Cetus Protocol confirmed that there was a vulnerability in the open-source library used by its CLMM smart contract, which led to the theft of $223 million.

The decentralized exchange Cetus Protocol on the Sui public chain recently confirmed that a defect existed in an open-source library used by its Concentrated Liquidity Market Maker (CLMM) smart contract, and that the attacker exploited this defect to steal $223 million.

Cetus stated that the vulnerability originated in a method called checked_shlw in the integer_mate open-source library relied upon by its CLMM contract. The method's overflow check compared its input against a 256-bit bound instead of the required 192-bit bound, so inputs that could not survive the shift were accepted and silently truncated. This error allowed the attacker to add an abnormally large amount of fake liquidity for a negligible amount of tokens, and then to repeatedly withdraw real funds from the pool.
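To make the bound error concrete, the following added example (not Cetus Protocol or integer_mate code) models a 256-bit checked shift-left-by-64 in plain Python integers and compares a check bounded at 256 bits with one bounded at the required 192 bits. The function names and the exact form of the check are assumptions; the point is that n << 64 only fits in 256 bits when n < 2**192.

```python
# Added example: models a u256 "checked shift-left by one 64-bit word" (shlw)
# in Python, where ints are unbounded, so truncation has to be done by hand.
# Names and the shape of the check are assumptions, not integer_mate's code.

U256_BITS = 256
SHIFT = 64                       # one 64-bit word
U256_MASK = (1 << U256_BITS) - 1


def checked_shlw(n: int, bound_bits: int) -> tuple[int, bool]:
    """Return (n << 64 as a u256, overflowed).

    The check is only sound when bound_bits == 256 - SHIFT == 192:
    n << 64 fits in 256 bits exactly when n < 2**192.  A larger bound
    lets inputs through whose shifted value no longer fits and is
    silently truncated, as it would be in a fixed-width u256.
    """
    if not 0 <= n <= U256_MASK:
        raise ValueError("n is not a valid u256")
    if n >= (1 << bound_bits):
        return 0, True                       # overflow reported
    return (n << SHIFT) & U256_MASK, False   # truncates if the bound was wrong


def shlw_flawed(n: int) -> tuple[int, bool]:
    """Bound taken from the full 256-bit width: never reports overflow."""
    return checked_shlw(n, U256_BITS)


def shlw_fixed(n: int) -> tuple[int, bool]:
    """Bound of 192 bits: rejects every input whose shift would not fit."""
    return checked_shlw(n, U256_BITS - SHIFT)


def compare(n: int) -> dict:
    """Run both variants on one input and flag a silent truncation."""
    flawed_val, flawed_ovf = shlw_flawed(n)
    fixed_val, fixed_ovf = shlw_fixed(n)
    return {
        "flawed": (flawed_val, flawed_ovf),
        "fixed": (fixed_val, fixed_ovf),
        # True when the flawed check accepted n but returned something
        # other than the true n << 64: the caller now holds a wrong number.
        "silent_truncation": (not flawed_ovf) and flawed_val != (n << SHIFT),
    }


if __name__ == "__main__":
    for n in (1, (1 << 192) - 1, 1 << 192, (1 << 200) + 5):
        print(hex(n), compare(n))
```

Inputs at or above 2**192 are the interesting ones: the fixed variant reports overflow, while the flawed variant returns a small, wrong value with no error.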

According to the full incident report, the attack method included using flash swaps to manipulate prices in the pool, bypassing overflow checks to inject large amounts of fake liquidity, and then repeatedly removing liquidity to cash out assets.

Cetus pointed out that rumors on social media linking this attack to the MAX_U64 arithmetic error mentioned in earlier audit reports are misleading: 'This vulnerability is unrelated to that error.'

Impact of the attack and initial response

According to the timeline released by Cetus, within 30 minutes after the attack occurred, its core CLMM liquidity pool was urgently closed to prevent further losses, but by that time, approximately $223 million had already been stolen, leading to significant fluctuations in the prices of multiple Sui ecosystem tokens.

About 1 hour and 20 minutes after the attack occurred, Sui validators began an on-chain vote to freeze the attacker's address. Once more than 33% of the staking weight had voted in favor, the address controlled by the attacker (holding approximately $162 million) was 'frozen', meaning it could no longer transact on the Sui network.

This move raised questions within the community, with some arguing that it exposes Sui's centralization risk. Meanwhile, on-chain analyses indicate that before the freeze the attacker had already swapped around $60 million into USDC, bridged it to Ethereum, and exchanged it for ETH.

Contract repairs and recovery measures

Cetus stated that the vulnerable contract has been fixed and upgraded, but has not been relaunched. The team is working with the Sui security team and auditing partners to re-verify all upgraded contracts and ensure their safety before restarting the CLMM liquidity pool.

At the same time, Cetus and blockchain data company Inca Digital issued a request to the attacker, hoping they would return the 20,920 ETH transferred to Ethereum and the funds frozen in the Sui wallet, promising that if the attacker returned the funds, no further legal or public actions would be taken.

As of now, Cetus has not received any response from the attacker. The team subsequently announced a $5 million reward for information that leads to identifying and apprehending the attacker, to be distributed at the discretion of the Sui Foundation.

Community governance and fund recovery proposal

Cetus also proposed that an on-chain vote decide whether to upgrade the protocol in order to unfreeze and return the $162 million in funds. Cetus stated:

"We cannot unilaterally decide whether this upgrade should be executed. We recommend initiating an on-chain vote, where core network participants, including validators and SUI stakers, collectively decide whether to restore and return user assets."

Next steps: stronger security system

Cetus acknowledged that despite significant investment in smart contract auditing and system security since its launch, this attack shows that its earlier 'sense of security' was false: 'We must do more.'

Next, Cetus will take the following strengthening measures:

Implement tighter real-time security monitoring

Introduce stronger risk management configurations

Expand testing coverage

Increase the frequency of audits and evaluate based on milestones

Implement a public and transparent code coverage reporting mechanism

Additionally, Cetus is working with ecosystem partners to develop a liquidity recovery plan, assist affected LP users, and coordinate with the community to decide whether to return funds through an upgrade.

Meanwhile, legal proceedings are ongoing, but the team still hopes to resolve this peacefully through white-hat means and has stated that a final notice will soon be sent to the attacker.