
The $223 Million Cetus Protocol Hack: How A Simple Bug Cost Everything
On May 22, 2025, Cetus Protocol — the largest liquidity provider on the Sui blockchain — was drained of approximately $223 million through an exploit targeting a single flawed function in a shared math library. Around $60 million was bridged out to Ethereum within minutes of the attack. The remaining $162 million was frozen on Sui through emergency validator coordination before it could exit. The immediate consequence was a liquidity vacuum across the entire Sui ecosystem: pools were emptied, routing degraded, and prices on Sui-native assets broke violently. USDC liquidity on Sui had effectively disappeared within the first minutes of the attack.
What Cetus Is and Why the Math Matters
Cetus operates as a Concentrated Liquidity Market Maker — a CLMM design modeled closely on Uniswap v3, where liquidity providers deposit assets within specific price tick ranges rather than across the full curve. This design improves capital efficiency but makes correctness fragile. Adding and removing liquidity requires fixed-point arithmetic that converts between tick-bounded positions, current price, and token deltas. That arithmetic depends on a shared utility library called integer-mate, which provides the scaling helpers and checked operations used throughout Cetus's math paths.
The vulnerability lived in one function inside that library.
The Flaw in checked_shlw
The function checked_shlw was designed to make a specific operation safe: shifting a 256-bit integer left by 64 bits during fixed-point scaling calculations for liquidity and token-delta math. In Move, the VM aborts on arithmetic overflow for addition, subtraction and multiplication, but a left shift aborts only when the shift amount itself is too large for the type; bits pushed past the top of the integer are silently discarded rather than trapped. Developers commonly assume the overflow protection covers shifts as well, and that gap is precisely why explicit checked shift helpers are implemented in the first place.
The overflow condition inside checked_shlw was wrong. It used an incorrect threshold value, which meant some inputs that should have caused the function to abort were instead treated as safe. Those inputs proceeded to the left shift, where they overflowed and produced a corrupted, truncated intermediate value. That corrupted value was then used inside the add-liquidity calculation to determine how many tokens a user was required to deposit.
The result was that the required deposit was computed as an artificially small number while the liquidity credit recorded by the pool remained large. Once the protocol accepted a position minted under that discounted calculation, withdrawing the position paid out real reserves against inflated accounting.
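The flawed-versus-corrected check described above, and the discounted deposit it produces, as an added example in Python rather than Move; this is not Cetus or integer-mate code. It assumes the flawed threshold was (2^64 - 1) << 192 where 1 << 192 was intended, a Uniswap v3-style delta-A formula for the token a position must deposit, and constructed liquidity and sqrt-price inputs; all of those are assumptions for illustration, not values taken from the page. Python's unbounded integers stand in for u256, with an explicit mask to reproduce the VM's bit-discarding shift.

```python
# Added example, not code from Cetus or the integer-mate library.
# Models a u256 "checked shift left by 64" with a flawed threshold and a
# corrected one, then shows how a silently truncated intermediate shrinks a
# Uniswap-v3-style token-A deposit while the liquidity credit stays unchanged.
# The flawed threshold and the delta-A formula are assumptions for illustration.

U256_MAX = (1 << 256) - 1
U128_MAX = (1 << 128) - 1


def flawed_checked_shlw(n: int) -> tuple[int, bool]:
    """Flawed check (assumed shape): threshold is (2^64 - 1) << 192, so any
    input with 2^192 <= n <= threshold passes and then loses its top bits."""
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    # Model Move semantics: bits shifted beyond position 255 are discarded.
    return (n << 64) & U256_MAX, False


def fixed_checked_shlw(n: int) -> tuple[int, bool]:
    """Correct check: a bit at position 192 or above would be shifted out,
    so the threshold must be 1 << 192 and the comparison must be >=."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False  # cannot exceed U256_MAX here


def delta_a(liquidity: int, sqrt_lo: int, sqrt_hi: int, shlw) -> int:
    """Assumed Q64.64 token-A amount for a position:
    ceil(L * (sqrt_hi - sqrt_lo) * 2^64 / (sqrt_hi * sqrt_lo)).
    The multiplication by 2^64 goes through the supplied checked shift."""
    assert 0 < liquidity <= U128_MAX and 0 < sqrt_lo < sqrt_hi <= U128_MAX
    numerator = liquidity * (sqrt_hi - sqrt_lo)  # u128 * u128 fits in u256
    shifted, overflow = shlw(numerator)
    if overflow:
        raise OverflowError("checked_shlw: abort, value would overflow u256")
    denominator = sqrt_hi * sqrt_lo
    return (shifted + denominator - 1) // denominator  # round up, in the pool's favour


def reference_delta_a(liquidity: int, sqrt_lo: int, sqrt_hi: int) -> int:
    """Same formula with unbounded integers: what the pool should charge.
    An off-chain audit oracle, not something the contract itself runs."""
    numerator = liquidity * (sqrt_hi - sqrt_lo) << 64
    denominator = sqrt_hi * sqrt_lo
    return (numerator + denominator - 1) // denominator


def mint_position(liquidity: int, sqrt_lo: int, sqrt_hi: int, shlw):
    """Returns (liquidity_credited, deposit_required, underpriced): the credit
    is recorded as given, and underpriced flags a charge below full precision."""
    charged = delta_a(liquidity, sqrt_lo, sqrt_hi, shlw)
    expected = reference_delta_a(liquidity, sqrt_lo, sqrt_hi)
    return liquidity, charged, charged < expected


def aborts(liquidity: int, sqrt_lo: int, sqrt_hi: int, shlw) -> bool:
    """True if minting with this checked shift aborts instead of mispricing."""
    try:
        delta_a(liquidity, sqrt_lo, sqrt_hi, shlw)
    except OverflowError:
        return True
    return False


def boundary_cases() -> dict:
    """Boundary inputs a unit test of a checked shift should cover; the
    flawed version is wrong exactly at and above the 2^192 limit."""
    limit = 1 << 192
    flawed_mask = 0xFFFFFFFFFFFFFFFF << 192
    return {
        "below_limit_agree": flawed_checked_shlw(limit - 1) == fixed_checked_shlw(limit - 1),
        "at_limit_flawed_passes": flawed_checked_shlw(limit) == (0, False),
        "at_limit_fixed_aborts": fixed_checked_shlw(limit) == (0, True),
        "above_mask_both_abort": flawed_checked_shlw(flawed_mask + 1)[1]
        and fixed_checked_shlw(flawed_mask + 1)[1],
    }


# Constructed inputs: a narrow range at a high tick (sqrt prices near 2^86) and a
# liquidity figure below the u128 ceiling, chosen so that L * diff lands between
# 2^192 and the flawed threshold.
SQRT_LO = 1 << 86
SQRT_HI = (1 << 86) + (1 << 79)
LIQUIDITY = (1 << 123) + 12345

if __name__ == "__main__":
    credited, charged, flagged = mint_position(LIQUIDITY, SQRT_LO, SQRT_HI, flawed_checked_shlw)
    print("liquidity credited:", credited)
    print("deposit charged with flawed shift:", charged)
    print("deposit per full-precision formula:", reference_delta_a(LIQUIDITY, SQRT_LO, SQRT_HI))
    print("underpriced:", flagged)
    print("fixed shift aborts:", aborts(LIQUIDITY, SQRT_LO, SQRT_HI, fixed_checked_shlw))
    print(boundary_cases())
```

With the constructed inputs the flawed path charges a deposit of 1 base unit against a liquidity credit of roughly 2^123, while the full-precision formula puts the deposit near 2^94; the corrected shift aborts the same mint. The mint_position comparison against an unbounded-precision oracle is the kind of invariant a review of a shared math primitive would add around add-liquidity, and boundary_cases lists the inputs a unit test of any checked shift should exercise, since the flawed version passes every value below 2^192 and fails only at the boundary.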
How the Attack Unfolded
The attacker executed the same sequence repeatedly across multiple pools. Each iteration opened a concentrated liquidity position in a very narrow tick range, called add_liquidity in a way that triggered the corrupted scaling path, deposited a negligible amount of tokens while receiving a large liquidity credit, then called remove_liquidity and kept the difference as profit. Flash-style liquidity was used to source temporary balances atomically, ensuring each sequence completed within a single transaction.
The attack was effective because the divergence between the deposit charged and the liquidity credited was not a marginal rounding error — it was large enough that each iteration extracted meaningful value from pool reserves. The process was repeated until the pools were drained.
Recovery and Ecosystem Response
Containment began with Cetus pausing the affected contracts. In parallel, Sui validators coordinated an emergency on-chain action to block attacker-controlled addresses, which is what preserved the majority of the stolen value on Sui rather than allowing a full bridge-out. Cetus then initiated a community governance vote to reclaim the frozen funds — a process in which validators representing 90.9% of stake voted in favor, enabling the frozen assets to be moved into a multisig trust account. Full recovery was backed by Cetus treasury resources and a loan from the Sui Foundation to cover the portion already off-chain.
The vulnerability was not isolated to Cetus. Because the flawed math primitive came from a shared library, other Sui-native protocols — including Kriya, Momentum, and Bluefin — were identified as having related exposure and addressed in the aftermath.
What This Case Demonstrates
Move is frequently described as safe by default because its VM aborts on arithmetic overflows and removes categories of bugs common in other environments. The Cetus exploit demonstrates the limit of that framing. A language's safety properties cover what the language checks. They do not cover the correctness of application-layer math implemented on top of it. A shift-left overflow check that uses the wrong threshold value is a logic error, not an overflow — and no runtime safety guarantee catches a function that executes successfully but computes the wrong answer.
The incident reduced a $223 million loss to a partial recovery precisely because of what happened after the contracts paused: validator coordination, governance mobilization, and an ecosystem-wide audit of shared library exposure. The engineering discipline that matters in a serious incident is not only what was written before the exploit — it is how quickly and coherently the response can be organized after one.