SlowMist confirmed bug in checked_shlw function was root cause of $230M DeFi loss. Tiny overflow bug in Cetus smart contract allowed attacker to fake massive liquidity deposits.
On May 22, something alarming happened in the SUI blockchain world. Prices on the Cetus decentralized exchange (DEX) suddenly dropped, and its liquidity pools were drained. The total estimated loss was over $230 million.
Several reports quickly implicated a single triple-entry arbitrageur who used a flash loan to crash a token price instantly and siphon off funds from multiple protocols. However, the precise technical vulnerability that enabled this massive exploit remained a subject of discussion.
Now, renowned blockchain security team SlowMist has released a detailed analysis, revealing a tiny overflow bug in Cetus’ smart contract as the root cause of the staggering DeFi loss.
The checked_shlw function, designed to check for errors like overflows, failed to properly detect an overflow in the get_delta_a function, which is used to calculate the delta of token A when adding liquidity.
This bug allowed the attacker to claim to be adding a huge amount of liquidity by displaying a nearly impossible price and submitting only 1 token, while the system expected 367506680905089974005506088888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
Disclaimer:info@kdj.com
The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research!
If you believe that the content used on this website infringes your copyright, please contact us immediately (info@kdj.com) and we will delete it promptly.
