According to community reports, on May 22 Cetus, a liquidity provider on the SUI ecosystem, was suspected of having been attacked. Its pools suffered a sharp reduction in liquidity depth, multiple token trading pairs on Cetus fell, and losses were expected to exceed $230 million.
Cetus was founded in March 2024 by experienced blockchain developers and researchers. The protocol aims to build a fast, efficient and user-friendly decentralized exchange. Cetus provides liquidity services for the SUI ecosystem and supports a range of token trading pairs, such as haSUI/SUI, vSUI/SUI and USDC/SUI.
After the incident, the SlowMist security team stepped in to analyse it and issued a security alert. Below is a detailed analysis of the attack method and the movement of funds.
The core of this incident is that the attacker carefully constructed parameters that trigger an integer overflow while bypassing the overflow check, ultimately exchanging a tiny token amount for an enormous liquidity position.
The attacker first borrowed 10,024,321.28 haSUI through a flash loan, driving the pool price from 18,956,530,795,606,879,104 down to 18,425,720,184,762,886, a drop of 99.90%.
The attacker then chose an extremely narrow price range for the liquidity position:
Tick lower limit: 300000 (sqrt price, Q64.64: 60,257,519,765,924,248,467,716,150)
Tick upper limit: 300200 (sqrt price, Q64.64: 60,863,087,478,126,617,965,993,239)
Range width: only 1.00496621% (the upper sqrt price over the lower one, minus one)
Now comes the core of the attack: the attacker declared an enormous liquidity amount of 10,365,647,984,364,446,732,462,244,378,333,008, but because of the vulnerability the system charged only 1 unit of token A (haSUI) for it.
Why could the attacker obtain that much liquidity for just 1 token? The root cause is an overflow-check bypass in the checked_shlw function, which get_delta_a calls when computing the amount of token A owed for a position. Because the check never fires, the left shift silently truncates the high-order bits, get_delta_a grossly underestimates the amount of haSUI required, and the attacker pays a negligible amount for a huge liquidity position.
When the system calculates how much haSUI is needed to add this much liquidity:
The key is a serious flaw in the implementation of checked_shlw. Any input value that does not exceed the mask 0xffffffffffffffff << 192 passes the overflow check. But for any such value that is at least 2^192, shifting it left by 64 bits exceeds the representable range of u256; the high-order bits are truncated and the result is far smaller than the true value. The system therefore underestimates the required amount of haSUI in the subsequent calculation.
Wrong mask: 0xffffffffffffffff << 192, a very large value (exactly 2^256 - 2^192)
Almost every input is below this mask, so overflow detection is bypassed
The real condition: when n >= 2^192, n << 64 exceeds the u256 range and is truncated
The intermediate value constructed by the attacker, liquidity * sqrt_price_diff = 6277101735386680763835789423207666908085499738337898853712 (just above 2^192):
Is below the wrong mask, so it passes the overflow check
But shifted left by 64 bits it exceeds the maximum u256 value, and the overflowing high bits are truncated
The resulting quotient is less than 1, and because the division rounds up it is computed as 1
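As an added example (not Cetus's or the integer-mate library's own code), the following Python model reproduces the arithmetic described above: the flawed checked_shlw, a corrected version, and a get_delta_a that follows the formula liquidity * sqrt_price_diff << 64 / (sqrt_price_lower * sqrt_price_upper), fed with the tick prices and liquidity figure quoted in this write-up. Python integers are unbounded, so the u256 wrap-around of Move's left shift is emulated with an explicit mask. The function names mirror the ones named in the analysis, but the bodies are this example's reconstruction, the corrected check is the obvious fix rather than a quotation of the project's patch, and the tick-to-sqrt-price helper is a high-precision decimal approximation rather than the on-chain fixed-point routine.

```python
# Added example, not Cetus or integer-mate code: a Python model of the
# checked_shlw overflow-check bypass. Python ints are unbounded, so Move's
# wrap-around on a u256 left shift is emulated with an explicit 256-bit mask.
# Constants are the ones quoted in the write-up (sqrt prices are Q64.64).
from decimal import Decimal, localcontext

U256_MASK = (1 << 256) - 1
U64_MAX = (1 << 64) - 1

SQRT_PRICE_LOWER = 60_257_519_765_924_248_467_716_150   # tick 300000
SQRT_PRICE_UPPER = 60_863_087_478_126_617_965_993_239   # tick 300200
LIQUIDITY = 10_365_647_984_364_446_732_462_244_378_333_008


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Flawed check as described above: (n << 64 truncated to u256, overflowed).

    The mask 0xffffffffffffffff << 192 equals 2**256 - 2**192, so only inputs
    above it are rejected, although any n >= 2**192 already loses its top
    bits when shifted left by 64.
    """
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MASK, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Corrected check (the natural fix, written for this example, not quoted
    from the project): n << 64 fits in u256 exactly when n < 2**192."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def full_mul_u128(a: int, b: int) -> int:
    """u128 * u128 -> u256; this product can never overflow 256 bits."""
    if not (0 <= a < (1 << 128) and 0 <= b < (1 << 128)):
        raise ValueError("inputs must fit in u128")
    return a * b


def div_round(numerator: int, denominator: int, round_up: bool) -> int:
    quotient, remainder = divmod(numerator, denominator)
    return quotient + 1 if (round_up and remainder) else quotient


def get_delta_a(sqrt_price_0: int, sqrt_price_1: int, liquidity: int,
                round_up: bool, shlw=checked_shlw_buggy) -> int:
    """Token-A amount backing `liquidity` between two Q64.64 sqrt prices:
    liquidity * |sp1 - sp0| * 2**64 / (sp0 * sp1), rounded up when adding.
    Raises OverflowError where the on-chain code would abort."""
    diff = abs(sqrt_price_0 - sqrt_price_1)
    if diff == 0 or liquidity == 0:
        return 0
    numerator, overflowed = shlw(full_mul_u128(liquidity, diff))
    if overflowed:
        raise OverflowError("EMULTIPLICATION_OVERFLOW")
    denominator = full_mul_u128(sqrt_price_0, sqrt_price_1)
    amount = div_round(numerator, denominator, round_up)
    if amount > U64_MAX:
        raise OverflowError("amount does not fit in u64")
    return amount


def exact_delta_a(sqrt_price_0: int, sqrt_price_1: int, liquidity: int) -> int:
    """The same formula with unbounded integers: what the pool really needs."""
    diff = abs(sqrt_price_0 - sqrt_price_1)
    return div_round(liquidity * diff << 64, sqrt_price_0 * sqrt_price_1, True)


def tick_to_sqrt_price_q64(tick: int) -> int:
    """sqrt(1.0001**tick) * 2**64 at 60 significant digits; close to the
    on-chain fixed-point tick math, not bit-identical to it."""
    with localcontext() as ctx:
        ctx.prec = 60
        return int(Decimal("1.0001") ** (Decimal(tick) / 2) * (1 << 64))


def reproduce() -> dict:
    """Runs the write-up's figures through the flawed and corrected checks."""
    product = full_mul_u128(LIQUIDITY, SQRT_PRICE_UPPER - SQRT_PRICE_LOWER)
    result = {
        "product_at_least_2_192": product >= (1 << 192),
        "product_passes_buggy_mask": product <= (0xFFFFFFFFFFFFFFFF << 192),
        "range_width_pct": (SQRT_PRICE_UPPER - SQRT_PRICE_LOWER) / SQRT_PRICE_LOWER * 100,
        "buggy_amount": get_delta_a(SQRT_PRICE_LOWER, SQRT_PRICE_UPPER,
                                    LIQUIDITY, True, checked_shlw_buggy),
        "exact_amount": exact_delta_a(SQRT_PRICE_LOWER, SQRT_PRICE_UPPER, LIQUIDITY),
    }
    try:
        get_delta_a(SQRT_PRICE_LOWER, SQRT_PRICE_UPPER, LIQUIDITY, True, checked_shlw_fixed)
        result["fixed_aborts"] = False
    except OverflowError:
        result["fixed_aborts"] = True
    return result


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

Running it prints the two outcomes side by side: the flawed path charges 1 unit of haSUI for the position, the corrected check aborts with the overflow error, and the unbounded computation shows an amount far above u64::MAX, so a correct implementation could never have accepted this call at all. The width check also confirms that the two quoted "prices" are Q64.64 sqrt prices at ticks 300000 and 300200, 100 half-ticks apart, which is where the 1.00496621% figure comes from.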
Finally, the attacker removed the liquidity and took out massive token amounts:
First removal: obtained 10,024,321.28 haSUI