SlowMist: Analysis of the Cetus Hack, One Token Manipulated for $230 Million

Original Article Title: "SlowMist: Analysis of the $230M Theft Incident of Cetus"

Original Article Authors: Victory, Lisa, SlowMist Technology

Background

On May 22, according to community reports, Cetus, a liquidity provider on the SUI ecosystem, was suspected of being attacked. The liquidity pool depth experienced a significant drop, leading to various token pairs on Cetus seeing a decline. The estimated loss exceeds $230 million. Subsequently, Cetus released a statement stating: "We have detected an incident in our protocol. As a precaution, the smart contract has been temporarily paused. Currently, the team is conducting an investigation into the incident. We will soon release further investigation statements."

After the incident, the SlowMist security team promptly intervened for analysis and issued a security advisory. The following is a detailed analysis of the attack method and fund transfer situation.

(https://x.com/CetusProtocol/status/1925515662346404024)

Relevant Information

One of the Attack Transactions: https://suiscan.xyz/mainnet/tx/DVMG3B2kocLEnVMDuQzTYRgjwuuFSfciawPvXXheB3x

Attacker's Address: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06

Attacked Pool Address: 0x871d8a227114f375170f149f7e9d45be822dd003eba225e83c05ac80828596bc

Involved Tokens: haSUI / SUI

Attack Analysis

The core of this incident is that the attacker, through carefully constructed parameters, triggered an overflow that bypassed detection. Ultimately, they were able to exchange a minimal amount of tokens for a substantial amount of liquidity assets. The following is a detailed step-by-step analysis:

(Flash Loan Attack Timeline)

1. The attacker first borrowed 10,024,321.28 haSUI through a flash loan, causing the pool price to plummet from 18,956,530,795,606,879,104 to 18,425,720,184,762,886, representing a price drop of 99.90%.

2. The attacker carefully selected an extremely narrow price range to open a liquidity position:

Tick Lower Bound: 300,000 (Price: 60,257,519,765,924,248,467,716,150)

Tick Upper Bound: 300,200 (Price: 60,863,087,478,126,617,965,993,239)

Price Range Width: Only 1.00496621%

3. The core of this attack followed, with the attacker claiming to add a massive liquidity of 10,365,647,984,364,446,732,462,244,378,333,008 units, but due to a vulnerability, the system only deducted 1 token A.

Let's analyze why the attacker was able to exchange a massive amount of liquidity for just 1 token. The key reason lies in the overflow detection bypass vulnerability in the get_delta_a function. The attacker exploited this to introduce a significant bias in the system's calculation of how much haSUI to add. With the overflow undetected, the system miscalculated the required haSUI amount, allowing the attacker to exchange minimal tokens for a large amount of liquidity assets, thus executing the attack.

When the system calculated how much haSUI was needed to add such a vast amount of liquidity:

The critical flaw lies in the implementation of the checked_shlw function. In reality, any input value below 0xffffffffffffffff <<192 will bypass the overflow check. However, when these values are left-shifted by 64 bits, the result exceeds the u256 range, truncating the high-order bits and resulting in a value much smaller than expected. Consequently, the system underestimates the required haSUI amount in subsequent calculations.

· Error Mask: 0xffffffffffffffff << 192 = Very large number (about 2^256-2^192)

· Almost all inputs are smaller than this mask, bypassing overflow check

· Real issue: When n >= 2^192, n << 64 will exceed the u256 range and be truncated

Attacker's crafted intermediate value liquidity * sqrt_price_diff = 6277101735386680763835789423207666908085499738337898853712:

· Smaller than the error mask, bypassing overflow check

· But will exceed the u256 max value after left shifting 64 bits, causing the overflow part to be truncated

· Resulting in a final calculated result of approximately less than 1, but due to ceiling rounding, the quotient ends up being 1

4. Finally, the attacker removes liquidity and gains a significant token reward:

· First removal: Gains 10,024,321.28 haSUI tokens

· Second removal: Gains 1 haSUI token

· Third removal: Gains 10,024,321.28 haSUI tokens

5. The attacker repays the flash loan, with a net profit of approximately 10,024,321.28 haSUI and 5,765,124.79 SUI, completing the attack.

Project Team's Fix Status

After the attack, Cetus released a fix patch. Specific fix code can be found at: https://github.com/CetusProtocol/integer-mate/pull/7/files#diff-c04eb6ebebbabb80342cd953bc63925e1c1cdc7ae1fb572f4aad240288a69409.

The updated checked_shlw function is as follows:

Fix description: Corrected the erroneous mask 0xffffffffffffffff << 192 to the correct threshold 1 << 192, changed the condition from n > mask to n >= mask to ensure proper detection and return of the overflow flag when a left shift of 64 bits could result in overflow.

MistTrack Analysis

According to the analysis, the attacker 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06 made a profit of approximately 230 million USD, including various assets such as SUI, vSUI, USDC, and more.

We found that the attacker had prepared Gas Fees two days prior, and then made an attempt before the attack but failed:

After profiting, the attacker cross-chain transferred some funds such as USDC, SOL, suiETH to an EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b using cross-chain bridges like Sui Bridge, Circle, Wormhole, Mayan:

Among these, 5.2341 WBNB was cross-chain transferred to BSC address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Subsequently, the attacker deposited assets worth 10 million USD into Suilend:

The attacker also transferred 24,022,896 SUI to a new address 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562, which has not been withdrawn yet:

Fortunately, according to Cetus, in collaboration with the SUI Foundation and other ecosystem members, approximately 162 million USD of the stolen funds on SUI have been successfully frozen.

(https://x.com/CetusProtocol/status/1925567348586815622)

Next, we used the on-chain anti-money laundering and tracking tool MistTrack to analyze the address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b that received cross-chain funds on the EVM. This address received 5.2319 BNB on BSC and has not been withdrawn yet:

This address received 3,000 USDT, 40.88 million USDC, 1,771 SOL, and 8,130.4 ETH on Ethereum. Among these, USDT, USDC, and SOL were exchanged for ETH through coW Swap, ParaSwap, and other platforms:

Subsequently, this address transferred 20,000 ETH to the address 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16 and has not yet withdrawn:

The current balance of this address on Ethereum is 3,244 ETH:

MistTrack has added the above related addresses to the malicious address library, and we will continue to monitor the balances of these addresses.

Summary

This attack demonstrates the power of a integer overflow vulnerability. The attacker precisely calculated and selected specific parameters to exploit the flaw in the checked_shlw function, obtaining billions of dollars in liquidity at the cost of one token. This was an extremely sophisticated mathematical attack, and the SlowMist security team recommends that developers rigorously validate all boundary conditions of mathematical functions in smart contract development.

Original Article Link