Cetus Protocol Shift Left Overflow Vulnerability Exploit Drain

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Cetus Protocol, a decentralized exchange built on the Sui blockchain, suffered a catastrophic exploit resulting in over $260 million in losses due to a vulnerability in a shared math library function, checked_shlw. The flaw allowed an attacker to manipulate a core liquidity calculation, using minimal input to mint excessive liquidity and drain funds across multiple AMM pools. Despite a swift emergency response by Sui validators that froze $162 million mid-heist, over $60 million was bridged to Ethereum and converted to ETH. The incident exposed broader vulnerabilities across the Sui DeFi ecosystem, with several protocols patching similar logic flaws post-exploit. Cetus has since offered a $5 million bounty for the identification and return of the stolen funds.[1][2][3][4][5][6][7]

About Cetus Protocol

Cetus Protocol is a decentralized exchange (DEX) built on the Sui blockchain, designed to simplify on-chain trading and liquidity provision for users and developers alike. It offers a suite of advanced DeFi tools including swap aggregation, concentrated liquidity pools, intent-based trading, and automated vaults to help users maximize capital efficiency and returns. The platform supports both casual and institutional users, boasting features like limit orders, dollar-cost averaging (DCA), and multi-tier fee pools, all within a permissionless and secure environment.

At its core, Cetus functions as a CLMM-based DEX (Concentrated Liquidity Market Maker), allowing liquidity providers to allocate capital within specific price ranges, thereby improving efficiency and reducing slippage. With its Infinity Pools, users can deploy liquidity flexibly, while Cetus Vault offers automation for liquidity management. The protocol incentivizes participation through liquidity mining, yield farming, and a dual-token model featuring CETUS and xCETUS, designed to deliver sustainable, protocol-based rewards.

Cetus also serves as an on-ramp for new projects within the Sui ecosystem through its Asset Launch feature, enabling token launches and liquidity bootstrapping via its Launchpad. For developers, Cetus provides "Liquidity as a Service," offering APIs and smart contracts that integrate seamlessly with other applications. It is deeply embedded in the Sui ecosystem and audited for security, with a strong emphasis on open-source and permissionless design principles.

The Reality

A vulnerability resided in a shared math library (checked_shlw) that was conveniently “out of scope” in multiple top-tier reviews.

What Happened

A critical mathematical flaw in Cetus Protocol's liquidity calculations allowed an attacker to mint near-infinite liquidity with a single token, draining $223 million.

Key Event Timeline - Cetus Protocol Shift Left Overflow Vulnerability Exploit Drain

Date: May 22nd, 2025 4:45:25 AM MDT
Event: Attack On SUI Network
Description: The attack occurs on the SUI network.

Date: May 22nd, 2025 11:02:40 AM MDT
Event: Verichain Blog Post
Description: Verichains creates a blog post offering a detailed root cause analysis of the $260 million exploit on Cetus Protocol, a decentralized exchange on the Sui blockchain. The blog highlights how the attack exploited a critical arithmetic vulnerability in the protocol’s smart contract, specifically a flawed overflow check in the checked_shlw(u256) function used for liquidity calculations. This incorrect check allowed an attacker to manipulate token inputs and mint excessive liquidity with almost no actual token deposit, ultimately draining the pools.

Date: May 23rd, 2025 1:36:00 PM MDT
Event: Rekt Article Published
Description: Rekt News reports the incident as $223 million drained from Cetus, the largest decentralized exchange on the Sui network, through a fundamental flaw in its liquidity math. Rekt News frames the incident as a cautionary tale for the entire DeFi ecosystem: a reminder that smart contracts are only as secure as the math behind them. When foundational code is left unchecked and audits skip core components, the consequences aren’t just theoretical — they’re worth hundreds of millions.

Technical Details

By manipulating a poorly guarded formula in the get_liquidity_from_a function, attackers used a single SCA token and a narrow tick range to generate an astronomical liquidity position, essentially minting value out of thin air. This arithmetic loophole — a denominator approaching zero — allowed attackers to withdraw massive funds with negligible input, all without needing advanced exploits, oracle tampering, or smart contract breaches.
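The timeline entry and the paragraph above both turn on one mechanism: a checked shift-left whose overflow bound is wrong lets a value wrap in 256-bit arithmetic without raising the overflow flag, and a wrapped numerator is tiny, which is how a huge liquidity figure can correspond to a negligible token deposit. The following Python is an added illustration, not Cetus source code: the flawed bound, the fixed bound and the probe inputs are constructed for this example, and Python's arbitrary-precision integers serve as the oracle that a differential test compares against.

```python
U256_MASK = (1 << 256) - 1
SHIFT = 64                                  # shift left by one 64-bit word, as checked_shlw does
OVERFLOW_THRESHOLD = 1 << (256 - SHIFT)     # 2**192: smallest n for which n << 64 no longer fits in u256
FLAWED_BOUND = 0xFFFFFFFFFFFFFFFF << 192    # constructed "too large" bound for the flawed variant


def checked_shlw_flawed(n: int) -> tuple[int, bool]:
    """Flawed check: only flags n above FLAWED_BOUND, i.e. (2**64 - 1) * 2**192.

    Every n in [2**192, FLAWED_BOUND] passes the check although n << 64 exceeds
    u256, so the value wraps (emulated with & U256_MASK) and the flag stays False.
    The wrapped result keeps only the low bits, so a huge input becomes a tiny output.
    """
    if n > FLAWED_BOUND:
        return 0, True
    return (n << SHIFT) & U256_MASK, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct check: any n >= 2**192 would lose high bits, so report overflow."""
    if n >= OVERFLOW_THRESHOLD:
        return 0, True
    return n << SHIFT, False


def reference_overflows(n: int) -> bool:
    """Oracle with unbounded ints: does n << 64 exceed the u256 range?"""
    return (n << SHIFT) > U256_MASK


def find_unflagged_overflows(candidates: list[int]) -> list[int]:
    """Differential test: inputs the flawed variant accepts but the oracle says overflow."""
    return [n for n in candidates
            if not checked_shlw_flawed(n)[1] and reference_overflows(n)]


# Constructed probe set around both bounds; none of these values come from the incident.
SAMPLE_INPUTS = [0, 1, 1 << 191, OVERFLOW_THRESHOLD - 1, OVERFLOW_THRESHOLD,
                 OVERFLOW_THRESHOLD + 5, FLAWED_BOUND, FLAWED_BOUND + 1]

if __name__ == "__main__":
    for n in SAMPLE_INPUTS:
        print(f"{n.bit_length():3d}-bit input  flawed flag={checked_shlw_flawed(n)[1]!s:5}"
              f"  fixed flag={checked_shlw_fixed(n)[1]}")
    print("unflagged overflows:", [hex(n) for n in find_unflagged_overflows(SAMPLE_INPUTS)])
    # (2**192 + 5) << 64 wraps to 5 << 64: a 193-bit input yields a 67-bit result
    print("wrapped value:", checked_shlw_flawed(OVERFLOW_THRESHOLD + 5))
```

The same oracle-versus-implementation comparison is the review step that would have caught the bound error before deployment: any input the implementation accepts that the oracle rejects is a silent overflow.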

Total Amount Lost

Over $260 million was lost in the Cetus Protocol exploit, according to the Verichains analysis.

The total amount at risk has been estimated at $237,600,000 USD. The total amount lost has been estimated at $223,000,000 USD.

Immediate Reactions

The attack rapidly impacted every Cetus AMM pool, prompting Sui validators to initiate an emergency response. In a rare move, they froze $162 million mid-heist through a network-wide consensus override. Despite this, over $60 million had already been laundered through the Wormhole bridge to Ethereum and converted into nearly 21,000 ETH. The attacker, demonstrating deep familiarity with both the protocol and its underlying math, moved swiftly and efficiently, leaving few traces beyond blockchain breadcrumbs.

Ultimate Outcome

Several other Sui-based DeFi protocols, including Kriya, FlowX, and Turbo Finance, were found to be using the same flawed logic, with some quietly patching their code post-incident. Cetus and Inca Digital initially offered the attacker a $6 million whitehat bounty, which was ignored, leading to a public $5 million bounty for identification and arrest.

A bounty of $6,000,000 USD was paid for the discovery.

Total Amount Recovered

The total amount recovered has been estimated at $162,000,000 USD.


Ongoing Developments

There remains an outstanding $5m bounty for the identification of the hacker and return of the funds.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References