A DEX on SUI got hacked and hundreds of millions of dollars were lost. SUI validators then coordinated to block transactions from the addresses with the stolen money to maintain control over it. And this is currently being described as a decentralized security feature.

Cryptocurrency News and Public Mining Pools

How did the stolen funds get recovered so fast?

SUI’s validators leveraged built-in code mechanisms to execute emergency votes, swiftly freezing most of the stolen funds. This decentralized security feature, designed to counter code vulnerabilities, proved critical in mitigating the exploit’s impact.

Now read the above and laugh.

The argument in the end is that SUI holders can undelegate from these validators if they don't agree with them blocking transactions, so therefore it's a -decentralized- security feature. But when you look into the ICO distribution, tokenomics, validator requirements and the subsidy and delegation program in the Community Reserve, you get a very different perspective.

ICO distribution and tokenomics

Total supply: 10,000,000,000

Circulating supply: 3,338,327,017

Staked: 7,582,337,296 (note 33% circulating, 75% staked, hmmmmm)

ICO distribution: https://icoanalytics.org/projects/sui/

A handful of insiders own about 4,400,000,000 SUI (44%), which is vested and unlocked on a schedule; 3,338,327,017 SUI (33%) is in circulation; and 7,582,337,296 SUI (75%) is staked, which evidently includes vested tokens.

So the conclusion is that a small group of insiders own the vast majority of the SUI supply and stake it.

This alone gives them a disproportionate amount of control over who validates the blockchain. The fact that vested tokens are also staked, resulting in 75% of the supply being staked while only 33% is in circulation, exacerbates this.

It effectively means nobody else can validate the blockchain because they can't even acquire the tokens to do so or at best it's incredibly expensive.

Additional information: The public sale sold only 328,500,000 SUI (3.2%). For 25,000,0000 of that SUI you had to be whitelisted by the Sui Foundation, the rest required people to participate in exchange-specific lotteries and most of those tokens unlocked monthly over a 12 month period.

Community Reserve

50% was allocated to the community reserve, which includes:

  • Delegation Program: To help bootstrap community-run validators and ensure even stake distribution across the network.
  • Validator Subsidies: To subsidize staking rewards in the early stages of the network.

Because insiders own the vast majority of the supply and they stake it they automatically receive the benefits from the Delegation Program and Validator Subsidies. This is giving them even more ownership over the supply and thus control over consensus. It's likely that insiders already obtained close to 25% of this reserve because 75% is staked.

Validator requirements

Minimum Stake Requirement: To become a (profitable) validator, you need to stake at least 30 million SUI tokens. At a price of $3.80 this is $114M. This requirement exacerbates the problem even further. It's already very hard to acquire SUI tokens and compete with insiders let alone this much to only become profitable.

Conclusion

With this information alone we can conclude that undelegating if you don't agree with validators blocking transactions from specific addresses is completely ineffective, and this is clearly not a "decentralized" security feature. This action looks more like a 33% attack by majority control; it only requires 1/3rd of the validators (over 36) to coordinate to do so.

Fault Tolerance Threshold

  • Sui's consensus layer can tolerate up to f < n/3 Byzantine validators (where n is the number of validators).
  • With 109 validators (as of May 2025), up to 36 faulty validators could theoretically be tolerated without compromising safety.

And from the tokenomics and ICO distribution we can deduce that there are not 109 unique validators, which makes it far easier to coordinate with 36 validators.

In reality the Minimum Attack Vector/Nakamoto Coefficient is much lower than 36. It's probably more like 10 or less entities. Entities who have been in contact since the ICO, who have the same interests and who are from the same country. Maybe a majority attack is technically not what happened in this case but it will nonetheless always remain a security issue.

TL;DR: it's not a feature and it's not a bug, it's a centralized database run by insiders with an on/off switch.

submitted by /u/cascading_disruption
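The post's "Fault Tolerance Threshold" and Nakamoto coefficient points can be made concrete with a small calculation. The following Python is an added example written for this page; it is not Sui's software and the validator set it builds is a constructed sample (entity names such as "insider-1" and "community-0" and all stake figures are invented, chosen only to resemble the concentration the post describes, not real Sui data). It computes the count-based bound f < n/3, then a stake-weighted Nakamoto coefficient: the fewest stakeholders whose combined stake exceeds one third of the total. Once that much stake coordinates, the remaining validators hold less than the two thirds needed to certify a transaction, which is why the post treats "over 36" validators as the relevant threshold. Aggregating stake by controlling entity rather than by validator name shows how much lower the coefficient becomes when the same entity runs several validators, which is the post's "not 109 unique validators" point.

```python
"""Stake-concentration metrics for a BFT proof-of-stake validator set.

Added illustration, not Sui's code or data. Integer arithmetic is used so
the one-third comparison has no float rounding error at the boundary.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

# (validator name, controlling entity, stake) -- constructed sample values,
# stake expressed in millions of tokens.
Validator = Tuple[str, str, int]


def byzantine_tolerance(n: int) -> int:
    """Largest f with f < n/3: faulty validators tolerated, counted by head."""
    if n < 1:
        raise ValueError("need at least one validator")
    return (n - 1) // 3


def nakamoto_coefficient(stakes: Iterable[int], numerator: int = 1,
                         denominator: int = 3) -> int:
    """Fewest largest stakeholders whose stake exceeds numerator/denominator of total.

    Default threshold 1/3: a group holding more than a third of stake leaves
    the rest below the 2/3 quorum needed to certify a transaction.
    """
    sorted_stakes = sorted(stakes, reverse=True)
    total = sum(sorted_stakes)
    if total <= 0:
        raise ValueError("total stake must be positive")
    cumulative = 0
    for count, stake in enumerate(sorted_stakes, start=1):
        cumulative += stake
        if cumulative * denominator > total * numerator:
            return count
    return len(sorted_stakes)  # reached only if the loop never exceeded the threshold


def stake_by_entity(validators: Sequence[Validator]) -> Dict[str, int]:
    """Sum stake per controlling entity, collapsing multi-validator operators."""
    totals: Dict[str, int] = defaultdict(int)
    for _name, entity, stake in validators:
        totals[entity] += stake
    return dict(totals)


def build_sample_validator_set() -> List[Validator]:
    """Constructed 109-validator set: 5 insider entities run 12 validators.

    Insider stake is 3,900 of 7,586 units (about 51%); the other 97
    validators hold 38 units each. All figures are invented for illustration.
    """
    insiders = {  # entity -> (validators run, stake per validator)
        "insider-1": (3, 400),
        "insider-2": (2, 450),
        "insider-3": (3, 300),
        "insider-4": (2, 250),
        "insider-5": (2, 200),
    }
    validators: List[Validator] = []
    for entity, (count, stake) in insiders.items():
        for i in range(count):
            validators.append((f"{entity}-val{i}", entity, stake))
    for i in range(109 - len(validators)):
        # each community validator is its own entity
        validators.append((f"community-val{i}", f"community-{i}", 38))
    return validators


def concentration_report(validators: Sequence[Validator]) -> Dict[str, int]:
    """Compare the count-based bound with stake-weighted coefficients."""
    n = len(validators)
    return {
        "validators": n,
        "byzantine_tolerance": byzantine_tolerance(n),
        "coefficient_by_validator": nakamoto_coefficient(s for _, _, s in validators),
        "coefficient_by_entity": nakamoto_coefficient(stake_by_entity(validators).values()),
    }


if __name__ == "__main__":
    report = concentration_report(build_sample_validator_set())
    for key, value in report.items():
        print(f"{key}: {value}")
    # With 109 equal stakes the coefficient is 37 (36 validators hold just under a third).
    print("equal-stake coefficient:", nakamoto_coefficient([1] * 109))
```

On the constructed set the count-based bound says 36 faulty validators are tolerable, but only 7 individual validators, and only 3 controlling entities, need to coordinate to hold more than a third of stake. The entity-level number is the one that matters for the censorship scenario the post describes, since validator names say nothing about who operates them.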