The cause and impact of the attack on Cetus are not yet clear. Let's first take a look at the code security audit of Cetus.

As laymen, we cannot understand the specific technologies, but we can understand the audit summary.

➤ Audit by Certik

From the above, Certik's code security audit of Cetus found only 2 minor risks, which have been resolved. There were also 9 informational risks, 6 of which have been resolved.

Certik gave an overall score of 83.06 and a code audit score of 96.

➤ Other audit reports of Cetus (SUI chain)

There are 5 code audit reports listed on Cetus' GitHub, excluding Certik's audit. I guess the project owner knows that Certik's audit is just a formality, so they didn't include this report.

Cetus supports both the Aptos and SUI chains, and these five audit reports come from MoveBit, OtterSec, and Zellic. MoveBit and OtterSec audited Cetus' code on the Aptos and SUI chains respectively, and Zellic presumably also audited the code on the SUI chain.

Because the victim of this attack was Cetus on the SUI chain, we will only look at the audit report of Cetus on the SUI chain.

❚ Audit report from MoveBit

Report upload time to GitHub: 2023-04-28

If we don’t understand the specific audit content, we can find a table like this to see the number of risk issues at each level listed in the report and their resolution status.

MoveBit's audit report on Cetus found a total of 18 risk issues, including 1 fatal risk issue, 2 major risk issues, 3 medium risk issues, and 12 minor risk issues, all of which have been resolved.

There are more issues than Certik found, and Cetus has fixed all of them.

❚ Audit report from OtterSec

Report upload time to GitHub: 2023-05-12

OtterSec's audit report on Cetus found 1 high-risk issue, 1 medium-risk issue, and 7 informational risks. Because the report table does not directly show the resolution of the risk issues, I will not take a screenshot.

Among them, the high-risk issue and the medium-risk issue have been resolved. As for the informational risk issues, 2 have been resolved, 2 have been patched, and 3 remain open. After a rough study, these 3 are:

• The inconsistency between the Sui and Aptos versions of the code may affect the price calculation accuracy of the liquidity pool.
• Lack of suspended-status verification. When swapping, there is no check of whether the liquidity pool is in a suspended state, so a suspended pool may still be tradeable.
• Converting a u256 value to the u64 type overflows if the value exceeds MAX_U64, which may cause calculation errors in large transactions.
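To make the last two findings concrete, here is an added Rust model (not Cetus, OtterSec or Move code) of a swap entry point that checks the pool's pause flag first and narrows a 256-bit amount to u64 only when it fits; the U256 pair type, the field names and the constant-product quote are assumptions for illustration.

```rust
// Added example, not project code: u256 is modelled as a (high, low) u128
// pair because Rust has no native 256-bit integer.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct U256 { pub hi: u128, pub lo: u128 }

pub const MAX_U64: u128 = u64::MAX as u128;

/// Weak form: silently keeps the low 64 bits, so 2^64 becomes 0.
pub fn truncate_to_u64(v: U256) -> u64 {
    v.lo as u64
}

/// Corrected form: refuses any value above MAX_U64 instead of wrapping.
pub fn checked_to_u64(v: U256) -> Option<u64> {
    if v.hi != 0 || v.lo > MAX_U64 { None } else { Some(v.lo as u64) }
}

#[derive(Debug, PartialEq)]
pub enum SwapError { PoolPaused, AmountOverflow, EmptyPool }

/// Hypothetical pool state; `is_pause` is the suspended flag the finding refers to.
pub struct Pool { pub is_pause: bool, pub reserve_a: u64, pub reserve_b: u64 }

/// Swap entry that guards pool state and amount width before touching reserves.
pub fn swap(pool: &mut Pool, amount_in: U256) -> Result<u64, SwapError> {
    if pool.is_pause {
        return Err(SwapError::PoolPaused);
    }
    if pool.reserve_a == 0 || pool.reserve_b == 0 {
        return Err(SwapError::EmptyPool);
    }
    let amount_in = checked_to_u64(amount_in).ok_or(SwapError::AmountOverflow)?;
    // Constant-product quote with checked arithmetic so nothing wraps.
    let new_a = pool.reserve_a.checked_add(amount_in).ok_or(SwapError::AmountOverflow)?;
    let k = (pool.reserve_a as u128) * (pool.reserve_b as u128);
    // new_a >= reserve_a, so k / new_a <= reserve_b and the cast cannot truncate.
    let new_b = (k / new_a as u128) as u64;
    let out = pool.reserve_b - new_b;
    pool.reserve_a = new_a;
    pool.reserve_b = new_b;
    Ok(out)
}
```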

It is not clear whether the attack is related to the above issues.

❚ Audit report from Zellic

Report upload time to GitHub: April 2025

Zellic's audit report on Cetus found three informational risks, none of which were fixed:

• A function authorization issue that allows anyone to call it to deposit fees into any partner account. This seems to be risk-free, as it is a deposit, not a withdrawal, so Cetus has not fixed it yet.

• A deprecated function is still referenced. The code is redundant and seems to be risk-free, but it is not standardized enough.

• A UI rendering issue in NFT display data. A character type could have been used, but Cetus used the more complex TypeName data type of the Move language. This is not a big problem, and Cetus may develop other NFT features in the future.

Overall, Zellic found three informational-level sub-issues, which are basically risk-free and belong to the code standardization aspect.

We need to remember these three auditing agencies: MoveBit, OtterSec, and Zellic. Most auditing agencies on the market specialize in EVM auditing, whereas these three are Move language code auditing agencies.

➤ Audit and security level (taking new DEX as an example)

First of all, projects that have not been audited have certain Rug risks. After all, if they are not willing to pay for the audit, it is hard to believe that they have the desire to operate in the long term.

Secondly, the Certik audit is actually a "favor audit". Why is it called a "favor audit"? Certik has a very close cooperation with coinmarketcap. There is an audit icon on the coinmarketcap project page. Clicking it will enter Certik's navigation platform skynet.

As a platform under Binance, coinmarketcap indirectly established a cooperative relationship between Certik and Binance. In fact, Binance and Certik have always had a good relationship, so most projects that want to be listed on Binance will seek Certik's audit.

Therefore, if a project seeks an audit from Certik, it is likely to want to be listed on Binance.

However, history has proven that projects audited only by Certik have a high probability of being attacked, such as DEXX. Some projects have even been rug-pulled, such as ZKasino.

Of course, Certik also provides other security assistance. In addition to code auditing, Certik will scan websites, DNS, etc. and provide some security information beyond code auditing.

Third, many projects will seek one or more other high-quality audit entities to conduct code security audits.

Fourth, in addition to professional code audits, some projects also launch bug bounty programs and audit competitions to pool ideas and eliminate vulnerabilities.

Because the products attacked this time are DEX products, let's take some newer DEXes as examples:

---------------------------
✦✦✦GMX V2 was audited by five companies including abdk, certora, dedaub, guardian, and sherlock, and launched a vulnerability bounty program with a maximum reward of US$5 million for each vulnerability.

✦✦✦DeGate, which was audited by 35 companies including Secbit, Least Authority, and Trail of Bits, launched a vulnerability bounty program with a maximum reward of $1.11 million per item.

✦✦✦DYDX V4 was audited for code security by Informal Systems, which also launched a bug bounty program with a maximum reward of $5 million per item.

✦✦✦Hyperliquid conducted a code security audit by Hyperliquid and launched a vulnerability bounty program with a maximum reward of US$1 million for a single item.

✦✦UniversalX is audited by Certik and SlowMist respectively.

✦GMGN is quite special. No code audit reports were found. It only has a bug bounty program with a maximum reward of $10,000 per item.

➤ Written at the end

After reviewing the code security audits of these DEXes, we can see that even a DEX like Cetus, jointly audited by three auditing agencies, can still be attacked. Audits by multiple parties, combined with bug bounty programs or audit competitions, are relatively secure.

However, for some new Defi protocols, there are still problems that have not been fixed in the code audit, which is why Brother Feng pays special attention to the code audit of new Defi protocols.