Sui DEX Cetus says overlooked flaw in open-source library used by smart contract led to $223 million exploit

Cetus Protocol confirmed that an attacker exploited a flaw in an open-source library used by its CLMM smart contract, leading to the $223 million drain.

Moving forward, Cetus plans to bolster security through rigorous testing, expanded audits, and a strengthened bug bounty program.

After suffering a $223 million attack last week, Sui-based decentralized exchange Cetus Protocol confirmed that a flaw in an open-source library used by its smart contract was behind the exploit that drained users' funds.

More specifically, the attack targeted Cetus' Concentrated Liquidity Market Maker (CLMM) pools using the smart contract. It involved manipulating pool prices with a flash swap, exploiting an overflow-check error to inject an artificially large liquidity value with a minimal amount of tokens, and then repeatedly removing liquidity to siphon assets, according to a full incident report.

The vulnerability stemmed from a misapplied integer-overflow safeguard in the integer-mate library, specifically in its checked_shlw method, which validated inputs against a 256-bit limit instead of a 192-bit limit, so the left shift it guards could overflow without being detected, allowing unchecked liquidity injections, the team explained.
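To make the bound error concrete, here is an added Python model of the check described above; it is not the Move code from the library or from Cetus, and it assumes only what the article states: checked_shlw shifts a 256-bit value left by one 64-bit word and must reject inputs that do not fit in 192 bits. The flawed variant bounds the input against the full 256-bit range, which a valid u256 can never exceed, so the wrapped (truncated) result is returned as if nothing had overflowed; the fixed variant rejects anything at or above 2^192.

```python
# Added example modelling the class of bug in a "checked shift-left-by-word" helper.
# Constructed from the article's description, not the library's actual source.
U256_MASK = (1 << 256) - 1      # largest representable 256-bit value
U192_LIMIT = 1 << 192           # n << 64 fits in 256 bits only if n < 2^192
WORD_BITS = 64                  # "shlw" = shift left by one 64-bit word


def checked_shlw_flawed(n: int) -> tuple[int, bool]:
    """Flawed check: compares against the 256-bit limit.

    Every valid u256 input passes, so for n >= 2^192 the shift overflows and
    the high bits are silently discarded (modelled here with an explicit mask,
    as wrapping arithmetic would do in a fixed-width integer).
    Returns (result, overflowed).
    """
    if n > U256_MASK:            # can never be true for a u256 input
        return 0, True
    return (n << WORD_BITS) & U256_MASK, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct check: the input must fit in 192 bits before shifting by 64."""
    if n >= U192_LIMIT:
        return 0, True
    return n << WORD_BITS, False


def bits_lost(n: int) -> int:
    """How many significant bits the flawed variant drops for input n.

    Useful as a unit-test oracle: any non-zero value here means the flawed
    helper returned a wrapped result without signalling overflow.
    """
    flawed, _ = checked_shlw_flawed(n)
    exact = n << WORD_BITS
    return max(exact.bit_length() - 256, 0) if flawed != exact else 0


if __name__ == "__main__":
    # Constructed inputs: one that legitimately fits, one that does not.
    ok = 1 << 191
    too_big = (1 << 200) | 5
    print("in-range  flawed:", checked_shlw_flawed(ok))
    print("in-range  fixed :", checked_shlw_fixed(ok))
    print("oversized flawed:", checked_shlw_flawed(too_big))   # wraps to a tiny value
    print("oversized fixed :", checked_shlw_fixed(too_big))    # flags overflow
    print("bits lost by flawed variant:", bits_lost(too_big))
```

The defensive takeaway is that an overflow guard must bound the input by the width that remains after the shift, and a test suite for such a helper should include inputs just above that reduced limit, not only inputs near the full word width.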

"It is necessary to clarify that recently some people on social media wrongly believed that the exploit was caused by an arithmetic error of MAX_U64 checking flagged in the previous audit report, which misled many people who did not know the fact," Cetus noted. "We hereby declare that this issue has nothing to do with the recent exploit."

According to Cetus's timeline of events, its core CLMM pools were disabled to prevent further loss within 30 minutes of the exploit commencing. Approximately $223 million had already been siphoned by that point, causing various Sui-based tokens to plunge in price amid the chaos. Within an hour and 20 minutes of the attack, Sui validators began voting to reject transactions from the attacker's addresses, and once the vote surpassed 33% of the total stake, addresses that had drained around $162 million were effectively "frozen," Cetus said.

This blocked the attacker's addresses from transacting with those funds on Sui, triggering a backlash from critics who argued the censorship exposed centralization risks. However, roughly $60 million had already been converted to USDC, bridged to Ethereum, and swapped for ETH, onchain analysts previously noted.

The vulnerable contract was later patched and upgraded, though it has yet to be fully restarted.

Negotiations and bounties

In a message to the attacker, Cetus and data analytics company Inca Digital then requested the return of 20,920 ETH and the funds frozen on the exploiter's Sui wallets, stating that no further legal or public action would be taken if the settlement was accepted.

Cetus said it did not receive any communication from the hacker, and the team subsequently announced a $5 million bounty for relevant information that resulted in the successful identification and arrest of the hacker, payable at the Sui Foundation's discretion.

At the same time, Cetus also asked the Sui community to support a protocol upgrade to recover the $162 million of frozen funds and return them to their rightful owners. "No one can make this decision unilaterally. We propose an onchain vote involving the network's major participants, including validators and SUI stakers, to decide on whether this upgrade is in the best interest of the Sui community," it said. "We want to recover and return the stolen funds, but we will respect whatever the community decides."

What's next?

Cetus said it had heavily invested in smart contract audits and system safeguards since it launched, believing multiple reviews and widespread developer adoption offered sufficient protection. However, the team acknowledged the recent exploit made it clear that this sense of security was misplaced and that it "must do more."

To strengthen its defenses, Cetus is implementing enhanced real-time monitoring, stricter risk management configurations, deeper test coverage, and more frequent, milestone-based audits, alongside committing to greater transparency through public reporting of code coverage metrics.

In the immediate term, Cetus is working with the Sui security team and audit partners to revalidate all upgraded contracts before reactivating its CLMM pools. Cetus is also collaborating with ecosystem partners on a recovery plan to restore liquidity access for impacted LPs, including the onchain vote to help return user assets.

Meanwhile, legal proceedings are underway, though Cetus has also extended its white hat offer to the attacker in the hope of recovering funds without further damage. A final notice will be sent to the hacker soon, it said.
