Briefing

The Cetus Protocol, a Concentrated Liquidity Market Maker (CLMM) on the Sui Network, suffered a catastrophic exploit that drained its liquidity pools, resulting in a loss of approximately $223 million in user assets. The primary consequence was a systemic liquidity shock across the Sui ecosystem, causing a sharp devaluation of multiple native tokens and a temporary halt of protocol operations. The Sui Foundation, in coordination with validators, froze $162 million of the stolen funds on-chain, but the remaining $61 million was bridged to Ethereum and converted to ETH.

Context

The core risk factor was the reliance on an open-source library for critical arithmetic operations within the complex logic of the Concentrated Liquidity Market Maker model. While the Move programming language provides inherent overflow protections, bit shift operations are intentionally exempted, necessitating a custom safeguard that was incorrectly implemented. This created a latent, high-severity vulnerability class where faulty input validation could lead to state corruption and asset loss, despite the protocol having undergone multiple security audits.

Analysis

The attacker initiated the exploit using a flash swap to manipulate pool prices, then leveraged a subtle flaw in the checked_shlw function of a third-party library. This function, intended to prevent integer overflow during bit shifts, used an incorrect constant for its validation check, allowing an attacker-supplied liquidity value to pass the check. This value then caused a Most Significant Bits (MSB) truncation during the subsequent liquidity calculation, resulting in the protocol assigning an artificially massive liquidity position to the attacker for a minimal token deposit (e.g. one unit). The attacker immediately used this phantom liquidity to remove a proportional amount of real assets from the pool, effectively draining the funds in a series of transactions.
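The guard failure described above can be modelled outside Move and caught with a boundary test. This is an added example, not code from Cetus or the third-party library: the Python names and function bodies are illustrative, and the too-large mask is an assumption taken from public post-mortems, since this page does not give the constant.

```python
U256_MAX = (1 << 256) - 1

def shl_u256(n, bits):
    """Left shift on a 256-bit unsigned value: bits pushed past bit 255
    are silently dropped, as with Move's unchecked shift."""
    return (n << bits) & U256_MAX

# Assumption (from public post-mortems, not this page): the guard compared
# against a mask far above the real limit of 2**192.
FAULTY_MASK = shl_u256(0xFFFFFFFFFFFFFFFF, 192)  # 2**256 - 2**192
SAFE_LIMIT = 1 << 192                            # n << 64 fits only below this

def checked_shlw_faulty(n):
    """Returns (n << 64, overflowed) using the wrong constant."""
    if n > FAULTY_MASK:
        return 0, True
    return shl_u256(n, 64), False

def checked_shlw_fixed(n):
    """Returns (n << 64, overflowed) using the correct limit."""
    if n >= SAFE_LIMIT:
        return 0, True
    return shl_u256(n, 64), False

def is_sound(check, n):
    """Sound at n: overflow is flagged, or the result is exactly n * 2**64."""
    result, overflowed = check(n)
    return overflowed or result == n << 64

def boundary_values():
    """Inputs around the bit positions where the shift stops fitting."""
    vals = {0, 1, U256_MAX}
    for bit in (191, 192, 193, 255):
        p = 1 << bit
        vals.update({p - 1, p, p + 1})
    return sorted(vals)

def unsound_inputs(check):
    """Boundary inputs for which the guard returns a truncated result."""
    return [n for n in boundary_values() if not is_sound(check, n)]

if __name__ == "__main__":
    for name, fn in (("faulty", checked_shlw_faulty), ("fixed", checked_shlw_fixed)):
        bad = unsound_inputs(fn)
        print(name, "unsound boundary inputs:", len(bad))
        for n in bad:
            print("  bit length", n.bit_length(), "->", hex(fn(n)[0]))
```

A regression suite for any custom shift guard should include these boundary values, since every input from 2**192 up to the faulty mask passes the check while losing its most significant bits.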

Parameters

  • Total Funds Drained: $223 Million – The estimated loss from the CLMM pools on the Cetus Protocol.
  • Assets Frozen On-Chain: $162 Million – The amount of stolen funds successfully blacklisted by Sui validators.
  • Unrecovered Funds Bridged: $61 Million – The portion of assets successfully moved to Ethereum and converted to ETH.
  • Vulnerability Type: Integer Overflow Check Flaw – A subtle error in the logic of the checked_shlw function in a third-party library.

Outlook

Protocols utilizing complex AMM logic, particularly those built on newer virtual machines or languages like Move, must immediately conduct a zero-tolerance review of all custom arithmetic and external library dependencies. The successful on-chain freezing of $162 million by Sui validators introduces a critical discussion on the trade-off between decentralized immutability and emergency governance-based asset recovery, setting a precedent for centralized intervention on public networks. The industry standard must evolve beyond traditional audits to include formal verification of low-level bitwise operations and a deeper, adversarial review of all third-party code.

Verdict

This exploit confirms that complex mathematical logic and subtle bitwise errors in core smart contract libraries remain the highest-leverage attack vector, overriding the security assurances of even recently audited protocols.

Signal Acquired from: halborn.com