On May 22, according to community news, Cetus, a liquidity provider in the SUI ecosystem, was suspected of being attacked, the depth of the liquidity pool dropped significantly, and multiple token trading pairs on Cetus fell, with an estimated loss of more than 230 million US dollars. Subsequently, Cetus issued an announcement saying: "An incident was detected in our protocol. For safety reasons, the smart contract has been temporarily suspended. At present, the team is investigating the incident. We will issue a further investigation statement soon."
After the incident, the SlowMist security team intervened in the analysis and issued a security reminder. The following is a detailed analysis of the attack method and fund transfer.
(https://x.com/CetusProtocol/status/1925515662346404024)
One of the attack transactions:
https://suiscan.xyz/mainnet/tx/DVMG3B2kocLEnVMDuQzTYRgjwuuFSfciawPvXXheB3x
Attacker address:
0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06
(Attack sequence diagram)
Tick Lower limit: 300000 (price: 60,257,519,765,924,248,467,716,150)
Tick upper limit: 300200 (price: 60,863,087,478,126,617,965,993,239)
Price range width: only 1.00496621%
Let's analyze why the attacker was able to exchange huge liquidity with 1 Token. The core reason is that there is an overflow detection bypass vulnerability in the checked_shlw in the get_delta_a function. The attacker took advantage of this and caused a serious deviation in the system's calculation of how much haSUI actually needed to be added. Because the overflow was not detected, the system misjudged the amount of haSUI required, resulting in the attacker only needing a few tokens to exchange for a large amount of liquid assets, thus achieving the attack.
When the system calculates how much haSUI is needed to add such a huge amount of liquidity:
The key here is that the implementation of the checked_shlw function is seriously flawed. In fact, any input value less than 0xffffffffffffffff << 192 will bypass the overflow detection. However, when these values are shifted left by 64 bits, the result exceeds the representation range of u256, and the high-order data is truncated, resulting in a result much smaller than the theoretical value. As a result, the system underestimates the number of haSUI required in subsequent calculations.
Error mask: 0xffffffffffffffff << 192 = a very large value (about 2^256-2^192)
Almost all inputs are smaller than this mask, bypassing overflow detection
The real problem: when n >= 2^192 , n << 64 will exceed the u256 range and be truncated
The attacker constructed an intermediate value liquidity * sqrt_price_diff = 6277101735386680763835789423207666908085499738337898853712:
is smaller than the error mask, bypassing the overflow detection
but after being left shifted 64 bits, it will exceed the u256 maximum value, resulting in the excess part being truncated
left;">The final calculation result is approximately less than 1, but because it is rounded up, the quotation is equal to 1
4. Finally, the attacker removed the liquidity and obtained huge token income:
First removal: 10,024,321.28 haSUI
Second removal: Obtained 1 haSUI
Third removal: Obtained 10,024,321.28 haSUI
5. The attacker returned the flash loan, with a net profit of approximately 10,024,321.28 haSUI and 5,765,124.79 SUI, and the attack was completed.
After the attack, Cetus released a repair patch. For specific repair code, please refer to: https://github.com/CetusProtocol/integer-mate/pull/7/files#diff-c04eb6ebebbabb80342cd953bc63925e1c1cdc7ae1fb572f4aad240288a69409.
The repaired checked_shlw function is as follows:
Repair instructions:
Correct the incorrect mask 0xffffffffffffffff << 192 to the correct threshold 1 << 192
Correct the judgment condition from n > mask to n >= mask
Ensure that when the left shift of 64 bits may cause overflow, the overflow flag can be correctly detected and returned
According to analysis, the attacker 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06 made a profit of approximately US$230 million, including SUI, vSUI, USDC and other assets.
We found that the attacker prepared the Gas Fee two days ago, and then made an attempt before the attack, but failed:
We found that the attacker prepared the Gas Fee two days ago, and then made an attempt before the attack, but failed:
We found that the attacker prepared the Gas Fee two days ago, and then made an attempt before the attack, but failed:
We found that the attacker prepared the Gas Fee two days ago, and then made an attempt before the attack, but failed:
style="text-align:center">
Among them, 5.2341 WBNB cross-chain to BSC address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b:
The attacker will also 24,022,896 SUI Transfer to new address 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562, not transferred out yet:
Fortunately, according to Cetus, with the cooperation of the SUI Foundation and other ecosystem members, the stolen funds of US$162 million on SUI have been successfully frozen.
(https://x.com/CetusProtocol/status/1925567348586815622)
Next, we use the on-chain anti-money laundering and tracking tool MistTrack to analyze the address 0x89012a55cd6b88e407c9d4ae9b3425f55924919b on the EVM that receives cross-chain funds.
This address received 5.2319 BNB on BSC and has not yet transferred it out:
This address received 3,000 on Ethereum USDT, 40.88 million USDC, 1,771 SOL and 8,130.4 ETH.
Among them, USDT, USDC and SOL are exchanged for ETH through coW Swap, ParaSwap, etc.:
Next, the address will transfer 20,000 ETH to the address 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16, not transferred out yet:
The current balance of this address on Ethereum is 3,244 ETH:
MistTrack has added the above related addresses to the malicious address library. At the same time, we will continue to monitor the address balance.
This attack demonstrates the power of math overflow vulnerabilities. The attacker selected specific parameters through precise calculations and exploited the defects of the checked_shlw function to obtain billions of liquidity at the cost of 1 token. This is an extremely sophisticated math attack. The SlowMist Security Team recommends that developers strictly verify the boundary conditions of all math functions in smart contract development.
Israeli authorities have taken strong measures to shut down cryptocurrency accounts and seize substantial digital assets to cut off financial ties between the crypto markets and Hamas, as a response to the group's attacks on Israel
JixuThe Shanghai Municipal Government has unveiled a comprehensive plan, titled the "Shanghai City Action Plan for Advancing New Infrastructure Construction (2023-2026)". This initiative seeks to revolutionise the city's infrastructure and services by harnessing the potential of emerging technologies such as artificial intelligence, blockchain, 5G, and digital twins.
JoyIn March, the investment company, which operates as an affiliate of Digital Wave Finance (DWF), entered the Orbs ecosystem through a token purchase of up to $10 million.
DavinAptos, a blockchain network, encountered a significant outage lasting over five hours on October 18, 2023, as it celebrated its one-year anniversary.
JasperA survey found that 41% of respondents would prefer not to hold virtual assets, and only 20% want to hold virtual assets in the future
ClementRipple executives have been absolved of the charges previously levied against them but the journey continues as Ripple and the SEC must settle on remedies for institutional XRP sale violations.
CatherineBinance has formalised agreements with new fiat partners for EUR payments, deposits, and withdrawals but the new service providers involved in this collaboration were not disclosed.
KikyoThis funding will be split between the University at Albany (UAlbany) and the State University of New York (SUNY), signifying a pivotal move towards establishing New York as a leading force in AI innovation and education.
JasperAfter the recent withdrawal of Paysafe, leading cryptocurrency exchange Binance has announced a strategic collaboration with new fiat partners to cater to its Euro services.
Hui XinThe exploiter behind the exploit of BH token on 11 October, continued to evade scrutiny by discreetly depositing a total of 1,500 BNB into Tornado Cash on 19 October.
Catherine