After the attack on Cetus on SUI, let's build a comprehensive understanding of SUI. This article is jointly published by Aquarius Capital and Klein Labs, with special thanks to NAVI Protocol, Bucket Protocol and other ecosystem projects, and to Comma3 Ventures, for their technical guidance and support during the research.

TL;DR

1. The Cetus vulnerability originates in the contract implementation, not in SUI or the Move language itself: the root cause of this attack is a missing boundary check in an arithmetic function of the Cetus protocol, a logic vulnerability caused by an overly wide mask and a shift overflow. It has nothing to do with the SUI chain or with the resource security model of the Move language. The vulnerability can be fixed with a one-line boundary check without affecting the core security of the ecosystem as a whole.

2. "Rational centralization" in the SUI mechanism shows its value in a crisis: although SUI has a slight centralizing tendency in features such as DPoS validator rotation and blacklist freezes, this came in handy in the Cetus incident response: validators quickly synchronized the malicious addresses to the Deny List, refused to package related transactions, and froze more than $160 million in funds almost instantly. This is essentially a positive form of "on-chain Keynesianism": effective macro-control played a positive role in the economic system.

3. Reflections and suggestions on technical security. Mathematics and boundary verification: introduce upper- and lower-limit assertions for all key arithmetic operations (such as shifts, multiplication and division), and perform extreme-value fuzzing and formal verification. In addition, auditing and monitoring need to be strengthened: beyond general code auditing, add a dedicated mathematical audit team and real-time on-chain transaction behavior detection to catch abnormal position splits or large flash loans as early as possible.

4. Summary and suggestions on the fund protection mechanism: in the Cetus incident, SUI and the project team collaborated efficiently to freeze more than US$160 million in funds and to promote a 100% compensation plan, reflecting strong on-chain resilience and ecosystem responsibility. The SUI Foundation also provided an additional $10 million in audit funding to strengthen the security line. In the future, mechanisms such as on-chain tracking systems, community-built security tools and decentralized insurance can be further promoted to improve the fund protection system.

5. Diversified expansion of the SUI ecosystem: SUI has completed the transition from "new chain" to "strong ecosystem" in less than two years, building a diversified landscape covering stablecoins, DEXs, infrastructure, DePIN, games and other tracks. The total stablecoin supply exceeds $1 billion, providing a solid liquidity foundation for DeFi modules; TVL ranks 8th globally, 5th in trading activity and 3rd among non-EVM networks (behind Bitcoin and Solana), demonstrating strong user engagement and asset retention.

1. The ripple effect of an attack

On May 22, 2025, Cetus, the leading AMM protocol deployed on the SUI network, was hacked. The attacker exploited a logic vulnerability related to an integer overflow to carry out precise manipulation, resulting in the loss of more than $200 million in assets. This incident is not only one of the largest security incidents in the DeFi space so far this year, but also the most destructive hack since the launch of the SUI mainnet.

According to DefiLlama data, SUI's chain-wide TVL fell by more than $330 million on the day of the attack, and the Cetus protocol's own TVL instantly dropped by 84% to $38 million. In the cascade that followed, several popular tokens on SUI (including Lofi, Sudeng and Squirtle) fell by 76% to 97% within an hour, triggering widespread concern about the security and ecological stability of SUI.

But after this shockwave, the SUI ecosystem has shown strong resilience. Although the Cetus incident shook confidence in the short term, on-chain funds and user activity did not suffer a sustained decline; instead the incident pushed the whole ecosystem to pay more attention to security, infrastructure construction and project quality. Klein Labs will focus on the cause of this attack, the node consensus mechanism of SUI, the security of the Move language and the development of the SUI ecosystem, sort out the current landscape of this public chain that is still at an early stage of development, and explore its future potential.

2. Analysis of the causes of the Cetus incident

2.1 Attack implementation process

According to the SlowMist team's technical analysis of the Cetus attack, the hacker exploited a key arithmetic overflow vulnerability in the protocol and, with the help of flash loans, precise price manipulation and the contract defect, stole more than $200 million in digital assets in a short period of time. The attack path can be roughly divided into the following three stages:

(1) Take flash loans and manipulate the price

The hacker first borrowed 10 billion haSUI through a maximum-slippage flash swap (a flash loan) and used the funds to manipulate the price. Flash loans allow users to borrow and return funds within the same transaction for only a fee, offering high leverage, low risk and low cost. The hacker used this mechanism to push the market price down in a short time and pin it precisely within an extremely narrow range. The attacker then created an extremely narrow liquidity position, setting the price range precisely between the lowest price of 300,000 and the highest price of 300,200, a price width of only 1.00496621%. Through the above method, using a large enough number of tokens and huge liquidity, the hacker successfully manipulated the haSUI price, and subsequently manipulated several tokens with no real value.

(2) Add liquidity

The attacker created a narrow liquidity position and declared the addition of liquidity, but due to the vulnerability in the checked_shlw function only 1 token was actually charged. This comes down to two causes:

The mask is set too wide: it amounts to an enormous upper limit on liquidity, making the contract's verification of user input useless. The hacker bypassed overflow detection by choosing abnormal parameters so that the input always stayed below that upper limit.

Data overflow truncation: when the shift n << 64 was performed, data truncation occurred because the shifted value exceeded the effective bit width (256 bits) of the uint256 data type. The overflowing high bits were silently discarded, giving a result far lower than expected, so the system underestimated the amount of haSUI required for the conversion. The final calculation result was less than 1, but because it was rounded up, the final result equaled 1; that is, the hacker only needed to add 1 token to obtain huge liquidity.

(3) Withdraw liquidity

Repay the flash loan and keep the huge profit. In the end, hundreds of millions of dollars' worth of token assets were drained from multiple liquidity pools.
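To make the two causes described under stage (2) concrete, and to show the boundary assertion and extreme-value fuzzing recommended in TL;DR point 3, the following is an added Python model; it is not code from the original article, from Cetus or from SlowMist. Python's arbitrary-precision integers are used to model a 256-bit "checked shift left by 64": checked_shlw_too_wide reproduces the pattern of an overflow threshold that is too wide followed by silent truncation, checked_shlw_correct asserts on the exact bound (a shift by 64 overflows 256 bits exactly when n >= 2**192), and fuzz_checked_shlw compares either implementation against an exact oracle. The threshold constants, the liquidity and denominator inputs and the rounding-up division are constructed for illustration and are not the protocol's actual values.

```python
"""Model of a 256-bit checked left shift, contrasting a bound check that is
too wide with a correct one. Constructed illustration: the constants and
inputs here are NOT the Cetus protocol's actual values."""
import random
from typing import Callable, Tuple

U256_MAX = (1 << 256) - 1


def shl64_truncating(n: int) -> int:
    """Raw 256-bit shift: bits pushed above position 255 are discarded,
    exactly what an unchecked `n << 64` does on a uint256."""
    return (n << 64) & U256_MAX


def checked_shlw_too_wide(n: int) -> Tuple[int, bool]:
    """Defective variant. The overflow threshold is too wide: it compares n
    against U256_MAX, which no valid 256-bit input can exceed, so the check
    never fires and the shift silently truncates. (Constructed threshold,
    not the real contract's mask.)"""
    if n > U256_MAX:
        return 0, True
    return shl64_truncating(n), False


def checked_shlw_correct(n: int) -> Tuple[int, bool]:
    """Correct variant. n << 64 fits in 256 bits exactly when n < 2**192,
    so that is the boundary to assert on."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up, as a protocol does to favour itself."""
    return -(-a // b)


def amount_for_liquidity_defective(liquidity: int, denominator: int) -> int:
    """Amount charged for a position: the truncated (liquidity << 64) is
    divided and rounded up, so a huge position can cost just 1 token."""
    shifted, overflow = checked_shlw_too_wide(liquidity)
    if overflow:
        raise OverflowError("liquidity too large")
    return ceil_div(shifted, denominator)


def amount_for_liquidity_hardened(liquidity: int, denominator: int) -> int:
    """Same calculation with the correct boundary assertion: an input that
    would overflow aborts instead of being truncated."""
    shifted, overflow = checked_shlw_correct(liquidity)
    if overflow:
        raise OverflowError("liquidity too large")
    return ceil_div(shifted, denominator)


def fuzz_checked_shlw(impl: Callable[[int], Tuple[int, bool]],
                      trials: int = 10_000, seed: int = 1) -> int:
    """Extreme-value fuzzing: feed boundary values and random 256-bit values
    to `impl` and compare against an exact oracle. Returns the number of
    inputs on which `impl` disagrees with the oracle."""
    rng = random.Random(seed)
    boundary = [0, 1, (1 << 192) - 1, 1 << 192, (1 << 192) + 1, U256_MAX]
    mismatches = 0
    for i in range(trials):
        n = boundary[i] if i < len(boundary) else rng.getrandbits(256)
        exact = n << 64
        expect_overflow = exact > U256_MAX
        value, overflow = impl(n)
        if overflow != expect_overflow or (not overflow and value != exact):
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    # Constructed inputs: a liquidity value with a bit above 2**192 plus a
    # small low part (so the truncated numerator is non-zero), and a
    # denominator of 2**100.
    liquidity = (1 << 200) + 1
    denominator = 1 << 100
    print("defective charge:", amount_for_liquidity_defective(liquidity, denominator))
    try:
        amount_for_liquidity_hardened(liquidity, denominator)
    except OverflowError as e:
        print("hardened path aborts:", e)
    print("fuzz mismatches (defective):", fuzz_checked_shlw(checked_shlw_too_wide))
    print("fuzz mismatches (correct):", fuzz_checked_shlw(checked_shlw_correct))
```

With the constructed inputs the defective path truncates the shifted liquidity to 2**64, divides by 2**100 and rounds the fraction up to a charge of exactly 1, while the hardened path aborts on the same input. The fuzzer seeds the boundary values around 2**192 before drawing random inputs, so the defective implementation is caught within its first few trials; the same boundary values are what a formal specification of the function would state as its precondition.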
The loss of funds was severe; the attack resulted in the theft of the following assets:

12.9 million SUI (approximately $54 million)
$60 million USDC
$4.9 million Haedal Staked SUI
$19.5 million TOILET
Other tokens...
The content is for reference only, not a solicitation or offer. No investment, tax, or legal advice provided. See Disclaimer for more risks disclosure.
Source of faith after the hack: Why does SUI still have long-term rise potential?