TL;DR
- SlowMist traced the exploit to a flawed overflow check in the `checked_shlw` function, which let the attacker open a liquidity position of enormous nominal size while depositing only a single token.
- The attack combined a flash loan, which crashed the pool price, with an extremely narrow liquidity position that the faulty math credited far beyond what was actually deposited, letting the attacker drain the pool.
- Validators on the Sui network, coordinated with the Sui Foundation, have frozen over $160 million of the stolen funds, and Cetus is offering a $5 million reward for information leading to the attacker.
On May 22, 2025, Cetus, one of the most prominent decentralized exchanges on the Sui network, suffered a devastating loss exceeding $230 million. The cause, as revealed by blockchain security firm SlowMist, was a small coding mistake in the protocol's math: the `checked_shlw` helper, which the `get_delta_a` function relies on to detect a 256-bit overflow when shifting a value left by 64 bits, compared against the wrong bound and let overflowing values through.
Because the overflow went undetected, the shifted value was silently truncated and the token-amount calculation came out wrong in the attacker's favour: the amount of tokens that `get_delta_a` demanded in exchange for an enormous liquidity position rounded to roughly one token. In simple terms, the code recorded a massive amount of liquidity while only a single token was actually deposited, and that distortion was enough for an attacker to withdraw real assets with virtually no capital at risk.
Attack Strategy: Flash Loan and Fake Liquidity
The attack began with a flash loan of more than 10 million haSUI, which the attacker used to push haSUI's price in the pool down by roughly 99.9%. The attacker then opened a liquidity position with an extremely narrow price range, with the liquidity figure chosen so that the broken overflow check would credit the position with an astronomical amount of liquidity.
Taking advantage of the faulty calculation, the attacker was credited with liquidity worth trillions of tokens while actually supplying only a tiny fraction of that. They then removed liquidity in three separate steps, draining large quantities of assets from the pool, and finally repaid the flash loan. The net haul was roughly 10 million haSUI and 5.7 million SUI.
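To make the overflow mechanism concrete, here is an added Python model of the flawed check and of the liquidity-to-token calculation that depended on it. This is example code written for this article, not code from Cetus, SlowMist or Dedaub. The shape of the faulty mask and of the corrected condition follows the published root-cause analyses of the `integer-mate` math library in which `checked_shlw` lives; `get_delta_a` is a simplified re-creation of the AMM helper, and the sqrt prices and the liquidity figure are constructed for the demonstration, not the attacker's actual values.

```python
from collections.abc import Callable

# Added example (not from the article or from Cetus/SlowMist/Dedaub): a model of the
# broken 256-bit overflow check and the token-amount formula it was meant to protect.
# Mask and fix follow the published analyses; prices and liquidity are constructed.

U256_MASK = (1 << 256) - 1
U128_MAX = (1 << 128) - 1
U64_MAX = (1 << 64) - 1

ShlwFn = Callable[[int], tuple[int, bool]]


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Flawed 'checked shift left by 64' on a u256.

    The mask has only the top 64 bits set, so `n > mask` is true only when
    those 64 bits are all ones. Every other n with bits at or above 2**192
    passes, and the shift silently drops its high bits (Move's << truncates).
    """
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MASK, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct check: shifting a u256 left by 64 overflows iff n >= 2**192."""
    if n >= 1 << 192:
        return 0, True
    return (n << 64) & U256_MASK, False


def div_round(num: int, den: int, round_up: bool) -> int:
    q, r = divmod(num, den)
    return q + 1 if (round_up and r) else q


def get_delta_a(sqrt_price_0: int, sqrt_price_1: int, liquidity: int,
                round_up: bool, checked_shlw: ShlwFn) -> int:
    """Token-A amount backing `liquidity` between two Q64.64 sqrt prices.

    Mirrors the AMM helper's shape: (liquidity * |dp| << 64) / (p0 * p1), with
    overflow detection for the shift delegated to `checked_shlw`. Operands are
    u128; the result must fit a u64 (Move's `as u64` cast aborts otherwise).
    """
    for v in (sqrt_price_0, sqrt_price_1, liquidity):
        if not 0 <= v <= U128_MAX:
            raise ValueError("u128 operand out of range")
    diff = abs(sqrt_price_0 - sqrt_price_1)
    if diff == 0 or liquidity == 0:
        return 0
    numerator, overflowed = checked_shlw(liquidity * diff)
    if overflowed:
        raise OverflowError("liquidity * price_diff << 64 overflows u256")
    quotient = div_round(numerator, sqrt_price_0 * sqrt_price_1, round_up)
    if quotient > U64_MAX:
        raise OverflowError("delta_a does not fit in u64")
    return quotient


# Constructed scenario: a narrow range (sqrt prices 1/64 apart) and a liquidity
# value picked so that liquidity * diff lands just above 2**192, where the buggy
# check no longer notices the overflow.
SQRT_PRICE_LOW = 1 << 85
SQRT_PRICE_HIGH = (1 << 85) + (1 << 79)
HUGE_LIQUIDITY = (1 << 113) + (1 << 27)  # ~1e34 liquidity units, fits in u128


def tokens_required(checked_shlw: ShlwFn) -> int:
    """Tokens the pool asks for when minting HUGE_LIQUIDITY under a given check."""
    return get_delta_a(SQRT_PRICE_HIGH, SQRT_PRICE_LOW, HUGE_LIQUIDITY, True, checked_shlw)


def honest_tokens_required() -> int:
    """The same formula with unbounded integers: what the position should cost."""
    diff = SQRT_PRICE_HIGH - SQRT_PRICE_LOW
    return div_round((HUGE_LIQUIDITY * diff) << 64, SQRT_PRICE_HIGH * SQRT_PRICE_LOW, True)


if __name__ == "__main__":
    print("buggy check charges:", tokens_required(checked_shlw_buggy), "token")
    print("honest cost is about 2**%d tokens" % honest_tokens_required().bit_length())
    try:
        tokens_required(checked_shlw_fixed)
    except OverflowError as err:
        print("fixed check aborts:", err)
```

With the buggy check, the product `liquidity * diff` equals 2**192 + 2**106, which is below the mask, so the shift is allowed and its high bits vanish; what survives divided by the price product rounds to a single token for about 1e34 units of liquidity. The honest figure is on the order of 2**86 tokens, far beyond a u64, and the corrected check aborts the deposit instead of pricing it.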
A Call to the DeFi Community: Review, Verify, and Evolve
The crypto community is in constant evolution, but this incident shows that growth must go hand in hand with rigorous auditing. Both SlowMist and Dedaub, another security firm that analyzed the event, agree that such arithmetic "edge cases" must never be underestimated. A similar flaw had already been flagged in 2023 by OtterSec in the Aptos version of Cetus, yet the subsequent migration to Sui carried the same vulnerability into the new environment.
In a swift and coordinated response, the Sui Foundation and the network's validators froze $163 million of the stolen funds, and Cetus has offered a $5 million bounty for information that leads to those responsible. These rapid actions help restore confidence in the ecosystem, showing that while threats exist, the community has both the tools and the determination to defend itself.
The DeFi world is not free of risk, but incidents like these also drive improvements that ultimately strengthen decentralization and foster innovation.