The May 2025 Cetus Protocol exploit, which resulted in a $223 million loss, was not caused by a flaw in Cetus’s own contract logic. It was triggered by a bug in a shared third-party math library called integer-mate, used across multiple DeFi protocols on the Sui blockchain. This distinction matters enormously. It means that the security of a DeFi protocol depends not only on its own code but on every external library it imports — and the industry is only beginning to reckon with this reality.
The Threat Landscape
Modern DeFi protocols are not monolithic codebases. They are compositions of multiple libraries, oracles, token standards, and infrastructure components. The Cetus Protocol, a concentrated liquidity DEX on Sui, relied on the integer-mate library for fixed-point math operations — specifically a function called checked_shlw that was supposed to safely handle 256-bit shift-left scaling during liquidity calculations.
The function contained an incorrect overflow condition. When certain large values were passed through it, the check failed to abort the operation, allowing a truncated value to proceed through the calculation pipeline. This corrupted intermediate was then used to compute liquidity token deltas, enabling an attacker to mint massive liquidity positions for negligible deposits and withdraw real reserves at full value.
The attacker executed the entire sequence across multiple pools in under 15 minutes. Approximately $60 million was bridged to Ethereum via Wormhole before the protocol could respond, while roughly $162 million was frozen on Sui through emergency validator coordination.
Core Principles
The Cetus incident reveals a fundamental principle that the DeFi industry has been slow to internalize: your security is only as strong as your weakest dependency. Several core security principles emerge from this analysis.
First, dependency auditing must be as rigorous as primary code auditing. Protocols routinely spend hundreds of thousands of dollars auditing their own contracts while importing libraries that have received minimal scrutiny. The integer-mate library was open-source and publicly available, yet the critical flaw in checked_shlw went undetected despite being used by multiple protocols.
Second, shared libraries create shared vulnerabilities. When the integer-mate bug was discovered, it was not just Cetus that was affected. Protocols including Kriya, Momentum, and Bluefin were identified as having related exposure. A single library bug can cascade across an entire ecosystem simultaneously, creating systemic risk that individual protocol audits cannot address.
Third, the composability that makes DeFi powerful also makes it fragile. Protocols that share dependencies are implicitly correlated in their risk profiles. Two protocols that appear independent from the outside may share identical vulnerabilities through a common library.
Tooling & Setup
Addressing shared library risk requires a multi-layered approach to dependency management. Protocol developers should implement the following tooling and practices.
Static analysis tools can be configured to trace data flow through imported libraries, flagging functions that handle critical financial calculations. Formal verification — mathematically proving that a function behaves correctly for all possible inputs — should be applied to any library function that touches token accounting or price calculations. The Cetus overflow would have been caught by a formal verification pass on checked_shlw.
Dependency pinning and change monitoring ensure that protocols are aware of exactly which version of each library they are using and are notified when updates are available. Fuzz testing library functions with extreme inputs — values near the boundaries of integer representation — can surface overflow and underflow conditions that normal testing misses.
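To show how the boundary fuzzing described here would surface an incorrect overflow condition like the one described in the checked_shlw discussion above, here is an added Python model (not integer-mate's or Cetus's code): the wrong guard in checked_shlw_buggy, the 64-bit shift width and the input corpus are constructed assumptions, and the invariant it checks is the property a formal specification of a checked shift would state.

```python
import random

U256_MAX = (1 << 256) - 1
SHIFT = 64  # assumption: fixed-point scaling by 2^64 ("shlw" read as shift-left-by-word)


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Constructed wrong guard (not integer-mate's actual condition): the bound is the
    top 64-bit word fully set, so inputs with bits 192..255 only partly set pass the
    check and are silently truncated, exactly the failure class the article describes."""
    wrong_bound = 0xFFFFFFFFFFFFFFFF << 192
    if n >= wrong_bound:
        return 0, True
    return (n << SHIFT) & U256_MAX, False  # wraps like a machine u256 would


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct guard: shifting left by k bits loses information iff any of the top k bits is set."""
    if n >> (256 - SHIFT):
        return 0, True
    return n << SHIFT, False


def preserves_value(fn, n: int) -> bool:
    """Invariant a formal spec would state: either overflow is reported, or shifting back recovers n."""
    out, overflow = fn(n)
    return overflow or (out >> SHIFT) == n


def boundary_inputs(seed: int = 0, random_count: int = 1000) -> list[int]:
    """Boundary-focused corpus: neighbours of 2^192 (the true overflow edge), neighbours of
    the wrong bound, the top of the u256 range, plus seeded random 256-bit values."""
    edges = [0, 1, (1 << 192) - 1, 1 << 192, (1 << 192) + 1,
             (0xFFFFFFFFFFFFFFFF << 192) - 1, 0xFFFFFFFFFFFFFFFF << 192, U256_MAX]
    rng = random.Random(seed)
    return edges + [rng.getrandbits(256) for _ in range(random_count)]


def fuzz(fn) -> list[int]:
    """Returns every input on which fn violates the invariant (empty list means no bug found)."""
    return [n for n in boundary_inputs() if not preserves_value(fn, n)]


if __name__ == "__main__":
    print("fixed version failing inputs:", len(fuzz(checked_shlw_fixed)))
    print("buggy version failing inputs:", len(fuzz(checked_shlw_buggy)))
```

The random inputs alone would eventually hit the truncation, but the explicit edge values make the failure deterministic and show exactly which boundary the wrong guard misses.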
Cross-protocol security coordination is also essential. Bug bounty programs should explicitly include imported libraries in their scope. Security researchers should be incentivized to audit shared infrastructure, not just individual protocol contracts.
Ongoing Vigilance
The DeFi security landscape is evolving rapidly, but the shared library problem is structural. As long as protocols compose their systems from reusable components — which is a software engineering best practice — the risk of shared vulnerabilities will persist.
The Cetus incident prompted Sui validators to coordinate an emergency response, voting with 90.9% of stake to reclaim frozen funds through an on-chain governance mechanism. While this response was successful, it relied on centralized coordination among validators — a dynamic that conflicts with the decentralized ethos of the ecosystem.
Going forward, the industry needs shared security infrastructure: communal audit repositories for commonly-used libraries, automated alert systems that notify all dependent protocols when a vulnerability is discovered, and standardized testing frameworks that make it easy to verify library behavior at the integration layer.
Final Takeaway
The $223 million lost to the Cetus exploit was not a failure of individual protocol security. It was a failure of ecosystem security. The bug was in a shared library, and the impact cascaded across multiple protocols simultaneously. As DeFi continues to mature, the industry must invest in shared security infrastructure that protects not just individual protocols but the dependencies they all rely on. The next major exploit will likely come from a library, not a contract — and the question is whether we will be ready for it.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals.
$60M bridged to ETH in 15 minutes and nobody could stop it. The speed of these exploits is what makes shared library bugs so devastating.
trashpanda42 15 minutes and 60M gone through a shared lib nobody audited. The speed plus the dependency blind spot makes this the most dangerous exploit class in DeFi right now.
60M in 15 minutes because the bug was in a shared lib. Cetus could not have caught it in their own audit even if they tried. The threat model is fundamentally broken.
The dependency auditing point cannot be overstated. Protocols spend hundreds of thousands on their own audits, then import a math library nobody has reviewed. That's like fortifying your front door while leaving the back window open.
^ Perfect analogy. And the Sui ecosystem specifically has a small pool of shared libs, so one bug hits multiple protocols simultaneously.
laserbeam and it's not just Sui. Every ecosystem has shared math libs, token standards, and oracle integrations that get imported without review. The attack surface is massive.
Exactly. The npm ecosystem had the same problem for years: the left-pad incident, but with real money on the line.