QI Quadriga Initiative

May 2025 - Cetus Protocol Shift Left Overflow Vulnerability Exploit Drain - $223m (Global)

Cetus Protocol is a decentralized exchange (DEX) built on the Sui blockchain, designed to simplify on-chain trading and liquidity provision for users and developers alike. It offers a suite of advanced DeFi tools including swap aggregation, concentrated liquidity pools, intent-based trading, and automated vaults to help users maximize capital efficiency and returns. The platform supports both casual and institutional users, boasting features like limit orders, dollar-cost averaging (DCA), and multi-tier fee pools, all within a permissionless and secure environment.

At its core, Cetus functions as a CLMM-based DEX (Concentrated Liquidity Market Maker), allowing liquidity providers to allocate capital within specific price ranges, thereby improving efficiency and reducing slippage. With its Infinity Pools, users can deploy liquidity flexibly, while Cetus Vault offers automation for liquidity management. The protocol incentivizes participation through liquidity mining, yield farming, and a dual-token model featuring CETUS and xCETUS, designed to deliver sustainable, protocol-based rewards.

Cetus also serves as an on-ramp for new projects within the Sui ecosystem through its Asset Launch feature, enabling token launches and liquidity bootstrapping via its Launchpad. For developers, Cetus provides "Liquidity as a Service," offering APIs and smart contracts that integrate seamlessly with other applications. It is deeply embedded in the Sui ecosystem and audited for security, with a strong emphasis on open-source and permissionless design principles.

A vulnerability resided in a shared math library function (checked_shlw), one that was conveniently “out of scope” in multiple top-tier reviews.

By manipulating a poorly guarded formula in the get_liquidity_from_a function, attackers used a single SCA token and a narrow tick range to generate an astronomical liquidity position, essentially minting value out of thin air. This arithmetic loophole — a denominator approaching zero — allowed attackers to withdraw massive funds with negligible input, all without needing advanced exploits, oracle tampering, or smart contract breaches.
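The overflow guard at the heart of this incident is small enough to model in a few lines. The Python below is an added illustration, not Cetus or library code from the page: it emulates a 256-bit "checked shift-left by 64" with a guard that is too permissive beside one that is correct, and includes the round-trip property a reviewer can test to catch the gap. The specific mask constant in the flawed version is my reconstruction of the bug class from public post-mortems and should be read as an assumption, not as a quotation of the audited source; Python integers are unbounded, so the wrap that a u256 would perform is applied explicitly.

```python
# Added illustration of a "checked shift-left word" guard (not Cetus's code).
# A Move u256 wraps silently on shift; Python ints do not, so we mask by hand.

U256_BITS = 256
U256_MAX = (1 << U256_BITS) - 1
SHIFT = 64  # shift by one 64-bit word


def checked_shlw_flawed(n: int) -> tuple[int, bool]:
    """Too-permissive guard (assumed reconstruction of the bug class).

    The mask has all-zero low 192 bits, so every n in [2**192, mask] passes
    the check even though n << 64 no longer fits in 256 bits.
    Returns (value, overflowed).
    """
    mask = 0xFFFFFFFFFFFFFFFF << 192  # == 2**256 - 2**192
    if n > mask:
        return 0, True
    # Emulate the u256 truncation: the high bits are discarded, no flag set.
    return (n << SHIFT) & U256_MAX, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct guard: n << 64 fits in 256 bits iff n < 2**192."""
    if n >= (1 << (U256_BITS - SHIFT)):
        return 0, True
    return n << SHIFT, False


def shift_roundtrips(shlw, n: int) -> bool:
    """Invariant worth property-testing in review: whenever the guard reports
    no overflow, shifting the result back must recover the input exactly."""
    value, overflowed = shlw(n)
    return overflowed or (value >> SHIFT) == n


def unguarded_inputs(shlw, samples) -> list[int]:
    """Inputs for which the guard says 'no overflow' yet the result is wrong."""
    return [n for n in samples if not shift_roundtrips(shlw, n)]


# Constructed sample inputs spanning the interesting boundaries.
SAMPLES = [0, 1, (1 << 192) - 1, 1 << 192, 1 << 200, (1 << 256) - 1]

if __name__ == "__main__":
    for name, fn in (("flawed", checked_shlw_flawed), ("fixed", checked_shlw_fixed)):
        bad = unguarded_inputs(fn, SAMPLES)
        print(f"{name}: {len(bad)} unguarded inputs", [hex(n) for n in bad])
```

Running the block reports two unguarded inputs for the flawed guard (2**192 and 2**200, both of which shift to zero with no overflow flag) and none for the fixed guard. A value that silently collapses to zero inside a liquidity formula is exactly how a "denominator approaching zero" can appear without any external manipulation; a boundary-value or property test on the helper would have surfaced it regardless of audit scope.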

Over $260 million was lost in the Cetus Protocol exploit, according to the Verichains analysis.

The attack rapidly impacted every Cetus AMM pool, prompting Sui validators to initiate an emergency response. In a rare move, they froze $162 million mid-heist through a network-wide consensus override. Despite this, over $60 million had already been laundered through the Wormhole bridge to Ethereum and converted into nearly 21,000 ETH. The attacker, demonstrating deep familiarity with both the protocol and its underlying math, moved swiftly and efficiently, leaving few traces beyond blockchain breadcrumbs.

Several other Sui-based DeFi protocols, including Kriya, FlowX, and Turbo Finance, were found to be using the same flawed logic, with some quietly patching their code post-incident. Cetus and Inca Digital initially offered the attacker a $6 million whitehat bounty, which was ignored, leading to a public $5 million bounty for identification and arrest.

There remains an outstanding $5m bounty for the identification of the hacker and return of the funds.

Further Analysis

Cetus Protocol, a decentralized exchange built on the Sui blockchain, suffered a catastrophic exploit resulting in over $260 million in losses due to a vulnerability in a shared math library function, checked_shlw. The flaw allowed an attacker to manipulate a core liquidity calculation, using minimal input to mint excessive liquidity and drain funds across multiple AMM pools. Despite a swift emergency response by Sui validators that froze $162 million mid-heist, over $60 million was bridged to Ethereum and converted to ETH. The incident exposed broader vulnerabilities across the Sui DeFi ecosystem, with several protocols patching similar logic flaws post-exploit. Cetus has since offered a $5 million bounty for the identification and return of the stolen funds.

How Could This Have Been Prevented?


Sources/Further Reading

Cetus - Rekt News (Dec 31)
Cetus Protocol Homepage (Dec 31)
Rekt HQ - "$223 million from @CetusProtocol through broken math. Sui validators froze $162M mid-heist. Over $60M walked across Wormhole and never looked back. Was it an exploit - or just the math working as written?" - Twitter/X (Dec 31)
Zellic Co-Founder - "We're unable to share more details right now as it's an evolving situation, but the bug was out of scope for our audit. There will be a full analysis soon" - Twitter/X (Dec 31)
Attacker's SUI Address - SUI Vision (Dec 31)
Attack Transaction - SUI Vision (Dec 31)
Cetus Protocol $260M Exploit: Root Cause Analysis and Technical Breakdown - Verichains (Dec 31)
SlowMist - Twitter/X - https://x.com/SlowMist_Team/status/1925521431875789198 (Dec 31)
SlowMist - Twitter/X - https://x.com/SlowMist_Team/status/1926205313931210951 (Dec 31)

