Original Title: "Slow Fog: Analysis of the $230 Million Theft Incident Involving Cetus"

Original Authors: Victory, Lisa, Slow Fog Technology

Background

On May 22, according to community reports, the liquidity provider Cetus on the SUI ecosystem was suspected to have been attacked, leading to a significant drop in liquidity pool depth and a decline in multiple token trading pairs on Cetus, with estimated losses exceeding $230 million. Subsequently, Cetus released a statement saying, "An incident has been detected in our protocol, and for safety reasons, the smart contract has been temporarily paused. The team is currently investigating the incident. We will release further investigation statements soon."

After the incident occurred, the Slow Fog security team immediately intervened for analysis and issued a security alert. Below is a detailed analysis of the attack methods and the movement of funds.

Related Information

The core of this incident is that the attacker carefully constructed parameters to cause an overflow that could bypass detection, ultimately allowing them to exchange a very small amount of tokens for a massive amount of liquidity assets. The following is a detailed step-by-step analysis:

(Attack Timeline)

1. The attacker first borrowed 10,024,321.28 haSUI through a flash loan, causing the pool price to plummet from 18,956,530,795,606,879,104 to 18,425,720,184762886, a price drop of 99.90%.

2. The attacker carefully selected a very narrow price range to open a liquidity position:

Lower Tick: 300000 (Price: 60,257,519,765,924,248,467,716,150)

Upper Tick: 300200 (Price: 60,863,087,478,126,617,965,993,239)

Price Range Width: Only 1.00496621%

3. Next comes the core of this attack, where the attacker claimed to add a massive liquidity of 10,365,647,984,364,446,732,462,244,378,333,008 units, but due to a vulnerability, the system only charged 1 token A.

Let’s analyze why the attacker was able to exchange a massive amount of liquidity with just 1 token. The core reason lies in the overflow detection bypass vulnerability in the checked_shlw function. The attacker exploited this, causing the system to severely miscalculate the actual amount of haSUI needed. Since the overflow was not detected, the system misjudged the required amount of haSUI, allowing the attacker to exchange a minimal number of tokens for a large amount of liquidity assets, thus achieving the attack.

When the system calculated how much haSUI was needed to add such massive liquidity:

The key here is that the implementation of the checked_shlw function has a serious flaw. In fact, any input value less than 0xffffffffffffffff 192 will bypass the overflow detection. However, when these values are left-shifted by 64 bits, the result exceeds the representation range of u256, causing the high-order data to be truncated, leading to a result that is far less than the theoretical value. As a result, the system will underestimate the required amount of haSUI in subsequent calculations.

· Error Mask: 0xffffffffffffffff 192 = A very large value (approximately 2^256-2^192)

· Almost all inputs are less than this mask, bypassing overflow detection

· The real issue: When n >= 2^192, n 64 will exceed the u256 range and be truncated

The intermediate value constructed by the attacker liquidity * sqrtpricediff = 6277101735386680763835789423207666908085499738337898853712:

· Less than the error mask, bypassing overflow detection

· But after left-shifting by 64 bits, it exceeds the maximum value of u256, causing the overflow part to be truncated

· This leads to the final calculated result being approximately less than 1, but since it is rounded up, the quotient calculated equals 1

4. Finally, the attacker removed liquidity and obtained massive token profits:

· First removal: Obtained 10,024,321.28 haSUI

· Second removal: Obtained 1 haSUI

· Third removal: Obtained 10,024,321.28 haSUI

5. The attacker repaid the flash loan, netting approximately 10,024,321.28 haSUI and 5,765,124.79 SUI, completing the attack.

Project Team's Fixes

After the attack, Cetus released a patch. The specific fix code can be referenced at: https://github.com/CetusProtocol/integer-mate/pull/7/files#diff-c04eb6ebebbabb80342cd953bc63925e1c1cdc7ae1fb572f4aad240288a69409.

The fixed checked_shlw function is as follows:

Fix Explanation: The erroneous mask 0xffffffffffffffff 192 was corrected to the correct threshold 1 192, and the condition was changed from n > mask to n >= mask to ensure that when left-shifting by 64 bits may cause an overflow, it can correctly detect and return the overflow flag.

MistTrack Analysis

According to analysis, the attacker 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06 profited approximately $230 million, including various assets such as SUI, vSUI, USDC, etc.

We found that the attacker had prepared the Gas Fee two days prior and made a failed attempt before the attack:

After profiting, the attacker transferred part of the funds such as USDC, SOL, and suiETH through cross-chain bridges like Sui Bridge, Circle, Wormhole, and Mayan to the EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Among them, 5.2341 WBNB was cross-chained to the BSC address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Next, the attacker deposited assets worth $10 million into Suilend:

The attacker also transferred 24,022,896 SUI to a new address 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562, which has not yet been transferred out:

Fortunately, according to Cetus, with the cooperation of the SUI Foundation and other ecosystem members, $162 million of the stolen funds on SUI have been successfully frozen.

(https://x.com/CetusProtocol/status/1925567348586815622)

Next, we use the on-chain anti-money laundering and tracking tool MistTrack to analyze the EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b, which received cross-chain funds. This address received 5.2319 BNB on BSC and has not yet transferred out:

This address received 3,000 USDT, 40.88 million USDC, 1,771 SOL, and 8,130.4 ETH on Ethereum. Among them, USDT, USDC, and SOL were exchanged for ETH through coW Swap, Para Swap, and others:

Subsequently, this address transferred 20,000 ETH to address 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16, which has not yet transferred out:

Currently, the balance of this address on Ethereum is 3,244 ETH:

MistTrack has added the above-related addresses to the malicious address database, and we will continue to monitor the balance of these addresses.

Summary

This attack demonstrates the power of mathematical overflow vulnerabilities. The attacker precisely calculated and selected specific parameters, exploiting the flaw in the checked_shlw function to obtain liquidity worth billions at the cost of just 1 token. This was an extremely sophisticated mathematical attack, and the Slow Fog security team recommends that developers rigorously verify all boundary conditions of mathematical functions in smart contract development.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。