Response to the Cetus Incident – Onchain Community Vote

Cetus has requested a community-driven vote to recover the funds frozen following last week’s hack. In response, Sui Foundation has agreed to facilitate a vote amongst Sui validators, who represent the interests of both their stakers and the network as a whole. Sui holders and stakers can vote directly through stake delegation.

The proposition is to perform a protocol upgrade that reclaims all funds currently frozen in the two hacker accounts without a signature from the hackers. If the proposition is approved, the funds will be transferred and held in trust until they can be returned to the accounts that had positions in Cetus. The protocol upgrade proposition is part of Cetus’s larger recovery plan to ensure all account holders are made whole, which includes use of Cetus’s treasury and obtaining a loan from Sui Foundation.

Voting will begin at 1pm PST on Tuesday 27 May, and will run for up to 7 days. After a minimum period of 2 days, voting can end early if it is conclusive. 

How to participate in the vote

How to observe the current state of the vote

Major explorers (Space and Time, Suiscan, and Suivision) have dedicated web pages for monitoring the validators' voting decisions as well as each validator's current stake. The Sui Foundation's stake is excluded to maintain neutrality.

For Sui holders and stakers

You can show your support by moving stake to validators whose preferences match yours. See above to understand how validators have voted.

For validators: 

The voting process: Sui validators and holders decide

Sui is a decentralized system governed through delegated proof of stake. Holders of Sui have delegated stake to validators that they believe will operate correctly and represent their preferences on governance matters such as protocol parameters and protocol upgrades. When validators vote, they represent themselves, Sui holders, and stakers.

How will the vote work:

  • Voting amongst validators is facilitated via a transparent smart contract on Sui that tracks votes and measures the voting stake supporting each position.
  • Voting will begin on Tuesday, May 27th at 1:00pm PST.
  • Voting will be open for up to 7 days.
  • Validators may vote “yes,” “no,” or “abstain.” Once submitted, votes cannot be changed.
  • Votes are weighted by validator stake, excluding the Sui Foundation’s stake to maintain neutrality.
  • Stakers are encouraged to delegate their stake to validators who align with their preferences.
  • The proposal is considered approved if and only if: (a) more than 50% of total stake (excluding abstain) participates by voting “yes” or “no,” and (b) the weighted stake voting “yes” exceeds the weighted stake voting “no.”
  • Voting may end early (after a minimum of 2 days) if the remaining unvoted stake cannot change a “yes” outcome.
  • If there is no majority for “yes” or “no” prior to Tuesday, June 3 at 11:30am PST, the vote will be closed and there will be no protocol changes resulting from this vote.
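The approval and early-close rules above can be written as a small stake tally. This is an added example, not the voting contract's code (the contract source remains authoritative); it assumes stake is counted in plain integer units, that "total stake (excluding abstain)" means eligible stake minus abstaining stake, and that the eligible total already leaves out the Sui Foundation's stake. All type and function names are hypothetical.

```rust
// Added illustration of the stated voting rules; not the on-chain contract.
// Assumption: `eligible` already excludes the Sui Foundation's stake.
pub struct Tally {
    pub eligible: u64,
    pub yes: u64,
    pub no: u64,
    pub abstain: u64,
}

impl Tally {
    /// Stake that has not voted yet (saturating, so bad input cannot underflow).
    pub fn unvoted(&self) -> u64 {
        self.eligible
            .saturating_sub(self.yes)
            .saturating_sub(self.no)
            .saturating_sub(self.abstain)
    }

    /// Rule (a), as read here: yes + no exceeds 50% of (eligible - abstain).
    pub fn quorum_met(&self) -> bool {
        let voted = self.yes as u128 + self.no as u128;
        let base = self.eligible.saturating_sub(self.abstain) as u128;
        2 * voted > base
    }

    /// Rules (a) and (b) together.
    pub fn approved(&self) -> bool {
        self.quorum_met() && self.yes > self.no
    }

    /// Early close: at least 2 days in, and "yes" still wins even if every
    /// unit of unvoted stake were to vote "no".
    pub fn can_end_early(&self, elapsed_days: u32) -> bool {
        let worst_case_no = self.no as u128 + self.unvoted() as u128;
        elapsed_days >= 2 && self.quorum_met() && self.yes as u128 > worst_case_no
    }
}

fn main() {
    // Constructed numbers, not real validator stake.
    let t = Tally { eligible: 1000, yes: 600, no: 100, abstain: 50 };
    println!("approved={} early_close={}", t.approved(), t.can_end_early(2));
}
```

Under this reading the quorum test cannot flip from met to unmet as more votes arrive, since further "yes"/"no" votes raise the numerator and further abstentions lower the denominator.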

Ultimately anyone holding Sui or Staked Sui may participate in the vote by delegating stake to a validator that represents their preference. 

The description of the voting process above is necessarily high-level, and the authoritative description remains the smart contract source code. The source code of the voting contract and validator voting tools can be viewed and the Move package has been published [SuiScan, SuiVision]. Validators may use the CLI tool provided, and their validator account key, to vote.

The proposition: A protocol upgrade to return hacked funds

Voting “yes” supports a protocol upgrade to be introduced that transfers the funds frozen as a result of the Cetus hack to a wallet controlled by a multi-sig. The funds will be held in trust until Cetus redistributes them to the accounts affected by the hack.

The Cetus trust wallet will be controlled with a 4 of 6 multisig wallet: 2 keys will be held by Cetus; 2 by the Sui Foundation; and 2 by OtterSec (a trusted auditor in the Sui community). This wallet address will be finalized shortly.

The intended role of these signers is as follows: Cetus will propose/sign transactions that follow the recovery plan that they decide upon. OtterSec will verify that the transactions match the intent of the publicly stated plan and sign them if so. Sui Foundation will not sign any transactions unless other signers are unable to. 

Voting “no” supports no such protocol upgrade to be introduced.

The protocol upgrade technical details

The exact details of the protocol upgrade will be as follows:

  • A specific address will be allowed to act as both of the hacker addresses, for two pre-specified transactions only (one for each address).
  • That is, we will specify two (hacker_address, aliased_address, TransactionDigest) tuples. For each tuple, the aliased address is allowed to act as the hacker address, only for the specific transaction.
  • This mechanism is specific to the two recovery transactions and cannot be used for any other purpose.
  • The transactions will be crafted and publicized once the recovery address is finalized.
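The scoping described in this list can be expressed as a signer check that matches each tuple as a whole. This is an added example, not Sui's protocol code; it models addresses and digests as 32-byte arrays, uses constructed placeholder values, and covers only the signature-authorization decision. The names `AliasRule` and `signer_authorized` are hypothetical.

```rust
// Added illustration; not Sui's protocol code. All values are constructed.
pub type Address = [u8; 32];
pub type TransactionDigest = [u8; 32];

pub struct AliasRule {
    pub hacker_address: Address,
    pub aliased_address: Address,
    pub tx_digest: TransactionDigest,
}

pub const HACKER_1: Address = [0x11; 32];
pub const HACKER_2: Address = [0x22; 32];
pub const RECOVERY: Address = [0xAA; 32]; // the single aliased address
pub const DIGEST_1: TransactionDigest = [0xD1; 32];
pub const DIGEST_2: TransactionDigest = [0xD2; 32];

/// The two pre-specified tuples, one per hacker address.
pub fn sample_rules() -> Vec<AliasRule> {
    vec![
        AliasRule { hacker_address: HACKER_1, aliased_address: RECOVERY, tx_digest: DIGEST_1 },
        AliasRule { hacker_address: HACKER_2, aliased_address: RECOVERY, tx_digest: DIGEST_2 },
    ]
}

/// May `signer` authorize the transaction `tx_digest` whose sender is `sender`?
pub fn signer_authorized(
    rules: &[AliasRule],
    sender: &Address,
    signer: &Address,
    tx_digest: &TransactionDigest,
) -> bool {
    if signer == sender {
        return true; // ordinary case: an address signs for itself
    }
    // Alias case: sender, signer and digest must all come from the SAME tuple.
    // Checking each field against separate allowlists would wrongly accept
    // (HACKER_1, RECOVERY, DIGEST_2).
    rules.iter().any(|r| {
        r.hacker_address == *sender
            && r.aliased_address == *signer
            && r.tx_digest == *tx_digest
    })
}

fn main() {
    let rules = sample_rules();
    println!("{}", signer_authorized(&rules, &HACKER_1, &RECOVERY, &DIGEST_1));
    println!("{}", signer_authorized(&rules, &HACKER_1, &RECOVERY, &DIGEST_2));
}
```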