Full Report
Cetus, an AMM on Sui, was exploited for over $223M in losses. Token prices on Sui dropped by 80%. The technical parts of the bug are pretty interesting. The AMM has tick concentration math, which is notoriously complicated to do correctly. In the function get_delta_a, there was a chance for an integer overflow when performing a trade. This overflow occurred due to the number of tokens that needed to be sent to execute the trade the user requested. This integer overflow (really a truncation) was identified and protected against, though. There was multiplication to ensure that the shift could NOT exceed 192 bits. This should have been sufficient for preventing the exploit, but the check was flawed. A sane check would have been n >= (1 . However, it was 0xffffffffffffffff instead. This is more similar to 2 ** 256 in reality. Crazy! Due to the failed detection, the numerator of a division operation is truncated later when the math assumes the value is less than 192 bits. Since this is how the AMM determines the number of tokens required to trade in for the requested tokens, this is catastrophic. By skewing the pool via a flash loan and performing this trick, they were able to transfer in a SINGLE token as collateral. Sui can block accounts and freeze funds at the validator level. This was done to prevent funds from leaving the ecosystem, which had already occurred through other bridges. The hacker has not responded to any of Cetus' asks so far. The auditing side of this is very interesting. According to Rekt.news, the exploit was actually in a third-party math library. On top of this, this vulnerability was already found on the Aptos implementation by OtterSec. However, when it was ported to Sui Move, the vulnerability appeared again. Several audits were done on the Aptos version, but no bugs were found.
Analysis Summary
# Incident Report: Cetus AMM Major DeFi Exploit
## Executive Summary
On May 22, 2025, the Cetus Automated Market Maker (AMM) on the Sui Network was exploited for over \$223 million due to a subtle vulnerability stemming from a flawed integer truncation check within the liquidity calculation function (`get_delta_a`). The attacker manipulated the calculation via a flash loan and extremely narrow tick range, resulting in the program requiring only 1 unit of input collateral to mint a massive liquidity position, which was then used to drain pool funds.
## Incident Details
- Discovery Date: May 22, 2025 (Implied simultaneous with incident)
- Incident Date: May 22, 2025
- Affected Organization: Cetus AMM (Sui Network)
- Sector: Decentralized Finance (DeFi) / Automated Market Maker (AMM)
- Geography: Sui Network Ecosystem
## Timeline of Events
### Initial Access
- Date/Time: May 22, 2025
- Vector: Flash Loan and Exploitation of flawed math library function.
- Details: Attacker performed a flash loan (e.g., 10M haSUI), created a liquidity position in an extremely narrow, upper-bound tick range, supplied only 1 unit of Token A, and received an impossibly large liquidity value due to the math error.
### Lateral Movement
- Not applicable in traditional sense. The "movement" was manipulation of internal contract state/values.
### Data Exfiltration/Impact
- Date/Time: Immediately following Liquidity Addition.
- Details: Attacker immediately removed the massive liquidity position across multiple transactions, draining the corresponding pool assets (estimated loss > \$200M).
### Detection & Response
- Details: The exploit was detected when the draining occurred. Sui validators took action to **block accounts and freeze funds** at the validator level to prevent assets from leaving the ecosystem via bridges. The hacker has not responded to Cetus communications.
## Attack Methodology
- Initial Access: Flash Loan combined with carefully calculated inputs for the `get_delta_a` function.
- Persistence: Not applicable.
- Privilege Escalation: Not applicable.
- Defense Evasion: The critical check intended to prevent the overflow (`checked_shlw`) was flawed (set comparison against `0xffffffffffffffff` instead of a proper 192-bit bound), allowing the resulting large numerator value to be truncated silently during a left shift operation inherent to Move's integer semantics.
- Credential Access: Not applicable.
- Discovery: Not applicable.
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Draining the liquidity pools after acquiring an inflated LP position.
- Impact: Financial loss via token draining.
## Impact Assessment
- Financial: Over **\$223 million** in losses. Token prices on Sui dropped by **80%**.
- Data Breach: N/A (Financial assets stolen).
- Operational: Severe disruption to the Cetus AMM functionality and significant market instability on Sui.
- Reputational: Significant negative reputational impact on Cetus and potentially the security perception of the Sui ecosystem.
## Indicators of Compromise
- **Behavioral Indicators:** Transactions involving flash loans immediately followed by opening liquidity positions with minimal collateral and subsequent rapid liquidity removal that drains pool reserves.
## Response Actions
- **Containment:** Sui validators were utilized to **block attacker accounts and freeze funds** to mitigate further outflow outside the ecosystem.
- **Eradication/Recovery:** Not detailed if funds were recovered, as the hacker had not responded. The underlying vulnerability in the code base would require patching/re-deployment.
## Lessons Learned
1. **Understand Move Integer Semantics:** The vulnerability hinged on the fact that left-shift operations (`<<`) in Move *silently truncate* rather than aborting upon overflow, unlike standard addition/multiplication.
2. **Mathematical Rigor in Audits:** The initial vulnerability was present in a third-party math library ported from an Aptos implementation. Despite prior audits on the Aptos version (by OtterSec), the vulnerability reappeared when ported to Sui Move, indicating fixes or porting processes were inadequately reviewed against platform specifics.
3. **Complex Edge Case Testing:** The flawed check's boundary condition was set incorrectly (using a value closer to $2^{256}$ instead of $2^{192}$), proving that maximum values are critical attack vectors that must be tested exhaustively.
## Recommendations
- All Move developers must rigorously test and verify boundary conditions explicitly related to bit-shift operations, as they do not trigger runtime errors upon overflow.
- Critical math library functions should undergo specific verification focused on range adherence and comparison logic (ensuring checks are mathematically sound, e.g., `n >= (1 << 192)` rather than an arbitrary large mask).
- Security fixes, especially related to math/arithmetic logic, require re-auditing focusing specifically on the fixed area, rather than just assuming the fix is complete.