Author:Victory & Lisa

background

On May 22, according to community news, Cetus, a liquidity provider in the SUI ecosystem, was suspected of being attacked, the depth of the liquidity pool dropped significantly, and multiple token trading pairs on Cetus fell, with an estimated loss of more than $230 million. Subsequently, Cetus issued an announcement saying: "An incident was detected in our protocol. For safety reasons, the smart contract has been temporarily suspended. The team is currently investigating the incident. We will soon issue a further investigation statement."

After the incident, the SlowMist security team immediately intervened to analyze the incident and issued a security alert. The following is a detailed analysis of the attack methods and fund transfer.

 (https://x.com/CetusProtocol/status/1925515662346404024)

Related information

One of the attack transactions:

https://suiscan.xyz/mainnet/tx/DVMG3B2kocLEnVMDuQzTYRgjwuuFSfciawPvXXheB3x

Attacker Address:

0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06

The address of the attacked pool:

0x871d8a227114f375170f149f7e9d45be822dd003eba225e83c05ac80828596bc

Tokens involved:

haSUI/SUI

Attack Analysis

The core of this incident is that the attacker carefully constructed parameters to cause overflow but bypass detection, and ultimately used a very small amount of tokens to exchange for a huge amount of liquid assets. The following is an analysis of the specific steps:

1. The attacker first borrowed 10,024,321.28 haSUI through a flash loan, causing the pool price to plummet from 18,956,530,795,606,879,104 to 18,425,720,184762886, a price drop of 99.90%.

2. The attacker carefully selected an extremely narrow price range to open a liquidity position:

• Tick lower limit: 300000 (price: 60,257,519,765,924,248,467,716,150)
• Tick limit: 300200 (price: 60,863,087,478,126,617,965,993,239)
• Price range width: only 1.00496621%

3. Then comes the core of this attack. The attacker claimed to add 10,365,647,984,364,446,732,462,244,378,333,008 units of huge liquidity, but due to a loophole, the system only collected 1 token A.

Let's analyze why the attacker was able to exchange a huge amount of liquidity with 1 token. The core reason is that there is an overflow detection bypass vulnerability in checked_shlw in the get_delta_a function. The attacker took advantage of this and caused a serious deviation in the system's calculation of how much haSUI actually needed to be added. Because the overflow was not detected, the system misjudged the number of haSUI required, resulting in the attacker only needing a few tokens to exchange a large amount of liquid assets, thus achieving the attack.

When the system calculates how much haSUI is needed to add such a huge amount of liquidity:

The key here is that the implementation of the checked_shlw function is seriously flawed. In fact, any input value less than 0xffffffffffffffff << 192 will bypass the overflow check. However, when these values are left-shifted by 64 bits, the result exceeds the representation range of u256, and the high-order data is truncated, resulting in a result that is much smaller than the theoretical value. As a result, the system will underestimate the number of haSUI required in subsequent calculations.

• Error mask: 0xffffffffffffffff << 192 = a very large value (about 2^256-2^192)
• Almost all inputs are smaller than this mask, bypassing overflow detection
• Real problem: when n >= 2^192, n << 64 will exceed the u256 range and will be truncated

The attacker constructs the intermediate value liquidity * sqrt_price_diff = 6277101735386680763835789423207666908085499738337898853712:

• Less than error mask, bypassing overflow detection
• However, after a 64-bit left shift, the maximum value of u256 will be exceeded, causing the excess part to be truncated.
• The final calculation result is less than 1, but because it is rounded up, the quotient is equal to 1.

4. Finally, the attacker removes the liquidity and obtains huge token gains:

• First withdrawal: 10,024,321.28 haSUI obtained
• Second removal: Get 1 haSUI
• Third withdrawal: 10,024,321.28 haSUI

5. The attacker returns the flash loan, making a net profit of approximately 10,024,321.28 haSUI and 5,765,124.79 SUI, and the attack is complete.

Project repair status

After the attack, Cetus released a patch. The specific patch code can be found at: https://github.com/CetusProtocol/integer-mate/pull/7/files#diff-c04eb6ebebbabb80342cd953bc63925e1c1cdc7ae1fb572f4aad240288a69409.

The repaired checked_shlw function is as follows:

Repair instructions:

• Corrected the incorrect mask 0xffffffffffffffff << 192 to the correct threshold 1 << 192
• Correct the judgment condition from n > mask to n >= mask
• Ensure that when a left shift of 64 bits may cause overflow, the overflow flag is correctly detected and returned

MistTrack Analysis

According to analysis, the attacker 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06 made a profit of approximately $230 million, including various assets such as SUI, vSUI, and USDC.

We found that the attacker prepared the Gas Fee two days ago, and then made an attempt before the attack, but failed:

After making a profit, the attacker will transfer part of the funds to

USDC, SOL, and suiETH are cross-chained to the EVM address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b through cross-chain bridges such as Sui Bridge, Circle, Wormhole, and Mayan:

Among them, 5.2341 WBNB cross-chained to the BSC address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:

Next, the attacker adds the value

$10 million in assets deposited into Suilend:

The attacker also transferred 24,022,896 SUI to the new address 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562, but has not yet transferred it out:

Fortunately, according to Cetus, with the cooperation of the SUI Foundation and other ecosystem members, $162 million of stolen funds on SUI have been successfully frozen.

 (https://x.com/CetusProtocol/status/1925567348586815622)

Next, we use the on-chain anti-money laundering and tracking tool MistTrack to analyze the address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b on the EVM that receives cross-chain funds.

This address received 5.2319 BNB on BSC and has not yet transferred it out:

The address received 3,000 USDT, 40.88 million USDC, 1,771 SOL, and 8,130.4 ETH on Ethereum.

Among them, USDT, USDC and SOL are exchanged for ETH through CoW Swap, ParaSwap, etc.:

Next, the address transferred 20,000 ETH to the address 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16, but has not yet transferred it out:

The current balance of this address on Ethereum is 3,244 ETH:

MistTrack has added the above-mentioned addresses to the malicious address database. At the same time, we will continue to monitor the address balances.

Summarize

This attack demonstrates the power of math overflow vulnerabilities. The attacker selected specific parameters through precise calculations and exploited the defects of the checked_shlw function to obtain billions of liquidity at the cost of 1 token. This is an extremely sophisticated math attack, and the SlowMist Security Team recommends that developers strictly verify the boundary conditions of all math functions in smart contract development.