Sui shares details on $220M Cetus exploit, vows to step up security
Multiple rounds of prior audits did not catch the flaw, the DEX said
Patme Design/Shutterstock and Adobe modified by Blockworks
This is a segment from The Drop newsletter. To read full editions, subscribe.
We now know more about the bug that was exploited last week, resulting in over $220 million in frozen and stolen funds from the Sui-based DEX Cetus.
On Monday, Sui described the flaw as “a bug in a Cetus math library” and promised to commit $10 million to improving Sui’s security more broadly. That includes a bug bounty program, plus Sui-funded security audits for projects using the chain.
Blockchain security firm Dedaub explained that the attack involved intentionally misconfiguring a liquidity pool with an “extremely high value.”
“This allowed them to add massive liquidity positions with just 1 unit of token input, subsequently draining pools collectively containing hundreds of millions of dollars worth of token,” the firm wrote.
As of May 26, Cetus said that the majority of the swiped crypto (roughly $162 million) remained frozen across two Sui wallets, while the rest of the stolen funds had already been converted to ETH by the attacker.
“Cetus has been among the DeFi teams on Sui that invested the most in smart contract audits and system safeguards. Unfortunately, reality does not always unfold as we wish,” Cetus said in its disclosure. “Multiple rounds of audits on the underlying contracts and the dependent open-source libraries — combined with their widespread and successful use by ecosystem developers — gave us a sense that we had done enough. In hindsight, we realize we allowed ourselves to relax our vigilance. This painful lesson has shown us: we must do more.”
The DEX further said last week it hasn’t heard from the hacker thus far.
Sui isn’t the only one that’s recently seen crypto swiped on its chain due to an exploit. On a much smaller scale, Cardex, a game on Abstract, had a flaw that resulted in at least $500,000 being siphoned from that app’s users earlier this year.
Being permissionless means more people can build in a chain’s ecosystem with less oversight, getting closer to financial decentralization, one of the original aims of crypto.
But it also means a chain’s reputation can take a hit when some apps that use it are lacking on the security front — leading to headline-generating exploits and losses often in the millions.
“Security audits are inherently imperfect,” wrote BlockSec’s CCO, who goes by Orlando on X, in response to the incident. “In 2023, the entire crypto market spent $1 billion on security audits, yet $2 billion in assets were still stolen.”
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- Empire: Crypto news and analysis to start your day.
- Forward Guidance: The intersection of crypto, macro and policy.
- 0xResearch: Alpha directly in your inbox.
- Lightspeed: All things Solana.
- The Drop: Apps, games, memes and more.
- Supply Shock: Bitcoin, bitcoin, bitcoin.
