An unforeseen bug in a critical function led to the draining of Cetus DEX’s liquidity pools on Sui. Last week, an attacker exploited a vulnerability in an open-source library used by the CLMM smart contract, siphoning off $223 million and leaving behind a frozen protocol and a shocked community.
A surgical attack using a simple flash swap
According to Cetus’ post-mortem report, the exploit stemmed from a verification error in the checked_shlw function of the inter_mate library. The function was supposed to limit inputs to 192 bits but mistakenly accepted values of up to 256 bits, so the subsequent shift could overflow without being flagged. As a result, the attacker could inject massive fake liquidity with minimal tokens, manipulate price ticks, and withdraw the funds across multiple iterations. A clean, swift, and brutal bypass.
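To illustrate the class of defect the post-mortem describes, the following is an added Python example (not the inter_mate or Cetus code): a checked left shift on a 256-bit unsigned value, with a flawed bound that accepts any 256-bit input beside the corrected bound that rejects inputs of 192 bits or more. The shift amount of 64 bits and the (result, overflow_flag) return shape are assumptions made for the illustration.

```python
# Illustrative model of a checked shift-left on a u256, not the library's code.
# Python ints are unbounded, so the 256-bit wrap-around is applied explicitly.

MASK256 = (1 << 256) - 1
SHIFT = 64  # assumption: shift by one 64-bit word
INPUT_LIMIT_BITS = 192  # an input under 2**192 shifted by 64 still fits in 256 bits


def checked_shlw_flawed(n: int):
    """Buggy variant: the bound is 2**256, which every u256 already satisfies,
    so the overflow flag is never raised and high bits are silently discarded."""
    if n >= (1 << 256):  # wrong bound: unreachable for any u256 input
        return None, True
    return (n << SHIFT) & MASK256, False


def checked_shlw_fixed(n: int):
    """Corrected variant: reject any input with a set bit at position 192 or above,
    because shifting such a value by 64 cannot be represented in 256 bits."""
    if n >= (1 << INPUT_LIMIT_BITS):
        return None, True  # overflow flagged; the caller must abort
    return (n << SHIFT) & MASK256, False


def bits_lost(n: int) -> int:
    """Number of set bits that the flawed variant drops for input n."""
    return bin(n >> (256 - SHIFT)).count("1")


if __name__ == "__main__":
    small = 1 << 100        # constructed input that fits comfortably
    large = 1 << 200        # constructed input with a bit above position 192
    print("small:", checked_shlw_flawed(small) == checked_shlw_fixed(small))
    print("large, flawed:", checked_shlw_flawed(large))  # (0, False): wrapped to zero
    print("large, fixed:", checked_shlw_fixed(large))    # (None, True): overflow caught
    print("bits lost by flawed variant:", bits_lost(large))
```

The flawed variant returns a truncated result with the overflow flag still clear, which is exactly the condition under which a caller that trusts the flag proceeds with a wrong value.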
Upon detecting the anomaly, the Cetus teams deactivated the CLMM pools in under 30 minutes. By then, however, over $200 million had already vanished, sending token prices on Sui plunging. Within the next hour, validators froze the attacker’s addresses, locking up $162 million on the network. Yet nearly $60 million had already been converted to USDC and bridged to Ethereum.
Censorship or protection? The debate reignited
The decision to block wallets immediately sparked a debate on the true decentralization of Sui. Some applaud the swift response to minimize damage. Others denounce a dangerous precedent: if a network can freeze funds so quickly, what ensures long-term neutrality?
Recovering funds: on-chain vote and manhunt
Cetus attempted a diplomatic approach. A proposal for restitution without prosecution was sent to the attacker. Radio silence. In response, the protocol introduced a $5 million reward for any information leading to the attacker’s identification and arrest. Simultaneously, an on-chain voting proposal is underway to enable, with community consent, the return of frozen funds to affected users.
Audits, bug bounties, and monitoring: Cetus seeks to reassure
Behind the scenes, Cetus is working to restore trust. Multi-party audits, enhanced real-time monitoring, publication of test coverage rates, and an expanded bug bounty program are all in place to prevent a repeat incident. The redeployment of the CLMM pools will only occur after full validation with security partners.