
DeFi Under Fire: How a Math Error in CETUS Protocol Led to a Massive Exploit.


r1s2g3 · 10.3 K · 10 days ago · 3 min read


It is a no-brainer that where there is money, malicious actors will be there too, eyeing it and looking for every opportunity to deploy their attack vectors and drain the funds. Sometimes phishing is used to lure the user, or, in the latest case, hackers use a zero-value fund transfer scheme to attack users. In these cases, a little caution by the user is enough to safeguard their funds. But what happens if the code guarding the funds is itself flawed? The contracts and code that are now the actual custodians of your funds, or are supposed to safeguard them, become the weakest link in their safety.


What exactly is CETUS protocol?

Cetus Protocol is a decentralized finance platform on the SUI blockchain. On May 22, the platform was hacked for approximately $223 million in funds. The hack drained the platform's liquidity, and a few of the memecoins on the SUI blockchain, like AXOL, lost almost all of their value.

How did the CETUS hack become possible?

Blockchain security firm Dedaub has analyzed the hack to find its root cause. According to their analysis, an "overflow" in a mathematical calculation caused the issue.

The attacker exploited a vulnerability that truncates the most significant bits in a liquidity calculation function of Cetus AMM. This calculation is invoked when a user opens an LP position. When opening such position, a user can open a large or small position by specifying a “liquidity” parameter (what fraction of the pool you would like to get in return), and supplying the corresponding amount of tokens. By manipulating the liquidity parameter to an extremely high value, they caused an overflow in the intermediate calculations that went undetected due to a flawed truncation check. This allowed them to add massive liquidity positions with just 1 unit of token input, subsequently draining pools collectively containing hundreds of millions of dollars worth of token.

They have published a very detailed report explaining the mathematical functions and the exact line of code that caused the issue. If you are interested in the full details, you should read the detailed report here
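The class of bug described in the quoted analysis, as an added example that is not from the original post, Dedaub's report or the Cetus code base: a fixed-width left shift whose overflow guard uses a bound that is too large, beside a corrected guard. The 256-bit width, the 64-bit shift, the guard constant, the deposit formula and all input values are assumptions constructed for illustration.

```python
# Added illustration (not Cetus code): widths, bound, formula and inputs are constructed.
WIDTH, SHIFT = 256, 64          # assumed integer width and fixed-point shift
MASK = (1 << WIDTH) - 1


def shl_wrapping(n: int) -> int:
    """Fixed-width left shift: bits pushed past WIDTH are silently dropped."""
    return (n << SHIFT) & MASK


def checked_shl_flawed(n: int) -> int:
    """Overflow guard whose bound is far too large (constructed constant)."""
    wrong_bound = ((1 << SHIFT) - 1) << (WIDTH - SHIFT)
    if n > wrong_bound:
        raise OverflowError("shift would overflow")
    return shl_wrapping(n)


def checked_shl_fixed(n: int) -> int:
    """Correct guard: reject n if any of its top SHIFT bits are set."""
    if n >> (WIDTH - SHIFT):
        raise OverflowError("shift would overflow")
    return shl_wrapping(n)


def deposit_required(liquidity: int, price_delta: int, denom: int, shl) -> int:
    """Hypothetical formula: ceil(((liquidity * price_delta) << SHIFT) / denom)."""
    numerator = shl(liquidity * price_delta)
    return -(-numerator // denom)  # ceiling division


def deposit_exact(liquidity: int, price_delta: int, denom: int) -> int:
    """Same formula in unbounded integers, for comparison."""
    return -(-((liquidity * price_delta) << SHIFT) // denom)


# Constructed inputs: the product needs 193 bits, so shifting by 64 overflows 256.
LIQ, DELTA, DENOM = 1 << 140, (1 << 52) + 1, 1 << 204

if __name__ == "__main__":
    print("exact  :", deposit_exact(LIQ, DELTA, DENOM))
    print("flawed :", deposit_required(LIQ, DELTA, DENOM, checked_shl_flawed))
    try:
        deposit_required(LIQ, DELTA, DENOM, checked_shl_fixed)
    except OverflowError as exc:
        print("fixed  : rejected,", exc)
```

With the flawed guard the truncated numerator prices the position at a single token unit, while the corrected guard rejects the same input before any shift happens.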

How the crypto community got divided after the hack.

SUI blockchain network validators froze the $160 million in funds held in the attacker's wallets. Since the validators are able to freeze funds, the crypto community is now doubting the decentralization of the SUI platform. If they can freeze funds, the argument goes, then it is a "centralized" network under the disguise of "decentralization".

My 2 cents.

With all the risks and hacks involved in DeFi, I am not a big fan of DeFi currently. I already outlined the risks in DeFi in my earlier posts. With the CETUS hack, my fear also came true. I wish that developers would understand that their code is responsible for safeguarding the funds of millions of users. Due to the narrative on social media that promotes crypto as a 100x or 1000x overnight money-making scheme, many users sometimes put in their substantial savings. I wish this had not happened.

In the end, I will just say: invest in a platform by calculating the risks and rewards, and developers and auditors should perform their job more responsibly.
