Sui chain: A significant amount of stolen funds remains in the hacker's Sui addresses. These funds became the target of "freezing".

According to the official announcement, "A large number of validators identified the stolen fund addresses and are ignoring transactions from these addresses".

——How exactly was this implemented?

1, Transaction filtering at the validator level - simply put, validators collectively "play blind":

- Validators directly ignore transactions from the hacker's address in the transaction pool (mempool);
- These transactions are technically completely valid, but just not packaged onto the chain;
- The hacker's funds are thus "soft confined" in the address;

2, Key mechanism of Move object model - Move language's object model makes this "freezing" possible:

- Transfer must be on-chain: Although the hacker controls a large number of assets in the Sui address, to transfer these USDC, SUI and other objects, they must initiate a transaction and have it packaged and confirmed by validators;
- Validators hold the power of life and death: If validators refuse to package, the objects will never move;
- Result: The hacker nominally "owns" these assets, but actually has no way to move them.

It's like having a bank card, but all ATMs refuse to serve you. The money is in the card, but you can't withdraw it. With continuous monitoring and interference from SUI validator nodes (ATMs), tokens like SUI in the hacker's address will not be able to circulate, and these stolen funds now seem "destroyed", objectively creating a "deflationary" effect?

Of course, in addition to temporary coordination by validators, Sui might have a pre-set denial list function at the system level. If this is indeed the case, the process might be: relevant authorities (such as Sui Foundation or through governance) add the hacker's address to the system's deny_list, and validators execute according to this system rule, refusing to process transactions from blacklisted addresses.

Whether through temporary coordination or system rule execution, this requires most validators to be able to act in unison. Clearly, Sui's validator network power distribution is still too centralized, with a minority of nodes able to control key network decisions. The over-centralization of Sui's validators is not unique to PoS chains - from Ethereum to BSC, most PoS networks face similar validator centralization risks, but Sui has exposed this issue more explicitly.

——How can a network claiming to be decentralized have such a strong centralized "freezing" capability?

More critically, Sui officially stated they would return the frozen funds to the pool, but if validators are truly "refusing to package transactions", these funds should theoretically never move. How will Sui achieve this return? This further challenges Sui's decentralization characteristics!

Could it be that in addition to a few centralized validators refusing transactions, the official might even have system-level super permissions to directly modify asset ownership? (Sui needs to provide further "freezing" details) Before specific details are disclosed, it's necessary to discuss the trade-offs around decentralization:

Is sacrificing a bit of decentralization for emergency response always a bad thing? If a chain does nothing when facing a hacker attack, is that really what users want?

What I want to say is that while naturally no one wants money to fall into hackers' hands, what worries the market more is that the freezing standards are completely "subjective": What counts as "stolen funds"? Who defines this? Where are the boundaries? Today it's freezing hackers, who will it be tomorrow? Once such a precedent is set, the blockchain's core anti-censorship value is completely bankrupt, inevitably damaging user trust. Decentralization is not black and white, Sui has chosen a specific balance point between user protection and decentralization. The key issue is the lack of transparent governance mechanisms and clear boundary standards. Most blockchain projects are currently making such trade-offs, but users have the right to know the truth, rather than being misled by the "completely decentralized" label.

Original link

Welcome to join BlockBeats official community:

Telegram subscription group: https://t.me/theblockbeats

Telegram discussion group: https://t.me/BlockBeats_App

Twitter official account: https://twitter.com/BlockBeatsAsia

Sector:

Binance Launchpool

Layer 1

Source

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.

Add to Favorites

Comments

Relevant content

MarsBit

20 hours ago

SUI ecosystem is in turmoil! Cetus vulnerability leads to the theft of hundreds of millions of assets, and hackers are transferring funds across chains

Hyperliquid Nears All-Time High – What’s Next for HYPE Price?

BeInCrypto Việt Nam

13 hours ago

Robinhood Lists MOODENG and MEW, Triggering a 20% Surge