In May 2025, Cetus Protocol, the largest decentralized exchange (DEX) on the Sui blockchain, suffered a major exploit resulting in a $223 million loss. The attacker exploited a flaw in the protocol’s shared math library contract, specifically in the checked_shlw function used for integer overflow checks in liquidity calculations. The vulnerability arose from an incorrect comparison in the overflow check, where the function compared values against 0xFFFFFFFFFFFFFFFF << 192 instead of 0x1 << 192, allowing certain values to pass the check while causing an overflow. The attacker used a flash loan and opened a position with a narrow tick range ([300000, 300200]), triggering an overflow in liquidity calculations that assigned a single deposited token an inflated liquidity value. This enabled the attacker to drain $223 million from the DEX across multiple transactions. Cetus was offline for 17 days, resuming operations on June 9, 2025, after recovering $162 million of the stolen funds. The Sui Foundation provided a loan to compensate affected users on May 28, restoring liquidity pools to 85-99% of their original levels. The attacker, unresponsive to negotiation attempts, laundered funds through Tornado Cash. The protocol’s total value locked (TVL) dropped from $284 million to $124 million, and the CETUS token lost 44% of its value over the month. Cetus is pursuing legal action against the attacker. The incident, missed by prior audits, underscores the risks of mathematical errors in smart contracts and the need for rigorous security testing, particularly for bit-shift operations in the Move programming language.
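The flawed bound described above, modelled in Python as an added example (not Cetus's Move code): a checked 64-bit left shift on a 256-bit integer, with the wrong comparison constant beside the corrected one. The exact comparison operators and the masking used to mimic u256 truncation are assumptions for illustration.

```python
# Model of a checked "shift left by 64 words" on an unsigned 256-bit integer.
U256_MAX = (1 << 256) - 1

# What the page says the check compared against, versus the correct bound.
WRONG_BOUND = 0xFFFFFFFFFFFFFFFF << 192   # 2^256 - 2^192
RIGHT_BOUND = 1 << 192                    # any n >= 2^192 loses bits when shifted by 64


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Flawed version (comparison operator assumed): overflow is only flagged
    when n exceeds WRONG_BOUND, so every n in [2^192, WRONG_BOUND] is shifted
    anyway and its high bits are silently dropped, as u256 arithmetic would."""
    if n > WRONG_BOUND:
        return 0, True
    return (n << 64) & U256_MAX, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Corrected version: flag overflow for every n that cannot be shifted
    without leaving the 256-bit range. The result never needs masking."""
    if n >= RIGHT_BOUND:
        return 0, True
    return n << 64, False


def silently_truncates(n: int) -> bool:
    """True when the buggy check accepts n but the true shift does not fit in 256 bits,
    i.e. the caller receives a wrong value with no overflow signal."""
    value, overflow = checked_shlw_buggy(n)
    return (not overflow) and (n << 64) > U256_MAX


if __name__ == "__main__":
    # Constructed sample input: sits inside the gap between the two bounds.
    sample = (1 << 200) | 5
    print("buggy:", checked_shlw_buggy(sample))   # (5 << 64, False): high bit lost, no flag
    print("fixed:", checked_shlw_fixed(sample))   # (0, True): overflow reported
    print("gap width in bits:", (WRONG_BOUND - RIGHT_BOUND).bit_length())
```

Fuzzing or property testing the boundary values of a checked arithmetic helper (here 2^192 - 1, 2^192 and the mask itself) is the kind of check that would have caught this before an audit did not.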