Analysis of the $230 Million Theft Incident Involving Cetus by SlowMist

By admin | May. 26, 2025

Background

On May 22, according to community messages, Cetus, a liquidity provider in the SUI ecosystem, was suspected of being attacked. Liquidity pool depth dropped sharply, and multiple token trading pairs on Cetus fell in price, with estimated losses exceeding 230 million USD. Later, Cetus released a statement saying: “An incident was detected in our protocol, and for security reasons, the smart contract has been temporarily paused. The team is currently investigating the incident. We will release further updates soon.”

After the incident, the SlowMist security team immediately intervened to analyze the situation and released a security alert. Below is a detailed analysis of the attack methods and fund transfer situation.

https://x.com/CetusProtocol/status/1925515662346404024

Related Information

One of the attack transactions: https://suiscan.xyz/mainnet/tx/DVMG3B2kocLEnVMDuQzTYRgjwuuFSfciawPvXXheB3x

Attacker address: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06

Attacked pool address: 0x871d8a227114f375170f149f7e9d45be822dd003eba225e83c05ac80828596bc

Involved tokens: haSUI / SUI

Attack Analysis

The core of this incident lies in the attacker carefully constructing parameters to cause an overflow, while bypassing detection, and ultimately using a minimal token amount to exchange for massive liquidity assets. Below is a step-by-step breakdown:

Step 1

The attacker first borrowed 10,024,321.28 haSUI through a flash loan, causing the pool price to crash from 18,956,530,795,606,879,104 to 18,425,720,184,762,886, a price drop of 99.90%.

Step 2

The attacker carefully selected a very narrow price range to set up a liquidity position:

  • Tick lower bound: 300000 (Price: 60,257,519,765,924,248,467,716,150)
  • Tick upper bound: 300200 (Price: 60,863,087,478,126,617,965,993,239)
  • Price range width: only 1.00496621%

Step 3

Next, the core of the attack took place. The attacker declared that they were adding a huge amount of liquidity, 10,365,647,984,364,446,732,462,244,378,333,008 units, but due to a vulnerability, the system only charged 1 token A.

Step 4

Why was the attacker able to obtain such a huge amount of liquidity for just 1 token? The core reason is that the checked_shlw function used in get_delta_a had an overflow-detection bypass. The attacker exploited this flaw so that the system miscalculated how much haSUI was actually required: because the overflow went undetected, the required haSUI amount was computed far too low, and the attacker could exchange a minimal amount of tokens for a very large liquidity position.

When the system calculates how much haSUI is needed to add such a huge liquidity:

The key issue lies in the implementation of the checked_shlw function. In fact, any input value less than 0xffffffffffffffff << 192 will bypass the overflow detection. However, when these values are left-shifted by 64 bits, the result will exceed the u256 representation range, and the higher bits are truncated, resulting in a value much smaller than the theoretical value. As a result, the system will underestimate the required haSUI amount in subsequent calculations.

Error mask: 0xffffffffffffffff << 192 = a very large value (approximately 2^256 - 2^192). Almost all inputs are smaller than this mask, bypassing overflow detection.

Real problem: When n >= 2^192, n << 64 will exceed the u256 range and be truncated.

The intermediate value constructed by the attacker, liquidity * sqrt_price_diff = 6277101735386680763835789423207666908085499738337898853712, is:

  • Smaller than the error mask, so it bypasses overflow detection
  • But after shifting left by 64 bits, larger than the u256 maximum value, so the overflowing high bits are truncated
  • As a result, the final quotient is less than 1, but because the division rounds up, the calculated amount equals 1

Step 5

Finally, the attacker removed liquidity, gaining a massive token profit:

  • First removal: 10,024,321.28 haSUI
  • Second removal: 1 haSUI
  • Third removal: 10,024,321.28 haSUI

Step 6

The attacker repaid the flash loan, netting a profit of about 10,024,321.28 haSUI and 5,765,124.79 SUI, completing the attack.

Project Fix

After the attack, Cetus released a fix. The specific fix code can be found at: https://github.com/CetusProtocol/integer-mate/pull/7/files#diff-c04eb6ebebbabb80342cd953bc63925e1c1cdc7ae1fb572f4aad240288a69409.

The fixed checked_shlw function is as follows:

Fix description:

  • Corrected the erroneous mask 0xffffffffffffffff << 192 to the correct threshold 1 << 192
  • Corrected the condition from n > mask to n >= mask
  • Ensured that when left-shifting by 64 bits may cause overflow, it is correctly detected and an overflow flag is returned.
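
The flawed and corrected checks described in Step 4 and in the fix description, modelled in Python as an added example (this is not the Cetus or integer-mate source, which is written in Move). It assumes the two "Price" values from Step 2 are the sqrt-price inputs and that the denominator is their product, as in the usual concentrated-liquidity formula; the function names other than checked_shlw and get_delta_a are hypothetical.

```python
# Added illustration: a Python model of the checks described in the article,
# not the project's Move code. Python ints are unbounded, so the u256
# truncation is modelled explicitly with a mask.
U256_MAX = (1 << 256) - 1

# Values quoted in the article (Steps 2 to 4).
LIQUIDITY = 10365647984364446732462244378333008
SQRT_PRICE_LOWER = 60257519765924248467716150  # tick 300000
SQRT_PRICE_UPPER = 60863087478126617965993239  # tick 300200
INTERMEDIATE = 6277101735386680763835789423207666908085499738337898853712


def checked_shlw_flawed(n):
    """Pre-fix check as described: flag only if n > 0xffffffffffffffff << 192."""
    if n > (0xFFFFFFFFFFFFFFFF << 192):
        return 0, True
    return (n << 64) & U256_MAX, False  # bits above 2^256 are silently dropped


def checked_shlw_fixed(n):
    """Post-fix check as described: flag if n >= 1 << 192."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False  # always fits in u256 once n < 2^192


def get_delta_a(liquidity, sqrt_lower, sqrt_upper, shlw):
    """Token A owed for `liquidity`, rounded up; None if overflow is flagged.

    Assumption: the denominator is sqrt_lower * sqrt_upper.
    """
    numerator, overflow = shlw(liquidity * (sqrt_upper - sqrt_lower))
    if overflow:
        return None
    return -(-numerator // (sqrt_lower * sqrt_upper))  # ceiling division


def untruncated_delta_a(liquidity, sqrt_lower, sqrt_upper):
    """Reference amount computed without any u256 wrap-around."""
    numerator = (liquidity * (sqrt_upper - sqrt_lower)) << 64
    return -(-numerator // (sqrt_lower * sqrt_upper))


if __name__ == "__main__":
    args = (LIQUIDITY, SQRT_PRICE_LOWER, SQRT_PRICE_UPPER)
    print("flawed check :", get_delta_a(*args, checked_shlw_flawed))
    print("fixed check  :", get_delta_a(*args, checked_shlw_fixed))
    print("no truncation:", untruncated_delta_a(*args))
```

A regression test for a fix of this kind should include inputs on both sides of 2^192, since that is the boundary the original mask missed.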

MistTrack Analysis

According to the analysis, the attacker 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06 profited approximately 230 million USD, including various assets such as SUI, vSUI, USDC, and others.

We found that the attacker had prepared the Gas Fee two days before and made an attempt before the attack, but failed:

After profiting, the attacker transferred some funds like USDC, SOL, suiETH through cross-chain bridges such as Sui Bridge, Circle, Wormhole, and Mayan to the EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Among them, 5.2341 WBNB was cross-chained to the BSC address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Next, the attacker deposited 10 million USD worth of assets into Suilend:

The attacker also transferred 24,022,896 SUI to the new address 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562, which has not yet been transferred out:

Fortunately, according to Cetus, with the cooperation of the SUI Foundation and other ecosystem members, 162 million USD of the stolen funds on SUI have been successfully frozen.

https://x.com/CetusProtocol/status/1925567348586815622

Next Steps

Next, we used the on-chain anti-money laundering and tracking tool MistTrack to analyze the EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b receiving cross-chain funds.

This address received 5.2319 BNB on BSC, which has not been transferred out:

This address received 3,000 USDT, 40.88 million USDC, 1,771 SOL, and 8,130.4 ETH on Ethereum. USDT, USDC, and SOL were swapped for ETH via CoW Swap, ParaSwap, and others:

Next, the address transferred 20,000 ETH to address 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16, and it has not been transferred out:

Currently, the address’s balance on Ethereum is 3,244 ETH:

MistTrack has added the above addresses to the malicious address list and will continue to monitor the address balances.

Summary

This attack demonstrates the power of mathematical overflow vulnerabilities. The attacker, by carefully calculating specific parameters and exploiting the checked_shlw function flaw, gained liquidity worth billions for the cost of 1 token. This is an extremely precise mathematical attack, and the SlowMist security team recommends developers strictly verify all boundary conditions in mathematical functions when developing smart contracts.
