Attackers exploited a critical overflow bug in the logic of Cetus Protocol's automated market maker, leading to $223 million in user losses, according to a post-mortem from Dedaub.
“This incident represents one of the most significant DeFi exploits in recent history, caused by a subtle but critical error in ‘overflow’ protection,” blockchain security firm Dedaub said in its report.
Dedaub explained that the bug involved an “overflow” check used in the math of Cetus's automated market maker, where a mis-written condition failed to examine the most significant bits of large numeric inputs and therefore “did not produce the intended result.”
Instead of rejecting oversized values, the system truncated them, making the output appear far smaller than it should have been.
This let the attacker deposit only a single token while the protocol wrongly credited them with an enormous liquidity position. They then used that position to drain large quantities of real assets from the pools.
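The bug class described above, as a constructed illustration added here (not Cetus or Dedaub code): a guard that checks the wrong bits and then truncates, beside a hardened check and the round-trip invariant a reviewer or test suite can apply to any shift-then-cast.

```python
# Constructed illustration of the bug class described above (a guard that
# inspects the wrong bits and then truncates), not Cetus or Dedaub code.
MAX_U64 = (1 << 64) - 1


def checked_shl_buggy(n: int, shift: int) -> int:
    """Intended: reject n if n << shift does not fit in a u64.

    Mis-written guard (hypothetical): it tests whether the shifted value fits
    the 256-bit intermediate instead of the 64-bit destination, so it never
    looks at bits 64..255 of the input. Oversized inputs pass the check and
    are then cut down by the truncating cast, yielding a value that looks small.
    """
    if n >= (1 << (256 - shift)):
        raise OverflowError("overflow")
    return (n << shift) & MAX_U64  # truncating cast: bits >= 64 vanish


def checked_shl(n: int, shift: int) -> int:
    """Hardened version: bound the input against the 64-bit destination."""
    if not 0 <= shift < 64:
        raise ValueError("shift out of range")
    if n >= (1 << (64 - shift)):  # any set bit at or above 64-shift would be lost
        raise OverflowError("overflow")
    result = n << shift
    assert result >> shift == n  # post-condition: nothing was discarded
    return result


def lossless(n: int, shift: int, result: int) -> bool:
    """Cheap invariant for any shift-then-cast: the operation is only valid
    if shifting the result back recovers the original input."""
    return (result >> shift) == n


# Constructed sample: a 41-bit "liquidity" value shifted by 32 needs 73 bits.
SAMPLE_N = (1 << 40) + 5
SAMPLE_SHIFT = 32


def demo() -> dict:
    buggy = checked_shl_buggy(SAMPLE_N, SAMPLE_SHIFT)  # passes the wrong guard
    try:
        checked_shl(SAMPLE_N, SAMPLE_SHIFT)
        fixed = "accepted"
    except OverflowError:
        fixed = "rejected"
    return {"buggy": buggy,
            "buggy_lossless": lossless(SAMPLE_N, SAMPLE_SHIFT, buggy),
            "fixed": fixed}


if __name__ == "__main__":
    print(demo())
```

The buggy path returns 21474836480 (only the low 5 bits of the input survive), while the hardened path rejects the same input; the `lossless` round-trip check exposes the truncation regardless of which guard was used.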
According to Dedaub, a similar vulnerability was flagged by blockchain security firm OtterSec in early 2023 during an audit of the protocol's codebase when it was deployed on Aptos.
After the code was later ported to the Sui network, the underlying problem remained. Although the developers attempted to add safeguards, the overflow check was flawed, allowing the same type of exploit to slip through unnoticed.
“This incident shows why edge cases in DeFi cannot be ignored,” Dedaub warned, adding that complex math in decentralized finance must be carefully reviewed and tested. It urged developers to manually verify overflow protection, especially when working with large numbers or advanced math.
Cetus exploit triggers sell-off
Cetus, a leading DEX on the Sui network, was hacked in the early hours of May 22, causing what is so far one of the largest losses in the Sui ecosystem. Initial investigations attributed the incident to an “oracle bug.”
The exploit led to more than $223 million in losses across various liquidity pools, triggering a broad sell-off in related tokens, including SUI and CETUS, which fell more than 40% in the hours after the breach. Memecoins and smaller market-cap tokens on the network saw even steeper losses, with some dropping more than 90%.
In response, the Sui Foundation coordinated with validators to freeze around $163 million of the stolen funds. Cetus has also announced a $5 million bounty for information that identifies the attacker.