Attackers exploited a critical overflow flaw in Cetus Protocol’s automated market maker logic, which led to $223 million in user losses, according to a post-mortem by Dedaub.
“This incident represents one of the most significant DeFi exploits in recent history, caused by a subtle but critical flaw in “overflow” protection,” blockchain security firm Dedaub said in its report.
Dedaub explained that the flaw involved an “overflow” in the math used by Cetus’s automated market maker, where a miswritten condition failed to properly handle the most significant bits of large numerical inputs and “didn’t produce the intended result.”
Instead of rejecting oversized values, the system truncated them, causing the output to appear much smaller than it should have.
This allowed the attacker to deposit just a single token while the protocol mistakenly credited them with an enormous liquidity position. They then used that position to withdraw large amounts of real assets from the pools.
According to Dedaub, a similar vulnerability had been flagged in early 2023 by blockchain security firm Ottersec during an audit of the protocol’s codebase when it was deployed on Aptos.
However, after the code was later ported to the Sui network, the underlying issue still remained. Although developers attempted to implement safeguards, the overflow check was flawed, allowing the same type of exploit to slip through unnoticed.
“This incident shows why edge cases in DeFi can’t be ignored,” Dedaub warned, adding that complex math in decentralized finance needs careful review and testing. It urged developers to verify overflow protection manually, especially when using large numbers or advanced math.
Cetus exploit triggered sell-off
Cetus, a leading DEX on the SUI network, was hacked in the early hours of May 22, triggering one of the largest losses in the Sui ecosystem to date. Initial investigations claimed the incident stemmed from an “oracle bug.”.
The exploit led to over $223 million in losses across various liquidity pools, sparking a broad sell-off in related tokens, including SUI and CETUS, which dropped over 40% in the hours after the breach. Memecoins and smaller market cap tokens native to the network saw even steeper losses, with some plunging by over 90%.
In response, the Sui Foundation coordinated with validators to freeze around $163 million of the stolen funds. Cetus has also announced a $5 million bounty for information that identifies those responsible.
