Author:Victory & Lisa
Editor: Liz
background
On May 22, according to community news, Cetus, the liquidity provider in the SUI ecosystem, was suspected of being attacked, the depth of the liquidity pool dropped significantly, and multiple token trading pairs on Cetus fell, with an estimated loss of more than US$230 million. Subsequently, Cetus issued an announcement stating: "An incident was detected in our protocol. For safety reasons, the smart contract has been temporarily suspended. The team is currently investigating the incident. We will soon issue a further investigation statement."
After the incident, the SlowMist security team immediately intervened to analyze the incident and issued a security alert. The following is a detailed analysis of the attack methods and fund transfer.
(https://x.com/CetusProtocol/status/1925515662346404024)
Related information
One of the attack transactions: https://suiscan.xyz/mainnet/tx/DVMG3B2kocLEnVMDuQzTYRgjwuuFSfciawPvXXheB3x
Attacker address: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06
Attacked pool address: 0x871d8a227114f375170f149f7e9d45be822dd003eba225e83c05ac80828596bc
Tokens involved: haSUI / SUI
Attack Analysis
The core of this incident is that the attacker carefully constructed parameters to cause overflow but bypass detection, and ultimately used a very small amount of tokens to exchange for a huge amount of liquid assets. The following is an analysis of the specific steps:
(Attack sequence diagram)
1. The attacker first borrowed 10,024,321.28 haSUI through a flash loan, causing the pool price to plummet from 18,956,530,795,606,879,104 to 18,425,720,184762886, a price drop of 99.90%.
2. The attacker carefully selected an extremely narrow price range to open a liquidity position:
Tick lower limit: 300000 (price: 60,257,519,765,924,248,467,716,150)
Tick limit: 300200 (price: 60,863,087,478,126,617,965,993,239)
Price range width: only 1.00496621%
3. Next comes the core of the attack. The attacker claims to add 10,365,647,984,364,446,732,462,244,378,333,008 units of huge liquidity, but due to a loophole, the system only collected 1 token A.
Let's analyze why the attacker was able to exchange a huge amount of liquidity with 1 token. The core reason is that there is an overflow detection bypass vulnerability in the checked_shlw in the get_delta_a function. The attacker took advantage of this and caused a serious deviation in the system's calculation of how much haSUI actually needed to be added. Because the overflow was not detected, the system misjudged the number of haSUI required, resulting in the attacker only needing a few tokens to exchange a large amount of liquid assets, thus achieving the attack.
When the system calculates how much haSUI is needed to add such huge liquidity:
The key here is that the implementation of the checked_shlw function is seriously flawed. In fact, any input value less than 0xffffffffffffffff << 192 will bypass the overflow check. However, when these values are left-shifted by 64 bits, the result exceeds the representation range of u256, and the high-order data is truncated, resulting in a result that is much smaller than the theoretical value. As a result, the system underestimates the number of haSUI required in subsequent calculations.
Error mask: 0xffffffffffffffff << 192 = a very large value (approximately 2^256-2^192)
Almost all inputs are smaller than this mask, bypassing overflow detection
Real problem: when n >= 2^192, n<<64 will exceed the range of u256 and will be truncated
The attacker’s intermediate value liquidity * sqrt_price_diff = 6277101735386680763835789423207666908085499738337898853712:
Less than error mask, bypassing overflow detection
However, after shifting left by 64 bits, the maximum value of u256 will be exceeded, causing the excess part to be truncated.
The final calculation result is less than 1, but because it is rounded up, the quotient is equal to 1.
4. Finally, the attacker removes the liquidity and obtains huge token gains:
First removal: 10,024,321.28 haSUI obtained
Second removal: Get 1 haSUI
Third removal: 10,024,321.28 haSUI obtained
5. The attacker returns the flash loan and makes a net profit of approximately 10,024,321.28 haSUI and 5,765,124.79 SUI, and the attack is complete.
Project repair status
After the attack, Cetus released a patch. The specific patch code can be found at: https://github.com/CetusProtocol/integer-mate/pull/7/files#diff-c04eb6ebebbabb80342cd953bc63925e1c1cdc7ae1fb572f4aad240288a69409.
The fixed checked_shlw function is as follows:
Repair instructions:
Corrected incorrect mask 0xffffffffffffffff << 192 to correct threshold 1 << 192
Corrected the judgment condition from n > mask to n >= mask
Ensure that when a left shift of 64 bits could cause overflow, the overflow flag is correctly detected and returned
MistTrack Analysis
According to analysis, the attacker 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06 made a profit of approximately US$230 million, including SUI, vSUI, USDC and other assets.
We found that the attacker prepared the Gas Fee two days ago, and then made an attempt before the attack, but failed:
After making a profit, the attacker transferred part of the funds such as USDC, SOL, and suiETH to the EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b through cross-chain bridges such as Sui Bridge, Circle, Wormhole, and Mayan:
Among them, 5.2341 WBNB cross-chain to the BSC address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:
The attacker then deposited $10 million worth of assets into Suilend:
The attacker also transferred 24,022,896 SUI to the new address 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562, but has not yet transferred it out:
Fortunately, according to Cetus, with the cooperation of the SUI Foundation and other ecosystem members, the stolen funds of US$162 million on SUI have been successfully frozen.
(https://x.com/CetusProtocol/status/1925567348586815622)
Next, we use the on-chain anti-money laundering and tracking tool MistTrack to analyze the address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b on the EVM that receives cross-chain funds.
This address received 5.2319 BNB on BSC and has not yet transferred it out:
The address received 3,000 USDT, 40.88 million USDC, 1,771 SOL, and 8,130.4 ETH on Ethereum.
Among them, USDT, USDC and SOL are exchanged for ETH through CoW Swap, ParaSwap, etc.:
Next, the address transferred 20,000 ETH to the address 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16, but has not yet transferred it out:
The current balance of this address on Ethereum is 3,244 ETH:
MistTrack has added the above-mentioned addresses to the malicious address database. At the same time, we will continue to monitor the address balances.
Summarize
This attack demonstrates the power of math overflow vulnerabilities. The attacker selected specific parameters through precise calculations and exploited the defects of the checked_shlw function to obtain billions of liquidity at the cost of 1 token. This is an extremely sophisticated math attack, and the SlowMist Security Team recommends that developers strictly verify the boundary conditions of all math functions in smart contract development.