On October 16, the Sui-based DeFi protocol Typus Finance experienced a security breach, resulting in approximately $3.44 million in losses. The project has officially acknowledged the incident and expressed gratitude to SlowMist for their assistance in the investigation.

Attack Sequence Analysis:

The exploit originated from a critical vulnerability in the oracle update mechanism. Attackers manipulated price data through the update_v2 function in the typus_oracle/sources/oracle.move contract. The flaw lay in the permission validation logic: although the UpdateAuthority object held a whitelist of authorized addresses, the contract called vector::contains on that whitelist but never acted on the boolean it returned. The membership check was therefore computed and discarded, so any caller could modify oracle prices despite the intended access control.

Key Attack Steps:

1. Price Manipulation: The attacker called update_v2 to set artificial prices for oracle tokens, setting one oracle price to 651,548,270 and another to 1.

2. Arbitrage Execution: The attacker exploited the manipulated prices through the swap function in typus_perp/sources/tlp/lp_pool.move. Because the trading pool priced conversions from oracle quotes rather than a constant product formula, the attacker was able to exchange 1 SUI for 60,000,000 XBTC (approximately 0.6 BTC).

3. Repeated Exploitation: The attacker executed 10 separate update_v2 attacks and rapidly transferred the stolen assets through cross-chain bridges.

Fund Tracing:

According to MistTrack analysis, the total stolen assets amounted to approximately $3.44 million, including 588,357.9 SUI, 1,604,034.7 USDC, 0.6 xBTC, and 32.227 suiETH. The attacker converted most assets to USDC through various DeFi platforms and transferred approximately 3,430,717 USDC across 14 transactions to an Ethereum address via Circle's CCTP. The funds were subsequently converted to 3,430,241.91 DAI through Curve and moved to a new address, where they remain.
Security Recommendations:

This incident is a classic oracle manipulation attack. It could have been prevented with a single assert statement that aborts the transaction when the whitelist check returns false, instead of silently discarding that result.

Sui Move Permission Control Characteristics:

Compared to Solidity, Sui Move incorporates more built-in and mandatory access controls. Its object-oriented model and linear type system enforce exclusive ownership, preventing unauthorized modifications. Properly implemented capability objects such as ManagerCap can effectively gate sensitive operations. Despite Sui Move's robust security foundations, this case demonstrates that rigorous coding practices and comprehensive security audits remain essential for preventing exploits in smart contract development.
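To make the root cause and the recommended fix concrete, the following is an added Sui Move example written for this write-up; it is not Typus Finance's code and does not reproduce the real update_v2 signature. The module name, the Oracle and UpdateAuthority field layouts, and the ManagerCap type are assumptions chosen for illustration. It places the flawed pattern (membership test computed but discarded) beside two defensive patterns: asserting on the whitelist check, and gating the update behind a capability object so that authorization is enforced by the type system rather than by a runtime lookup.

```move
// Hypothetical module for illustration only; not the Typus Finance contract.
module oracle_example::oracle {
    use std::vector;
    use sui::object::{Self, UID};
    use sui::tx_context::{Self, TxContext};
    use sui::transfer;

    /// Abort code returned when the sender is not on the whitelist.
    const E_NOT_AUTHORIZED: u64 = 0;

    /// Assumed layout: a shared object holding the whitelist of updater addresses.
    public struct UpdateAuthority has key {
        id: UID,
        authority: vector<address>,
    }

    /// Assumed layout: a shared price feed.
    public struct Oracle has key {
        id: UID,
        price: u64,
        ts_ms: u64,
    }

    /// Capability object: only whoever holds a ManagerCap can call functions
    /// that take it as a parameter. Minted once at publish time.
    public struct ManagerCap has key, store {
        id: UID,
    }

    fun init(ctx: &mut TxContext) {
        // Hand the single capability to the publisher (assumed deployment policy).
        transfer::transfer(ManagerCap { id: object::new(ctx) }, tx_context::sender(ctx));
    }

    /// VULNERABLE PATTERN (the defect described above): the whitelist lookup is
    /// evaluated, but its boolean result is dropped, so execution always falls
    /// through to the state write. Any address can set the price.
    public fun update_vulnerable(
        oracle: &mut Oracle,
        auth: &UpdateAuthority,
        price: u64,
        ts_ms: u64,
        ctx: &TxContext,
    ) {
        // bool has `drop`, so this compiles; nothing enforces the check.
        vector::contains(&auth.authority, &tx_context::sender(ctx));
        oracle.price = price;
        oracle.ts_ms = ts_ms;
    }

    /// FIX 1: assert on the result. A non-whitelisted sender aborts with
    /// E_NOT_AUTHORIZED and no state change is committed.
    public fun update_checked(
        oracle: &mut Oracle,
        auth: &UpdateAuthority,
        price: u64,
        ts_ms: u64,
        ctx: &TxContext,
    ) {
        assert!(
            vector::contains(&auth.authority, &tx_context::sender(ctx)),
            E_NOT_AUTHORIZED,
        );
        oracle.price = price;
        oracle.ts_ms = ts_ms;
    }

    /// FIX 2: require a capability. There is no boolean to forget here; a
    /// transaction that does not own a ManagerCap cannot even construct the call.
    public fun update_with_cap(
        _cap: &ManagerCap,
        oracle: &mut Oracle,
        price: u64,
        ts_ms: u64,
    ) {
        oracle.price = price;
        oracle.ts_ms = ts_ms;
    }
}
```

When reviewing Move code for this class of bug, search for calls to functions returning bool (vector::contains, table::contains, comparisons) that appear as bare expression statements rather than inside an assert! or an if; the compiler accepts the discarded value because bool is droppable, so nothing flags it unless a reviewer or a linter does.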