CETUS协议流动性提供商合同溢出漏洞

根据社区新闻的报道，5月22日，SUI生态系统上的流动性提供商CETU被涉嫌遭到攻击

A liquidity provider, Cetus, on the SUI ecosystem was suspected to be undergoing a significant liquidity depth reduction, and multiple token trading pairs on Cetus experienced declines, with expected losses exceeding $230 million.

SUI生态系统上的流动性提供商Cetus被怀疑正在经历大幅度的流动性深度，而Cetus的多个代币交易对经历了下降，预期损失超过2.3亿美元。

Cetus was founded in March 2024 by experienced blockchain developers and researchers. The protocol aims to build a decentralized exchange that is fast, efficient, and user-friendly. Cetus provides liquidity provider services for the SUI ecosystem and supports various token trading pairs, such as haSUI/SUI, vSUI/SUI, and USDC/SUI.

CETUS由经验丰富的区块链开发人员和研究人员于2024年3月成立。该协议旨在建立一个快速，高效且用户友好的分散交易所。 CETUS为SUI生态系统提供流动性提供商服务，并支持各种令牌交易对，例如Hasui/Sui，VSUI/SUI和USDC/SUI。

After the incident occurred, the SlowMist security team intervened for analysis and issued a security alert. Below is a detailed analysis of the attack method and fund transfer situation.

事件发生后，慢速安全团队介入了分析并发布了安全警报。以下是对攻击方法和资金转移情况的详细分析。

The core of this incident is that the attacker carefully constructed parameters to cause overflow while bypassing detection, ultimately allowing a very small token amount to exchange for massive liquidity assets.

该事件的核心是攻击者仔细构造的参数在绕过检测的同时引起溢出，最终允许非常小的令牌来交换大量流动性资产。

The attacker first borrowed 10,024,321.28 haSUI through a flash loan, causing the pool price to plummet from 18,956,530,795,606,879,104 to 18,425,720,184762886, with a price drop of 99.90%.

攻击者首先通过闪光贷款借了10,024,321.28 Hasui，导致游泳池价格从18,956,530,795,606,879,104下降到18,425,720,18476286，价格下降了99.90％。

The attacker carefully selected an extremely narrow price range to open a liquidity position:

攻击者仔细选择了一个极其狭窄的价格范围来打开流动性位置：

Tick lower limit: 300000 (Price: 60,257,519,765,924,248,467,716,150)

刻度下限：300000（价格：60,257,519,765,924,248,467,716,150）

Tick upper limit: 300200 (Price: 60,863,087,478,126,617,965,993,239)

刻度上限：300200（价格：60,863,087,478,126,617,965,993,239）

Price range width: only 1.00496621%

价格范围宽度：仅1.00496621％

Next is the core of this attack, where the attacker claimed to add a massive liquidity of 10,365,647,984,364,446,732,462,244,378,333,008 but due to the vulnerability, the system only accepted 1 token A.

接下来是这次攻击的核心，攻击者声称增加了10,365,647,984,364,364,446,446,732,462,462,462,244,378,333,008

Let's analyze why the attacker could exchange a massive liquidity with just 1 token. The core reason lies in the overflow detection bypass vulnerability in the checked_shlw function in the get_delta_a function. The attacker exploited this, causing the system to miscalculate the actual amount of haSUI needed to add. Due to the overflow not being detected, the system misjudged the required amount of haSUI, allowing the attacker to exchange only a very small number of tokens for a large amount of liquidity assets, thus executing the attack.

让我们分析为什么攻击者只能用1个令牌交换大量流动性。核心原因在于get_delta_a函数中checked_shlw函数中的溢出检测旁路漏洞。攻击者利用了这一点，导致系统错误地计算了添加所需的Hasui的实际数量。由于未检测到溢出，该系统误判了所需的HASUI数量，从而使攻击者仅将大量流动性资产的代币交换为少量的令牌，从而执行了攻击。

When the system calculates how much haSUI is needed to add such massive liquidity:

当系统计算需要多少hasui来增加如此巨大的流动性时：

The key here is that there is a serious flaw in the implementation of the checked_shlw function. In fact, any input value less than 0xffffffffffffffff << 192 will bypass overflow detection. However, when these values are left-shifted by 64 bits, the result exceeds the representable range of u256, causing the high-order data to be truncated, resulting in a obtained value much smaller than the theoretical value. As a result, the system will underestimate the required amount of haSUI in subsequent calculations.

这里的关键是实现checked_shlw函数存在严重缺陷。实际上，任何小于0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffly <192均小于192，任何输入值都将绕过溢出检测。但是，当这些值被64位左移时，结果超过了U256的可表示范围，从而导致高阶数据被截断，从而导致获得的值远小于理论值。结果，该系统将在随后的计算中低估所需的HASUI数量。

Error mask: 0xffffffffffffffff << 192 = a very large value (about 2^256 - 2^192)

Error Mask: 0xfffffffffffffffffffffffffffffffffffffffffffffffff << 192 = A VERY LARGE VALUE (About 2^256 - 2^192)

Almost all inputs are less than this mask, bypassing overflow detection

几乎所有输入都比此面具少，绕过溢出检测

The real problem: when n >= 2^192, n << 64 exceeds the u256 range and gets truncated

真正的问题：当n> = 2^192，n << 64超过U256范围并被截断

The intermediate value constructed by the attacker liquidity * sqrt_price_diff = 6277101735386680763835789423207666908085499738337898853712:

攻击者流动性构建的中间值 * sqrt_price_diff = 62771017353866807638383578942320766669085499737373789853712：

Less than the erroneous mask, bypassing overflow detection

少于错误的掩码，绕过溢出检测

But after left-shifting 64 bits, it exceeds the maximum value of u256, causing the overflow part to be truncated

但是在左移动64位之后，它超过了U256的最大值，导致溢出部分被截断

This leads to a final calculation result of approximately less than 1, but since it is rounded up, the quotient is calculated to equal 1

这导致最终计算结果大约小于1，但是由于将其舍入，因此将其计算为1

Finally, the attacker removed liquidity and obtained massive token profits:

最后，攻击者删除了流动性并获得了大量令牌利润：

First removal: Obtained 10,024,321.28 haSUI

首次删除：获得10,024,321.28 HASUI