
Post-mortem analysis of the Cetus hack unveils an overflow bug as the catalyst for the $223 million exploit.

Exploitation of a crucial overflow glitch in Cetus Protocol's automated market maker functionality resulted in user losses worth $223 million, as revealed in a post-mortem by Dedaub.


In a significant blow to the decentralized finance (DeFi) sector, attackers exploited a critical overflow vulnerability in Cetus Protocol's automated market maker logic, causing losses amounting to $223 million for users. This assertion was made by blockchain security firm Dedaub in a recent post-mortem report.

Dedaub explained that the overflow issue stemmed from an error in the mathematics used by Cetus's automated market maker. A miswritten condition failed to handle large numerical inputs correctly, so oversized values were not rejected. Instead, the system truncated them, making the resulting output values appear much smaller than they actually were. This allowed the attacker to deposit a minimal amount of tokens while incorrectly receiving an outsized liquidity position.
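As an added illustration of the bug class Dedaub describes (this is constructed example code, not Cetus's code; the fixed-point scale, the formula and the miswritten bound are assumptions for the example), here is a narrowing step whose guard is written against the wrong bound, beside a correct one, applied to an AMM-style "tokens required for requested liquidity" calculation:

```rust
// Constructed model of the bug class: a 128-bit intermediate is narrowed to
// u64 behind a guard that is miswritten, so oversized values pass the check
// and are silently truncated instead of being rejected.

const SCALE_BITS: u32 = 32; // assumed fixed-point scale: price_scaled = price * 2^32

/// Buggy narrowing: the guard compares against a bound far larger than
/// u64::MAX, so any value in [2^64, u128::MAX >> 1] passes and is truncated.
fn narrow_buggy(x: u128) -> Option<u64> {
    const WRONG_BOUND: u128 = u128::MAX >> 1; // intended: u64::MAX as u128
    if x > WRONG_BOUND {
        return None;
    }
    Some(x as u64) // `as` keeps only the low 64 bits
}

/// Fixed narrowing: anything that does not fit in u64 is rejected.
fn narrow_fixed(x: u128) -> Option<u64> {
    u64::try_from(x).ok()
}

/// Tokens a depositor must pay for `liquidity` units at `price_scaled`,
/// rounded up: ceil(liquidity * price_scaled / 2^SCALE_BITS).
/// Returns None when the amount cannot be represented (or the product overflows).
fn tokens_required(liquidity: u128, price_scaled: u128, narrow: fn(u128) -> Option<u64>) -> Option<u64> {
    let numerator = liquidity.checked_mul(price_scaled)?;
    let mut amount = numerator >> SCALE_BITS;
    if numerator & ((1u128 << SCALE_BITS) - 1) != 0 {
        amount += 1; // round up so the pool never under-charges
    }
    narrow(amount)
}

fn main() {
    // Honest deposit: price 3.0, one million liquidity units -> both paths agree.
    let price = 3u128 << SCALE_BITS;
    println!("{:?}", tokens_required(1_000_000, price, narrow_buggy)); // Some(3000000)
    // Oversized request: true cost is 2^64 + 5 tokens. The buggy path charges
    // only 5 tokens for the whole position; the fixed path rejects the request.
    let huge = (1u128 << 64) + 5;
    println!("{:?}", tokens_required(huge, 1u128 << SCALE_BITS, narrow_buggy)); // Some(5)
    println!("{:?}", tokens_required(huge, 1u128 << SCALE_BITS, narrow_fixed)); // None
}
```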

This position was then leveraged to withdraw substantial real assets from the pools on Cetus. Notably, Dedaub pointed out that a similar vulnerability had been identified by Ottersec in early 2023 during an audit of the protocol's codebase when it was deployed on Aptos. However, after the code was moved to the Sui network, the flaw remained unresolved or inadequately fixed, resulting in the exploit on Sui.

The exploit triggered a widespread sell-off of related tokens, including SUI and CETUS, which plummeted by over 40% within hours of the breach. Memecoins and smaller market cap tokens native to the network experienced even steeper losses, with some plunging by over 90%.

In response to the losses, the Sui Foundation collaborated with validators to freeze approximately $163 million of the stolen funds. Cetus also announced a $5 million bounty for information leading to the identification of the perpetrators. The incident serves as a reminder of the importance of meticulous oversight and testing for edge cases in the DeFi landscape, especially when dealing with complex math involving large numbers or advanced calculations, according to Dedaub.

  1. The exploitation of Cetus Protocol was a consequence of an overflow vulnerability in its automated market maker logic, a mathematical error identified by Dedaub in a post-mortem report.
  2. The flaw in Cetus's system, a miswritten condition that failed to handle large numerical inputs properly, allowed attackers to receive outsized liquidity positions for minimal deposits.
  3. This exploit enabled the attackers to withdraw substantial real assets from Cetus's pools, leading to a sell-off of related tokens such as SUI and CETUS, which plummeted by over 40%, with smaller tokens native to the network falling by over 90%.
  4. Cybersecurity firm Dedaub emphasized the importance of thorough oversight and testing for edge cases in the DeFi landscape, particularly when dealing with complex mathematics and large numbers.
  5. In an effort to recover stolen funds and identify the perpetrators, the Sui Foundation collaborated with validators to freeze approximately $163 million of the stolen funds, and Cetus offered a $5 million bounty for information leading to the attackers' identification.
