Cetus: The $223M Concentrated Liquidity Overflow Bypass (May 2025)

On May 22, 2025, Cetus Protocol—the leading concentrated liquidity market maker (CLMM) on the Sui blockchain—suffered one of the largest DeFi exploits in history, losing approximately $223 million. This incident serves as a critical case study in the dangers of custom arithmetic libraries and overflow check bypasses in high-precision financial math.

Technical Overview

CLMMs like Cetus rely on complex high-precision mathematics to manage liquidity across narrow price ranges (ticks). To handle the huge numbers involved without losing precision, Cetus implemented its own mathematical library in Move (clmm_math.move).

A core requirement of these protocols is to calculate "delta" values—how much of Token A or B is required to mint a certain amount of liquidity. The vulnerability resided in the get_delta_a function, which utilized a custom overflow-checking bit-shift function called checked_shlw.

Exploit Mechanism: The Flawed Shifter

The attacker identified a logical flaw in the implementation of the checked_shlw function, which was designed to determine if a value would overflow when shifted left by 64 bits.

1. The Bypass: The checked_shlw function was intended to prevent values from exceeding a 192-bit internal limit. However, the logic contained an edge case where it failed to reject specific large input values.
2. The Silent Overflow: Because the check bypassed the security revert, the subsequent bit-shift operation overflowed silently at the runtime level.
3. The "1-Token" Price: This overflow caused the result of the numerator calculation in get_delta_a to wrap around to a very small number. When divided by the denominator (based on price ticks), the function returned 1, indicating that only 1 unit of Token A was required to provide a massive, near-infinite amount of liquidity.
4. The Mint & Drain:
   • The attacker called the liquidity provision function with the crafted parameters.
   • The protocol accepted 1 token and minted the attacker a massive amount of liquidity shares.
   • The attacker then immediately exited the position, swapping the "fake" liquidity shares for the protocol’s actual reserve assets (SUI, USDC, etc.).
5. Exfiltration: Approximately $60 million was bridged out of the Sui network immediately, while the remaining $160+ million was frozen following emergency intervention by the Sui Foundation and exchange partners.

Why This Matters (The "High-Precision" Trap)

The Cetus exploit demonstrates that Language Safety is not Logic Safety. Move is praised for its resource-oriented security and "Resource-Safe" model, which prevents reentrancy and unauthorized minting at a structural level. However, a protocol-level logic error in an arithmetic library can still invalidate the entire economic model.

Mitigation Strategies

• Favor Battle-Tested Libraries: Protocols should utilize standard, multi-audited math libraries (like fixed-point math provided by the core language team) rather than implementing custom bit-shifting or overflow logic.
• Formal Verification of Math Invariants: Critical functions like get_delta_a should be subject to formal verification (using the Move Prover) to prove that the result of the calculation can never decrease when the input liquidity increases.
• Quantization Fuzzing: Automated tests should specifically target the upper bounds of all numerical types, looking for "wraparound" states where massive inputs result in minimal capital requirements.
• Circuit Breaker for Relative Value: Implement block-level monitoring that compares total pool value before and after a significant liquidity event. A 99% shift in pool solvency in a single transaction should trigger an automatic emergency halt.

Conclusion

The $223M Cetus hike is a sobering reminder that the "Gold Standard" of smart contract security is only as good as the underlying math. For researchers and threat hunters, arithmetic edge cases in non-EVM chains like Sui and Aptos represent one of the most fruitful frontiers for discovering critical protocol vulnerabilities.