Cetus Hack Post-Mortem: $223M DeFi Exploit Traced to Overflow Bug in AMM Logic

A post-mortem investigation into the $223 million hack of the Cetus Protocol has traced the exploit to a critical overflow bug. According to blockchain security firm Dedaub, the flaw sat in Cetus’s automated market maker (AMM) logic and allowed an attacker to manipulate liquidity pools with a deposit of a single token.
“This incident represents one of the most significant DeFi exploits in recent history,” Dedaub stated in its report.
The bug, described as a subtle but dangerous overflow error, mishandled large numerical inputs. The overflow check that should have rejected them let them through, and the arithmetic silently truncated the result, producing output values far smaller than the true ones.
That miscalculation let the attacker mint vastly inflated liquidity positions for minimal deposits. Against these fictitious positions, the attacker was then able to extract large amounts of real assets from multiple pools, triggering one of the largest financial breaches in the Sui ecosystem to date.
The vulnerability was not new. Ottersec, another blockchain security firm, had flagged a similar issue during an audit of Cetus’s codebase in early 2023, when the protocol was deployed on the Aptos network. When the code was later ported to the Sui blockchain, however, the same overflow issue reemerged despite an attempted fix.
Dedaub criticized the flawed implementation of the overflow checks and stressed the need for more rigorous safeguards in DeFi development. “This incident shows why edge cases in DeFi can’t be ignored,” the firm noted. It advised that overflow protections be verified by hand rather than assumed to work, especially in code that performs complex or high-precision financial arithmetic.
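As an added worked example (not code from Cetus, Dedaub or Ottersec), the Python below emulates 256-bit unsigned arithmetic to show the failure class described above: an overflow guard whose bound is wrong, so an oversized value passes, the left shift silently drops its high bits, and a near-maximal liquidity position prices out at a single token; the corrected guard beside it rejects the same input. The function names, the wrong-bound constant, the sample inputs and the Q64.64 pricing relation are assumptions chosen for illustration, not the protocol’s actual code.

```python
# Added illustration (not Cetus, Dedaub or Ottersec code): emulate u256
# arithmetic in Python to show how a mis-bounded overflow guard on a wide
# left shift lets an oversized value through, truncates it, and turns a
# huge liquidity amount into a one-token deposit requirement.
# Function names, constants and the pricing formula are assumptions
# chosen to model the failure class the article describes.

U256_MAX = (1 << 256) - 1
U128_MAX = (1 << 128) - 1


def shl64_misbounded(n: int) -> tuple[int, bool]:
    """Shift n left by 64 bits with a guard that checks the wrong bound.

    The guard only rejects values whose top 64 bits are all ones, so any
    value in [2**192, 2**256 - 2**192] passes and its high bits are lost.
    (Assumed shape of a wrong guard, used to demonstrate the failure class.)
    """
    wrong_bound = 0xFFFFFFFFFFFFFFFF << 192
    if n > wrong_bound:
        return 0, True
    return (n << 64) & U256_MAX, False   # bits at or above 2**256 are discarded


def shl64_checked(n: int) -> tuple[int, bool]:
    """Correct guard: shifting by 64 loses bits exactly when n >= 2**192."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def token_a_for_liquidity(liquidity: int, sqrt_lo: int, sqrt_hi: int, shl64) -> int:
    """Token-A amount needed to back `liquidity` over a sqrt-price range.

    Uses the generic concentrated-liquidity relation with Q64.64 sqrt prices,
        delta_a = liquidity * (sqrt_hi - sqrt_lo) * 2**64 / (sqrt_lo * sqrt_hi),
    rounded up (an assumed form, not a specific protocol's code). `shl64`
    supplies the "* 2**64" step so the two guards can be compared directly.
    """
    assert 0 < liquidity <= U128_MAX and 0 < sqrt_lo < sqrt_hi <= U128_MAX
    numerator, overflow = shl64(liquidity * (sqrt_hi - sqrt_lo))
    if overflow:
        raise OverflowError("liquidity * price range too large for u256 math")
    denominator = sqrt_lo * sqrt_hi
    return -(-numerator // denominator)   # ceiling division


# Constructed inputs: near-maximal u128 liquidity over a narrow range whose
# product lands just above 2**192, the point where the shift drops bits.
LIQUIDITY = (1 << 127) + 1
SQRT_LO = 1 << 70                  # Q64.64 sqrt price: price = 64**2 = 4096
SQRT_HI = SQRT_LO + (1 << 65)      # two sqrt-price units wider


def demo() -> dict:
    """Return the deposit required under each guard for the same position."""
    out = {"misbounded": token_a_for_liquidity(LIQUIDITY, SQRT_LO, SQRT_HI, shl64_misbounded)}
    try:
        out["checked"] = token_a_for_liquidity(LIQUIDITY, SQRT_LO, SQRT_HI, shl64_checked)
    except OverflowError as exc:
        out["checked"] = str(exc)
    # What the math says with unbounded integers, for comparison.
    exact_num = (LIQUIDITY * (SQRT_HI - SQRT_LO)) << 64
    out["exact"] = -(-exact_num // (SQRT_LO * SQRT_HI))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>10}: {value}")
```

With these inputs the mis-bounded guard reports no overflow and prices the position at 1 token, while the true requirement is on the order of 10^34 and the corrected guard aborts the operation. The practical check Dedaub’s advice implies is to derive the bound from the arithmetic itself (a shift by k bits overflows a w-bit word exactly when the value is at least 2^(w-k)) and to test the guard at that boundary rather than trusting a hand-written mask.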
Cetus, a prominent decentralized exchange (DEX) on Sui, was hacked in the early hours of May 22. Initial reports blamed the breach on an “oracle bug,” but deeper analysis now points directly to a bug in the protocol’s own arithmetic rather than in its price feed. The exploit caused over $223 million in user losses and sent shockwaves through the market.
Tokens associated with the Sui ecosystem, including SUI and CETUS, plunged more than 40% following the hack. Smaller-cap tokens and memecoins native to the network saw even sharper declines—some losing over 90% of their value within hours.
In response to the breach, the Sui Foundation coordinated with validators to freeze roughly $163 million of the stolen assets. Meanwhile, Cetus has issued a $5 million bounty for information leading to the identification of the attackers.