Sui officially issued a statement saying that it supports Cetus Protocol's efforts to recover stolen funds and encourage users with relevant information to provide clues. Our priority remains to protect the community and support actively resolving theft incidents. Previous news, Sui ecological liquidity platform Cetus offered a reward of $5 million with the support of Inca Digital and the funding of the Sui Foundation to seek hacker-related clues.

So, how did Cetus get stolen? What is the attack method? How to transfer funds? Let’s take a look with the editor of Script Home!

background

On May 22, according to community news, Cetus, a liquidity provider on SUI ecosystem, was suspected to be attacked, and the depth of the liquidity pool has dropped significantly. Several token trading pairs on Cetus fell, with an estimated loss of more than US$230 million. Cetus later issued an announcement saying: "A incident was detected in our agreement. For security reasons, the smart contract has been temporarily suspended. Currently, the team is investigating the incident. We will issue further investigation statements soon."

After the incident, the Slow Fog Security Team intervened in the analysis as soon as possible and issued a safety reminder. The following is a detailed analysis of the attack methods and capital transfer situation.

 (https://x.com/CetusProtocol/status/1925515662346404024)

Related information

One of the attack transactions:

https://suiscan.xyz/mainnet/tx/DVMG3B2kocLEnVMDuQzTYRgjwuuFSfciawPvXXheB3x

Attacker's address:

0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06

The attacked pool address:

0x871d8a227114f375170f149f7e9d45be822dd003eba225e83c05ac80828596bc

Tokens involved:

haSUI / SUI

Attack Analysis

The core of this incident is that the attacker carefully constructs parameters so that the overflow occurs but can bypass detection. Finally, he can exchange a very small amount of token token to exchange for huge liquid assets. The following are the specific steps analysis:

1. The attacker first borrowed 10,024,321.28 haSUIs through Lightning Loan, causing the pool price to plummet from 18,956,530,795,606,879,104 to 18,425,720,184762,886, with a price decline of 99.90%.

2. The attacker carefully selected a very narrow price range to open a liquidity position:

• Tick ??Lowest Limit: 300000 (Price: 60,257,519,765,924,248,467,716,150)
• Tick ??cap: 300200 (Price: 60,863,087,478,126,617,965,993,239)
• Price range width: only 1.00496621%

3. Then is the core of this attack. The attacker stated that he would add 10,365,647,984,364,446,732,462,244,378,333,008 units of huge liquidity, but due to the vulnerability, the system only charged 1 token A.

Let’s analyze why an attacker can exchange 1 token for huge liquidity. The core reason is that there is an overflow detection bypass vulnerability in checked_shlw in the get_delta_a function. This is what the attacker takes advantage of, causing severe deviations in the system when calculating how many haSUIs it actually needs to be added. Since the overflow was not detected, the system misjudged the number of required haSUIs, resulting in the attacker being able to exchange a large number of liquid assets with only a very small token, thus realizing the attack.

When the system calculates how much haSUI is needed to add such huge liquidity:

The key here is that the implementation of the checked_shlw function has serious flaws. In fact, any input value less than 0xffffffffffffffff

• Error mask: 0xffffffffffffffffffff
• Almost all inputs are smaller than this mask, bypassing overflow detection
• The real problem: When n >= 2^192, n

The intermediate value liquidity * sqrt_price_diff =6277101735386680763835789423207666908085499738337898853712:

• Less than the error mask, bypassing overflow detection
• However, after shifting left by 64 bits, the maximum value of u256 will be exceeded, resulting in the excess being truncated.
• The final calculation result is about 1, but since it is rounded upward, the calculation of quotient is equal to 1

4. Finally, the attacker removes liquidity and obtains huge token returns:

• First removal: Obtain 10,024,321.28 haSUI
• Second removal: Obtain 1 haSUI
• Third removal: Obtain 10,024,321.28 haSUI

5. The attacker returned the flash loan, with a net profit of approximately 10,024,321.28 haSUI and 5,765,124.79 SUI, and the attack was completed.

Project repair situation

After the attack, Cetus released a fix patch. For specific repair codes, please refer to: https://github.com/CetusProtocol/integer-mate/pull/7/files#diff-c04eb6ebebbabb80342cd953bc63925e1c1cdc7ae1fb572f4aad240288a69409.

The fixed checked_shlw function is as follows:

Repair instructions:

• Correct the wrong mask 0xffffffffffffffffffff
• Correct the judgment condition from n > mask to n >= mask
• Ensure that when shifting the left 64 bits may cause overflow, the overflow flag can be detected correctly and returned

MistTrack Analysis

According to analysis, the attacker 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06 made a profit of approximately US$230 million, including SUI, vSUI, USDC and other assets.

We found that the attacker had Gas Fee ready two days ago and then made a try before the attack, but failed:

After making a profit, the attacker will add some of the funds to

USDC, SOL, and suiETH cross-chain to EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Among them, 5.2341 WBNB cross-chain to the BSC address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Then the attacker will make the value

$10 million in assets deposited into Suilend:

The attacker also transferred 24,022,896 SUI to the new address 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562, which has not been transferred out yet:

Fortunately, according to Cetus, the $162 million stolen funds on SUI have been successfully frozen under cooperation with the SUI Foundation and other ecosystem members.

 (https://x.com/CetusProtocol/status/1925567348586815622)

Next, we use the on-chain anti-money laundering and tracking tool MistTrack to analyze the address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b on EVM.

This address received 5.2319 BNB on BSC and has not been transferred out yet:

The address received 3,000 USDT, 40.88 million USDC, 1,771 SOL and 8,130.4 ETH on Ethereum.

Among them, USDT, USDC and SOL are exchanged for ETH through CoW Swap, ParaSwap, etc.:

Next, the address transfers 20,000 ETH to address 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16, and has not yet been transferred out:

The current balance of this address on Ethereum is 3,244 ETH:

MistTrack has added the above related addresses to the malicious address library. At the same time, we will continue to monitor the address balance.

Summarize

This attack demonstrates the power of a mathematical overflow vulnerability. The attacker uses precise calculations to select specific parameters, and uses the flaws of the checked_shlw function to obtain billions of liquidity at the cost of 1 token. This is an extremely sophisticated mathematical attack, and the Slow Fog Security Team recommends developers to strictly verify the boundary conditions of all mathematical functions in smart contract development.

The above is the detailed content of Cetus was stolen $230 million, analyzing attack methods and capital transfers. For more information, please follow other related articles on the PHP Chinese website!