Cetus Protocol Hack: Overflow Bug Leads to $223M Loss

On May 22, 2025, Cetus Protocol, a major DEX on the Sui blockchain, suffered a catastrophic exploit. A subtle arithmetic overflow bug allowed an attacker to drain ~$223 million, making it one of the largest DeFi hacks of the year.

The attacker used flashloans to borrow large amounts of tokenA and opened a position within a tightly defined price range — [300000, 300200]. By adding just 1 unit of tokenA, they were able to mint an excessive amount of liquidity.

At the core of the issue was a faulty function: get_delta_a, which calculates how much of tokenA is required to mint liquidity. The function used a flawed checked_shlw operation that failed to reject values exceeding a 192-bit limit, leading to an overflow. This caused calculations to reset to a much smaller number, letting the attacker supply just 1 token but receive liquidity worth millions.

After successfully minting and withdrawing the liquidity, the attacker repaid the flashloan and kept the profit. They then bridged ~$62M USDC to Ethereum via Wormhole and swapped it for ETH. The rest of the funds (~$162M) were frozen by Sui validators before they could be moved.

What Went Wrong?

The vulnerability lay in unchecked arithmetic logic. Specifically, the overflow occurred when multiplying and shifting large integer values. Because DeFi protocols often deal with massive numbers for precision, failing to handle overflows can be a ticking time bomb.

Cetus’s bug let attackers bypass safety checks and exploit the pool repeatedly. It’s a classic example of how a single line of faulty logic can collapse an entire protocol.

Could This Have Been Prevented?

Yes. The bug could’ve been caught with proper input validation, overflow checks, and rigorous external audits. Understanding how large integers behave at the compiler level is essential for DeFi development but often overlooked.

#MarketRebound #cryptonewstoday #Cryptonewsdaily #BinanceSquareTalks #kosheunti'scontent.