Cetus suffered a mathematical overflow attack, resulting in a loss of $230 million, with $162 million already frozen.
Cetus suffers a mathematical overflow attack, with losses exceeding $230 million.
On May 22, the liquidity provider Cetus on the SUI ecosystem was suspected of having been attacked: the depth of its liquidity pools dropped sharply, several token trading pairs fell in price, and estimated losses exceeded $230 million. Cetus subsequently announced that it had temporarily suspended its smart contracts and was investigating the incident.
The core of this attack is that the attacker carefully constructed parameters to exploit a mathematical overflow vulnerability in the system, exchanging a very small amount of tokens for a large amount of liquidity assets. The attack proceeded in the following steps:
1. The attacker borrowed a large amount of haSUI through a flash loan, causing the pool price to plummet by 99.90%.
2. The attacker opened liquidity positions in a very narrow price range, with a range width of only 1.00496621%.
3. Using the overflow-detection bypass in checked_shlw, called from the get_delta_a function, the attacker declared a massive liquidity addition while actually paying only 1 token.
4. The attacker removed the liquidity to obtain a large amount of haSUI and SUI tokens.
5. The attacker repaid the flash loan, completing the attack.
The attacker profited approximately 230 million dollars in assets including SUI, vSUI, and USDC. After the attack, part of the funds was transferred to an EVM address via a cross-chain bridge; about 10 million dollars was deposited into Suilend, and 24,022,896 SUI was transferred to a new address.
Fortunately, with the cooperation of the SUI Foundation and other ecosystem members, a total of 162 million dollars of the stolen funds on SUI has been frozen so far.
Cetus has released a fix that corrects the erroneous mask and comparison condition in the checked_shlw function, so that it now correctly detects overflow.
This attack highlights the danger of mathematical overflow vulnerabilities. In smart contract development, developers should rigorously validate the boundary conditions of every mathematical function to prevent similar attacks from recurring.
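The page describes the faulty check only in words, so here is an added example (not Cetus's code) that models Move's u256 in Python: a checked shift-left whose mask and comparison are wrong lets a 64-bit left shift wrap silently, and a downstream amount formula then charges almost nothing for an enormous liquidity figure, while the corrected check flags the overflow. The buggy variant, the Q64 price formula, and all numeric inputs are constructed assumptions for illustration, not the project's source.

```python
# Models Sui Move's u256: Python ints kept in [0, 2**256). Move shifts do not abort
# when bits fall off the top, so an unchecked "n << 64" simply wraps.
U256_MAX = (1 << 256) - 1
Q64 = 1 << 64  # sqrt prices are assumed to be Q64.64 fixed point (constructed assumption)


def checked_shlw_buggy(n: int) -> tuple:
    """Constructed illustration of a wrong mask plus wrong comparison (not the project's
    source). The mask has only the top 64 bits set and the test is a strict '>', so
    nearly every value that loses bits on a 64-bit left shift is reported as fine."""
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MAX, False  # wraps like native u256 arithmetic


def checked_shlw_fixed(n: int) -> tuple:
    """Correct check: n << 64 overflows u256 exactly when any bit >= 192 is set."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def delta_a(liquidity: int, sqrt_lower: int, sqrt_upper: int, shlw):
    """Simplified stand-in for a get_delta_a-style amount formula (assumption, not the
    project's code): liquidity * (sqrt_upper - sqrt_lower) * 2**64 / (sqrt_upper * sqrt_lower).
    Returns None when the checked shift reports overflow, i.e. where a contract would abort."""
    numerator = liquidity * (sqrt_upper - sqrt_lower)
    assert numerator <= U256_MAX  # the product itself still fits; the shift is the risk
    shifted, overflow = shlw(numerator)
    if overflow:
        return None
    return shifted // (sqrt_upper * sqrt_lower)


def exact_delta_a(liquidity: int, sqrt_lower: int, sqrt_upper: int) -> int:
    """Reference value with unbounded integers: what the position should actually cost."""
    return (liquidity * (sqrt_upper - sqrt_lower) * Q64) // (sqrt_upper * sqrt_lower)


def compare(liquidity: int, sqrt_lower: int, sqrt_upper: int) -> dict:
    """Run both checks on the same inputs; a boundary regression test a reviewer would keep."""
    return {
        "buggy": delta_a(liquidity, sqrt_lower, sqrt_upper, checked_shlw_buggy),
        "fixed": delta_a(liquidity, sqrt_lower, sqrt_upper, checked_shlw_fixed),
        "exact": exact_delta_a(liquidity, sqrt_lower, sqrt_upper),
    }


if __name__ == "__main__":
    # Constructed inputs: a narrow range (upper sqrt price 1/128 above lower) and a
    # liquidity figure chosen so that the product just crosses 2**192.
    print(compare((1 << 135) + (1 << 8), Q64, Q64 + (1 << 57)))
```

With the constructed inputs the buggy path charges 1 token for a liquidity figure whose honest cost is above 2**127, while the fixed check refuses the shift; for liquidity that does not approach the 192-bit boundary both checks agree with the exact value.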