The Cetus attacker exploited a simple vulnerability in an overflow check within the project’s liquidity calculation function. The attack began with a flash loan, followed by taking out a position on Cetus with a tick range of [300000, 300200]. This is a tiny range, which is important when the protocol performs calculations to determine the number of tokens that the user needs to deposit to get their liquidity.

The vulnerability was in the protocol’s checked_shlw function, which is used to determine if an overflow would occur if a value is shifted left by one 64-bit word. While the Move programming language protects against overflows by most operations, bit shifts are intentionally permitted to create overflows, making this check necessary.

However, the implementation of checked_shlw was flawed, comparing the provided value to 0xFFFFFFFFFFFFFFFF << 192 rather than 0x1<< 192. The value 0x1<< 192 is the smallest value that cannot be safely shifted left by 64 bits without an overflow, so testing against it makes sense. The value used by Cetus, on the other hand, is well above this threshold, permitting some values that would create an overflow to pass the check.

The attacker exploited this fact by selecting a liquidity value that would pass the overflow check but create an overflow during the liquidity calculations. As a result, the liquidity calculation experienced an overflow, causing the calculation of the number of tokens needed to claim liquidity to come out to one.

When the user deposited their one token, they were assigned the original, large amount of liquidity. By extracting this liquidity across a few transactions, the attacker was able to drain an estimated $223 million from the DEX.

The Cetus hack shows the potentially devastating impacts of mathematical errors and the importance of verifying all test code. In this case, a single incorrect number in the checked_shlw function undermined the overflow protections and permitted an attacker to drain all liquidity from the protocol.

This incident also highlights the importance of security audits with a deep understanding of how smart contract platforms and languages work. While Cetus has undergone multiple audits, this issue was never caught, potentially due to the belief that overflows are never a risk in Move. However, the potential for overflows during bit shifts and an incorrect test case left the protocol vulnerable to attack.

Halborn has deep expertise in numerous blockchain platforms and offers secure design and red teaming services intended to help address these types of vulnerabilities before they can be exploited by an attacker. To learn more about how to protect your protocol with Halborn, get in touch.