The decentralized finance ecosystem suffered one of its most technically sophisticated exploits on May 22, 2025, when Cetus Protocol — the largest decentralized exchange and liquidity provider on the Sui blockchain — was drained of approximately $223 million in digital assets. With Bitcoin trading at $109,035 and Ethereum at $2,552 at the time, the attack sent shockwaves through the Sui ecosystem and beyond, wiping out nearly half of the network’s total value locked in a matter of minutes.
The breach was not the result of a compromised private key or a social engineering scheme. It was a white-box exploit rooted in a single flawed function in an open-source mathematical library — a vulnerability that evaded multiple audits and security reviews before being weaponized by a sophisticated attacker.
The Exploit Mechanics
At the heart of the Cetus Protocol lies its Concentrated Liquidity Market Maker, or CLMM, engine. Similar to Uniswap v3’s design on Ethereum, the CLMM allows liquidity providers to allocate capital within specific price tick ranges rather than across the entire price curve. This architecture dramatically improves capital efficiency but introduces complex fixed-point arithmetic operations that must be mathematically precise.
The vulnerability resided in the checked_shlw function within the integer-mate library, an open-source u256 math utility used throughout Cetus’s CLMM calculations. This function was supposed to perform a safe left-shift operation by 64 bits, with overflow detection. However, the overflow boundary condition was incorrect, allowing certain intermediate values to pass through the check and produce truncated, inaccurate results when shifted.
The attacker exploited this flaw through a carefully orchestrated sequence. First, they sourced temporary balances using flash-style liquidity, enabling the entire attack to execute atomically within a single transaction. They then opened a concentrated liquidity position within a very narrow tick range — approximately 200 ticks wide — and called the add_liquidity function. Because of the overflow bypass in checked_shlw, the token-delta calculation dramatically undercharged the required deposit while crediting an astronomical amount of liquidity to the attacker’s position.
The math was devastatingly simple in its effect: the attacker deposited a negligible amount of tokens but received liquidity equivalent to the pool’s entire reserves. They then immediately called remove_liquidity, repaid the flash component, and walked away with the remainder as pure profit.
Affected Systems
The exploit cascaded across Cetus Protocol’s entire liquidity infrastructure. Multiple CLMM pools were drained in rapid succession as the attacker repeated the attack pattern. Approximately $60 million worth of stolen assets were quickly bridged to Ethereum, while roughly $162 million remained on the Sui network and was frozen by validators before it could be moved off-chain.
The impact extended far beyond Cetus itself. As the protocol’s liquidity evaporated, the Sui ecosystem experienced a cascading failure. USDC liquidity practically disappeared, routing across decentralized exchanges degraded severely, and numerous ecosystem tokens experienced extreme drawdowns within minutes. The Sui network’s total value locked dropped from approximately $300 million to a fraction of that figure almost instantly.
Projects building on top of Cetus — including lending protocols, yield aggregators, and cross-chain bridges — found themselves operating in a liquidity vacuum. Automated market maker routers could not find sufficient liquidity to execute trades, causing widespread failures across the decentralized finance stack on Sui.
The Mitigation Strategy
Cetus Protocol responded to the exploit with an emergency shutdown of its router contract and affected liquidity pools within minutes of detecting the abnormal activity. The Sui Foundation coordinated with network validators to freeze the approximately $162 million in stolen funds that remained on-chain, preventing the attacker from bridging them to other networks.
Security firms including Dedaub, PeckShield, and SlowMist conducted rapid analyses of the exploit, confirming the root cause within hours. The integer-mate library’s checked_shlw function was identified as the critical failure point, and patches were developed to correct the overflow boundary condition.
The recovery effort involved on-chain negotiations with the attacker, who was offered a white-hat bounty in exchange for returning the remaining stolen funds. Cetus Protocol ultimately recovered $162 million of the $223 million lost, though $60 million bridged to Ethereum proved more difficult to recover.
Lessons Learned
The Cetus exploit underscores a fundamental truth about decentralized finance: the complexity of concentrated liquidity arithmetic creates attack surfaces that are difficult to audit comprehensively. Fixed-point math operations, particularly those involving 256-bit integers and bitwise shifts, require exhaustive testing with boundary values that push the limits of the data type.
Open-source dependencies, while beneficial for transparency, carry their own risks. The integer-mate library was publicly available and presumably reviewed by multiple parties, yet the flawed overflow check went undetected until it was exploited. This highlights the need for formal verification of critical mathematical functions, particularly those that guard financial calculations in decentralized protocols.
The speed of the attack — executing atomically within a single transaction — also demonstrates the limitations of real-time monitoring. By the time on-chain analytics platforms like Cyvers detected the anomalous transactions, the damage was already done. Preventive measures, not reactive ones, must be the primary defense against these types of exploits.
User Action Required
For users who had funds deposited in Cetus Protocol at the time of the exploit, the immediate priority is to monitor official communications from the Cetus team regarding the recovery process and any compensation plans. The $162 million in frozen funds is being processed for return to affected liquidity providers, though the timeline and mechanics of this distribution remain under development.
More broadly, this incident serves as a reminder to diversify across protocols and chains. No single decentralized exchange, regardless of its audit history or TVL, should be the sole repository for significant crypto holdings. Users should regularly assess the concentration risk in their DeFi positions and consider spreading liquidity across multiple venues.
Finally, users should pay close attention to protocol upgrade notifications and security advisories. When a critical vulnerability is identified and patched, prompt action to review and adjust positions can mean the difference between safety and catastrophic loss.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.
flash loan to drain 223M from a CLMM. sui TVL cut in half in minutes. the attacker literally did math better than the auditors
checked_shlw passing overflow boundary is a textbook off by one. the kind of bug that survives reviews because everyone assumes the obvious check is correct
sui TVL went from $450M to half that in minutes because of a math bug. blockchain security is a hard problem and we keep learning the same lessons
This level of vulnerability is terrifying. If multiple audits missed a u256 overflow, how can we trust any concentrated liquidity protocol?
cant trust concentrated liquidity. the checked_shlw bug was one function in a library used by every pool. its a systemic risk for all CLMM protocols
multiple audits missed a u256 overflow in a math library. this is why open source isnt a security silver bullet. someone still has to actually read the code
open source means anyone CAN read it. doesnt mean anyone DOES. the audit firms charged six figures and still missed a basic integer overflow