What Happened

Cetus Protocol

$223M|Smart Contract Exploit|May 22, 2025

Arithmetic overflow in checked_shlw function of the integer-mate u256 math library: the bitmask for the overflow guard was off-by-(2^64-1), allowing inputs exactly equal to the mask to pass silently. Attacker used a flash swap to bootstrap a precisely crafted narrow-tick CLMM position, triggered the overflow to receive near-infinite liquidity credits for near-zero token cost, then drained pool reserves via remove_liquidity. Attack repeated across pools. $162M frozen on-chain by Sui validators; $60M bridged to Ethereum.

What Hindenrank Would Have Said

As of April 1, 2025

C-

Risk Score

56/100

“Cetus earns D+ for risk — while it is a legitimate, well-audited protocol that pioneered concentrated liquidity on Sui, it operates on a novel blockchain language (Move, launched 2022) using a custom big-number arithmetic library that has not been stress-tested at Ethereum scale. The LaaS model makes Cetus a systemic single-point-of-failure for the Sui DeFi ecosystem, amplifying any exploit's impact. Appropriate for risk-tolerant users only.”

Mechanism Novelty12/15

Interaction Severity14/20

Oracle Surface7/10

Documentation Quality7/10

Track Record3/15

Scale Exposure5/10

Regulatory Risk3/10

Protocol Vitality5/10

Grade Predicted This Failure

Flagged by dimensions: Mechanism Novelty, Interaction Severity, Oracle Surface, Documentation Quality, Scale Exposure

One or more collapse scenarios directly matched the actual failure mode.

Top Risks Identified

1.Custom integer-mate u256 math library implements CLMM tick arithmetic in Move language — a 2-year-old blockchain language with limited DeFi battle-testing and tooling maturity
2.Primary liquidity infrastructure for the entire Sui DeFi ecosystem: Cetus failure cascades through all protocols using CetusSDK for liquidity and price data
3.Flash swap attack surface combined with concentrated liquidity mechanics enables precisely crafted pool drain strategies using the CLMM's own math as a weapon

Collapse Scenarios

CLMM Math Library Overflow Exploit

Elevated

Trigger

Attacker discovers that the checked_shlw function in the integer-mate u256 library accepts inputs exactly equal to its bitmask, silently proceeding through the overflow guard and corrupting the << 64 shift operation. Uses a flash swap to bootstrap the attack without requiring upfront capital.

Cascade

Attacker analyzes integer-mate library and identifies the off-by-(2^64-1) mask error in checked_shlw→Off-chain computation of exact dust amount required to trigger the overflow condition with mask equality (n == mask)

Flash swap executed to borrow large liquidity from the target pool without upfront capital→Attacker has temporary access to pool reserves; all operations must complete within the same transaction

Narrow tick-range CLMM position opened with precisely calculated dust deposit triggering add_liquidity→add_liquidity calls the integer-mate fixed-point scaling path involving checked_shlw

checked_shlw receives n == mask; overflow check (n > mask) evaluates FALSE; u256 << 64 silently overflows→Token delta calculation corrupted: liquidity credits inflated by 2^64 while actual tokens deposited near zero

Attacker calls remove_liquidity with the inflated liquidity position→Real token reserves drained against the artificially large liquidity credit; pool effectively emptied

Flash loan repaid from drained reserves; attack repeated across remaining Cetus pools→All major Cetus pools drained; protocol paused by validators; $220M+ in user funds stolen

Historical Precedent

Uniswap V3 and other CLMM implementations have been exploited via precision/rounding issues in tick math; custom big-number arithmetic in new languages has historically been a primary exploit surface (cf. Compound's oracle manipulation via integer math in 2021)

Oracle Manipulation via Concentrated Liquidity Price Push

Moderate

Trigger

Attacker with sufficient capital executes large concentrated swaps within thin tick ranges to dramatically move the spot price, corrupting Cetus TWAP oracle data used by dependent Sui lending protocols.

Cascade

Attacker identifies a thin-liquidity tick range in a Cetus pool that serves as oracle for a lending protocol→Small trade volume can move spot price dramatically within the thin tick range

Large concentrated swap executed within the thin tick range, pushing spot price far from fair value→Cetus cumulative price accumulator records the manipulated spot price each block

TWAP observation window elapses with manipulated price data recorded→TWAP oracle now reflects attacker-controlled artificial price for the affected asset

Lending protocol reads corrupted TWAP to value collateral or determine liquidation thresholds→Attacker borrows against artificially inflated collateral value or avoids legitimate liquidation

Historical Precedent

Mango Markets ($114M, 2022): attacker manipulated MNGO perpetual price using concentrated buying, then borrowed against inflated collateral. CLMM-as-oracle designs replicate this risk.

See how today's protocols score

The same 8-dimension rubric applied to 672+ live protocols.

View Leaderboard All Backtests