A blockchain security firm has released a post-mortem report on the Cetus decentralized exchange hack. Here are the details:
Hack Overview: On May 22, 2025, the Cetus protocol on the Sui blockchain was hacked, resulting in the theft of over $223 million in user funds.
Cause of the Hack: The root cause of the attack was the exploitation of the liquidity parameters used by the Cetus automated market maker (AMM). The hackers took advantage of a flaw in the most significant bits (MSB) check, which allowed them to manipulate the values of the liquidity parameters and establish large positions with minimal token input. Specifically, the flaw was in the checked_shlw function used by the get_delta_a function. The attackers carefully constructed parameters that caused an overflow the check failed to detect. As a result, the system miscalculated the amount of tokens required, enabling the attackers to obtain a large amount of liquidity assets with very few tokens.
Attack Process: The attackers first borrowed 10.02 million haSUI through a flash loan, causing the price of the haSUI/SUI pool to plummet by 99.9%. Then, they added liquidity in the tick value range of 300,000 – 300,200, which is a 1% price range. They claimed to add huge liquidity (more than 10 to the 27th power), but due to the encoding error of the checked_shlw function, the contract only charged them 1 haSUI. Finally, the attackers removed the liquidity in three installments, obtaining 20.04 million haSUI and more than 5.76 million SUI. After repaying the flash loan, they made a net profit of over $230 million.
Post-Hack Actions: After the incident, Cetus fixed the code by correcting the threshold from 0xffffffffffffffff << 192 to the correct value of 1 << 192, changing the judgment condition from n > mask to n >= mask, and ensuring that the overflow flag is correctly detected and returned when a left shift of 64 bits may cause an overflow. The Sui network validators froze most of the stolen assets, with $163 million of the $223 million frozen on the same day as the hack.
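The threshold change described above can be checked directly. The following Python model is an added example, not the Cetus Move source: it puts the pre-fix and post-fix checks side by side using the two masks and comparisons quoted in the report. Assumptions: the value is a 256-bit unsigned integer whose left shift silently drops high bits, the function returns a (result, overflow_flag) pair, and the helper names and sample values are constructed for illustration.

```python
U256_MAX = (1 << 256) - 1                # model of a 256-bit unsigned integer
BUGGY_MASK = 0xffffffffffffffff << 192   # threshold before the fix (from the report)
FIXED_MASK = 1 << 192                    # threshold after the fix (from the report)


def shl64_u256(n):
    """Left shift by 64 in a 256-bit register: bits above bit 255 are dropped."""
    return (n << 64) & U256_MAX


def checked_shlw_buggy(n):
    """Pre-fix check: tests n > mask against the wrong threshold."""
    if n > BUGGY_MASK:
        return 0, True
    return shl64_u256(n), False


def checked_shlw_fixed(n):
    """Post-fix check: any n >= 1 << 192 loses bits when shifted by 64."""
    if n >= FIXED_MASK:
        return 0, True
    return shl64_u256(n), False


def missed_overflows(samples):
    """Samples whose shift really loses bits while the buggy check reports no overflow."""
    missed = []
    for n in samples:
        truly_overflows = (n << 64) > U256_MAX
        _, flagged = checked_shlw_buggy(n)
        if truly_overflows and not flagged:
            missed.append(n)
    return missed


# Constructed boundary values around both thresholds (not taken from the incident).
SAMPLES = [
    (1 << 192) - 1,      # largest value that is safe to shift
    1 << 192,            # smallest value that overflows
    (1 << 200) + 12345,  # overflows, far below the buggy threshold
    BUGGY_MASK,          # equals the buggy threshold, so n > mask is false
    BUGGY_MASK + 1,      # first value the buggy check rejects
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(n.bit_length(), checked_shlw_buggy(n)[1], checked_shlw_fixed(n)[1])
```

Every value from 1 << 192 up to and including the old mask is truncated without the flag being set, which is why a regression test for this kind of check should sit exactly on the boundary (mask - 1, mask, mask + 1).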
The release of this report helps the industry better understand the causes and processes of the Cetus hack, providing important references for preventing similar attacks in the future.