Cetus Protocol Loses $223M in an Exploit Targeting Its Pricing Mechanism

Blockchain analytics firm Lookonchain revealed that the attacker drained over $260 million from the protocol.

Cetus Protocol, a decentralized exchange (DEX) operating on the Sui Network, has suspended its smart contract operations after a serious security breach, according to a report by Bitcoin.com.

The platform confirmed the exploit on May 22 through its official X account, noting that the shutdown was necessary to prevent further fund loss, stating,

🚨Alert Announcement 🚨

There was an incident detected on our protocol and our smart contract has been paused temporarily for safety. The team is investigating the incident at the moment. A further investigation statement will be made soon. We are grateful for your patience.

— Cetus (@CetusProtocol) May 22, 2023

The exploit, which has been widely discussed on social media, saw an attacker steal over $260 million from the protocol, according to blockchain analytics firm Lookonchain.

The stolen assets are reportedly being swapped into USDC and bridged to Ethereum, where they are exchanged for ETH.

At the time of reporting, approximately $60 million in USDC had already been transferred across chains, Lookonchain reported.

The hacker stole about $260M from Cetus and is now swapping it to USDC and bridging it to Ethereum to exchange for ETH.

The hacker has already bridged about $60M USDC to Ethereum.https://t.gov/uR7GV8jM8z

— Lookonchain (@Lookonchain) May 22, 2023

Data from DeFiLlama supports this, showing a steep drop in the platform’s total value locked (TVL), which fell by more than $200 million to around $75 million.

Meanwhile, Cetus Protocol’s native token, CETUS, plunged over 24% to $0.15 as of press time, according to CryptoSlate’s data.

The exploit also triggered a broader selloff in the Sui ecosystem, with seven out of 11 Sui-based tokens tracked by CryptoSlate registering losses of around 5% or more.

Rosco Kalis, the founder of Revoke Cash, pointed out:

The stolen funds mostly belonged to the LPs of the DEX. But this also caused a lot of Sui token prices to crash, affected normal users as well. The SUI token itself seems to be holding up relatively fine so far though, only down slightly for the day. https://t.gov/b289BmM73j

— Rosco Kalis (@RoscoKalis) May 22, 2023

How Cetus was exploited

Early analysis suggests the exploit may be linked to a flaw in the protocol’s pricing mechanism.

Alex Horlan, CTO of web3 security firm HackenProof, explained that the attacker likely used a near-zero liquidity injection to manipulate the pools’ internal state. This allowed them to extract valuable SUI and USDC tokens without contributing real assets.

He added that the team needs to:

Check the math behind addLiquidity, removeLiquidity, and swap functions — especially where they Compute token ratios, Round small values, and Handle tokens with decimals = 0.

Earlier today, a member of the Cetus team posted to Discord that the platform was “not hacked, we’ve detected a bug in the oracle.” The general consensus among Crypto Twitter now appears to support oracle manipulation as the cause of the exploit.

Cetus Protocol employs a dual approach to oracles within its ecosystem:

* Internal oracle via concentrated liquidity pools: Cetus’s concentrated liquidity pools serve as an on-chain oracle by providing real-time liquidity data and historical price information. This mechanism allows external developers and platforms to access accurate market data derived directly from actual trading activities, reducing reliance on off-chain data sources, and is supposed to minimize risks associated with oracle manipulation.

* Integration with Pyth Network: Cetus contributes its decentralized exchange (DEX) price data to the Pyth Network, a decentralized oracle solution.

As of press time, Pyth Network has not commented on the incident, so it is unclear whether the pricing issue originated from the on-chain oracles or Pyth.

Despite the unsavoury incident, the project has received support from the broader crypto community. Binance founder and former CEO Changpeng Zhao noted that his team has reached out to help Cetus resolve the situation.

The post Cetus Protocol suspends smart contract operations after $223 million exploit appeared first on Chain Brief.

Continue reading on Chain Brief