SlowMist: Analysis of the Cetus Theft Incident, 1 Token Leveraged 230 Million USD, SUI Foundation Assists in Freezing 162 Million

SlowMist
2025-05-27 11:23:16
Cetus was attacked through a smart contract overflow vulnerability that allowed the attacker to obtain massive liquidity at minimal cost, resulting in losses exceeding $230 million. Some assets have been frozen, and the vulnerability has been fixed.

Original Title: "SlowMist: Analysis of the Cetus $230 Million Theft Incident"

Original Authors: Victory, Lisa, SlowMist Technology

Background

On May 22, according to community news, the liquidity provider Cetus on the SUI ecosystem was suspected to have been attacked, leading to a significant drop in liquidity pool depth, with multiple token trading pairs on Cetus experiencing declines, and the estimated loss exceeding $230 million. Subsequently, Cetus released an announcement stating: "An incident has been detected in our protocol, and for safety reasons, the smart contract has been temporarily paused. The team is currently investigating the incident. We will release further investigation statements soon."

After the incident, the SlowMist security team immediately began its analysis and issued a security alert. Below is a detailed analysis of the attack method and the movement of funds.

Related Information

The core of this incident is that the attacker carefully constructed parameters to cause an overflow while bypassing detection, ultimately allowing a very small amount of tokens to exchange for a massive amount of liquidity assets. The following is a detailed step-by-step analysis:

(Attack Timeline)

  1. The attacker first borrowed 10,024,321.28 haSUI through a flash loan, causing the pool price to plummet from 18,956,530,795,606,879,104 to 18,425,720,184,762,886, a price drop of 99.90%.

  2. The attacker carefully selected a very narrow price range to open a liquidity position:

Lower Tick: 300000 (Price: 60,257,519,765,924,248,467,716,150)

Upper Tick: 300200 (Price: 60,863,087,478,126,617,965,993,239)

Price Range Width: Only 1.00496621%

  3. Next comes the core of this attack: the attacker claimed to add a massive 10,365,647,984,364,446,732,462,244,378,333,008 units of liquidity, but due to a vulnerability, the system charged only 1 token A.

Let's analyze why the attacker was able to obtain a massive amount of liquidity with just 1 token. The core reason is an overflow detection bypass in the checked_shlw function. Because the overflow went undetected, the system miscalculated the amount of haSUI actually required, and the attacker received a large amount of liquidity in exchange for a very small number of tokens.

When the system calculates how much haSUI is needed to add such massive liquidity:

The key here is that the implementation of the checked_shlw function is seriously flawed. Any input value less than 0xffffffffffffffff << 192 bypasses the overflow detection. However, when such a value is 2^192 or larger, left-shifting it by 64 bits produces a result that exceeds the range of u256, so the high-order bits are truncated and the final value is far smaller than the theoretical one. Consequently, the system underestimates the required amount of haSUI in subsequent calculations.

· Error Mask: 0xffffffffffffffff << 192 = a very large value (approximately 2^256-2^192)

· Almost all inputs are less than this mask, bypassing overflow detection

· The real issue: when n >= 2^192, n << 64 will exceed the u256 range and be truncated

The intermediate value constructed by the attacker liquidity * sqrtpricediff = 6277101735386680763835789423207666908085499738337898853712:

· Less than the error mask, bypassing overflow detection

· But after left-shifting by 64 bits, it exceeds the maximum value of u256, causing the overflow part to be truncated

· This makes the final calculation result less than 1, but since it is rounded up, the quotient equals 1

  4. Finally, the attacker removed liquidity and obtained massive token profits:

· First removal: Obtained 10,024,321.28 haSUI

· Second removal: Obtained 1 haSUI

· Third removal: Obtained 10,024,321.28 haSUI

  5. The attacker repaid the flash loan, netting approximately 10,024,321.28 haSUI and 5,765,124.79 SUI, completing the attack.

Project Team's Fixes

After the attack, Cetus released a patch. The specific fix code can be referenced at: https://github.com/CetusProtocol/integer-mate/pull/7/files#diff-c04eb6ebebbabb80342cd953bc63925e1c1cdc7ae1fb572f4aad240288a69409.

The fixed checked_shlw function is as follows:

Fix Explanation: The erroneous mask 0xffffffffffffffff << 192 was corrected to the correct threshold 1 << 192, and the judgment condition was changed from n > mask to n >= mask to ensure that when left-shifting by 64 bits may cause an overflow, it can correctly detect and return the overflow flag.
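
The flawed and fixed checks described above, as an added Python model (not Cetus's Move code and not part of the original analysis), run on the intermediate value and range prices quoted in this article. The function names and the amount formula, ceil((n << 64) / (sqrt_lower * sqrt_upper)), are assumptions based on the standard concentrated-liquidity calculation, and the tick "Price" values are assumed to be the 64.64 fixed-point square-root prices it uses.

```python
# Python model of the overflow check (added example; not the Cetus Move source).
U256_MAX = (1 << 256) - 1

def shl_u256(n: int, bits: int) -> int:
    """Left shift as a u256 does it: bits above 2^256 are silently dropped."""
    return (n << bits) & U256_MAX

def checked_shlw_flawed(n: int) -> tuple:
    mask = 0xFFFFFFFFFFFFFFFF << 192      # erroneous mask quoted in the article
    if n > mask:
        return 0, True
    return shl_u256(n, 64), False

def checked_shlw_fixed(n: int) -> tuple:
    mask = 1 << 192                       # smallest n for which n << 64 overflows
    if n >= mask:
        return 0, True
    return shl_u256(n, 64), False

# Values quoted in the article.
SQRT_PRICE_LOWER = 60257519765924248467716150   # tick 300000
SQRT_PRICE_UPPER = 60863087478126617965993239   # tick 300200
PRODUCT = 6277101735386680763835789423207666908085499738337898853712

def div_round_up(num: int, den: int) -> int:
    return -(-num // den)

def token_a_required(product: int, checked_shlw) -> int:
    """Assumed formula: ceil((product << 64) / (sqrt_lower * sqrt_upper))."""
    numerator, overflow = checked_shlw(product)
    if overflow:
        raise OverflowError("liquidity * sqrt_price_diff overflows u256 after << 64")
    return div_round_up(numerator, SQRT_PRICE_LOWER * SQRT_PRICE_UPPER)

def untruncated_token_a(product: int) -> int:
    """Same formula with unbounded integers: what should have been charged."""
    return div_round_up(product << 64, SQRT_PRICE_LOWER * SQRT_PRICE_UPPER)

if __name__ == "__main__":
    print("flawed check charges:", token_a_required(PRODUCT, checked_shlw_flawed))
    print("without truncation:  ", untruncated_token_a(PRODUCT))
    try:
        token_a_required(PRODUCT, checked_shlw_fixed)
    except OverflowError as exc:
        print("fixed check rejects: ", exc)
```

The boundary case is worth a regression test of its own: at exactly n = 2^192 the flawed check returns a numerator of 0 with no overflow flag, while the fixed check flags it.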

MistTrack Analysis

According to analysis, the attacker 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06 profited approximately $230 million, including various assets such as SUI, vSUI, USDC, etc.

We found that the attacker had prepared the Gas Fee two days prior and attempted once before the attack, but failed:

After profiting, the attacker transferred part of the funds such as USDC, SOL, and suiETH through cross-chain bridges like Sui Bridge, Circle, Wormhole, and Mayan to the EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Among them, 5.2341 WBNB was transferred to the BSC address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Next, the attacker deposited assets worth $10 million into Suilend:

The attacker also transferred 24,022,896 SUI to the new address 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562, which has not yet been transferred out:

Fortunately, according to Cetus, with the cooperation of the SUI Foundation and other ecosystem members, $162 million of the stolen funds on SUI have been successfully frozen.

(https://x.com/CetusProtocol/status/1925567348586815622)

Next, we used the on-chain anti-money laundering and tracking tool MistTrack to analyze the EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b that received cross-chain funds. This address received 5.2319 BNB on BSC and has not yet transferred out:

This address received 3,000 USDT, 40,880,000 USDC, 1,771 SOL, and 8,130.4 ETH on Ethereum. Among them, USDT, USDC, and SOL were exchanged for ETH through CoW Swap, ParaSwap, etc.:

Next, this address transferred 20,000 ETH to the address 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16, which has not yet transferred out:

Currently, the balance of this address on Ethereum is 3,244 ETH:

MistTrack has added the above-related addresses to the malicious address database, and we will continue to monitor the address balances.

Summary

This attack demonstrates the power of mathematical overflow vulnerabilities. The attacker precisely calculated and selected specific parameters, exploiting the defect in the checked_shlw function to obtain liquidity worth billions at the cost of just 1 token. This is an extremely sophisticated mathematical attack, and the SlowMist security team recommends that developers strictly verify the boundary conditions of all mathematical functions in smart contract development.
