Cetus Protocol is one of the major DEXs live on the Sui blockchain. On May 22, 2025, the Cetus Protocol got hit with a massive exploit, leading to losses of ~$223M in the process. The hacker used the same vulnerability multiple times to exploit the liquidity on the exchange.
Post-attack hacker bridged the liquidity to the Ethereum blockchain in batches of $1M. The attacker was able to bridge ~$62M in USDC later swapped to ETH, before the remaining stolen funds got frozen by the set of validators on Sui. The analysis covers the hack details, how it happened, the attack flow, and the funds lost.
Hack Analysis and Its Impact
The attack was initialized by a flash swap transaction. The attacker borrowed a huge amount of tokenA from the pool. Cetus Protocol allowed for flashloans where the users could get the tokens upfront if returned in the same transaction, as flashloans normally work.
Then the attacker opened a position with a narrow range of [300000, 300200] with just the addition of 1 unit of tokenA in the pool. The pool allowed for to minting of a massive amount of liquidity against 1 unit of the token.
The problem was with the following function: get_delta_a. This function is responsible for calculating the amount of tokenA required to provide the liquidity L to the pool. The attacker curated the value of L in a particular way that required the amount of tokens A to be just 1.
Notice how in the below transaction, the attacker only provided 1 unit of token and then minted and removed a massive amount of liquidity, equating to the flashloan taken. Once the attacker minted the liquidity, they returned the initial flashloan and kept the leftover tokens as profit.
A similar attack pattern was noticed in various transactions from the attacker draining funds from liquidity pools.
Don't Let a Tiny Bug Cost You Millions
Don't Let a Tiny Bug Cost You Millions
A single arithmetic overflow led to a $223M disaster for Cetus Protocol. Don’t let hidden vulnerabilities put your protocol at risk. Get your smart contracts audited by experts at QuillAudits and stay secure.
Root Cause Analysis
When get_delta_a calculates the amount of tokenA required, it calls the checked_shlw function. The checked_shlw function is called with the multiplication of arg2 and v0. arg2 is the liquidity to be minted provided by the attacker. While v0 is the difference between the tick calculated with the absolute value of (arg1 - arg0), where arg1 and arg0 are the price ticks, which in this case are [300000, 300200].
The function returns two values, as seen in the above function get_delta_a, which are v1 and v2. v1 should be 0 in the case value of input [liquidity * (arg1 - arg0)] exceeds 2^192, and v2 should be true. If v2 is true, it means that the value exceeded the threshold, and the function aborts in the next line.
But the above wasn’t true in this case, and it used this mask instead 0xffffffffffffffff << 192, which allowed the input bits to exceed 192 bits, and it was later shifted left by 64 bits, exceeding the 256 bits, creating an overflow, which resets the value to a much smaller number.
In the following fix the mask was replaced with 1 << 192, which prevents bits above 192 from entering the function and gets aborted.
The function get_delta_a then divides the numerator returned by the checked_shlw function by the denominator (multiplication of ticks), producing a very low quotient, hence returning the value 1, which is the amount of tokensA required to mint the massive liquidity.
The attack flow in simple terms:
Fund Flow Post Attack
Once the attack was completely executed, the attacker got control of funds of ~$223M, the attacker started bridging USDC to Ethereum using Wormhole.
The attacker was able to bridge ~$62M USDC and converted it to ETH. Most of the funds still sit in the attacker’s wallet.
Source: Arkham
Source: Arkham
Sui validators blocked the remaining funds ~$162M. The validators would block any transactions coming from the attacker’s wallet.
Relevant Transactions and Addresses
Attacker Wallets
- Sui: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06
- ETH: 0x89012a55cD6b88e407C9d4ae9B3425F55924919b
- ETH: 0x0251536BfcF144B88e1aFa8fe60184Ffdb4cAF16
Transactions
- Exploit tx: https://suivision.xyz/txblock/Fa4Q5HKewvX6uzUE95keRackZ3nxpBdNfcVryyXkhXis
- Transfer of 20k ETH from attacker’s wallet: https://etherscan.io/tx/0xcf5500862c1bf696e5a7acc29559e2a549497846280b8d8a5349a74941bc921a
How the Attack Could Have Been Prevented?
The bug was related to how a particular function handled large integer values. The attacker took the benefit of the overflow bug as it lacked checks on the input provided by the user and truncated the value.
Understanding the mathematical aspects and how integers are handled is crucial for DeFi protocols, as they handle large integer values for added precision. Moreover, DeFi protocols are usually complex in terms of design, and having an external expert support adds value to the overall testing process. Robust testing and auditing play an important role in avoiding getting trapped in such edge cases.
Conclusion
Cetus Protocol is one of the major DEXs on the Sui Network. An overflow bug became a huge attack vector, draining $223M in the process. Sui validators acted fast to save the stolen funds and were only able to freeze $162M through a set of validators.
The amount of tokens required to mint a certain amount of liquidity was bugged due to an arithmetic overflow bug, leading to an attacker only providing 1 unit of token and minting a massive amount of liquidity in return.
At QuillAudits, with our 7+ years of experience in testing and auditing smart contracts and our multi-layered auditing framework, we help move-based protocols get audited and be production-ready.
