Blockchain security firm Dedaub released a post-mortem report on the Cetus decentralized exchange hack, identifying the root cause of the attack as an exploit of the liquidity parameters used by the Cetus automated market maker (AMM), which went undetected by a code “overflow” check.
According to the report, the hackers exploited a flaw in the most significant bits (MSB) check, allowing them to manipulate the values for the liquidity parameters by orders of magnitude and establish relatively large positions with a keystroke. The Dedaub security researchers wrote:
“This allowed them to add massive liquidity positions with just one unit of token input, subsequently draining pools collectively containing hundreds of millions of dollars worth of tokens.”
The incident and the post-mortem update reflect the unfortunate trend of cybersecurity exploits and hacks impacting crypto and the Web3 industry.
Executives in the industry have continually warned that industry firms must establish safeguards and protect users before regulators clamp down and impose safeguards on the industry.
Related: Twice lucky? Cetus’ recovery plan on Sui mirrors a Solana blueprint
The Cetus decentralized exchange hacked, triggering $223 million in losses
On May 22, the Cetus exchange was hacked, causing $223 million in user losses within a 24-hour period.
Cetus and the Sui Foundation also announced that Sui network validators froze a majority of the stolen assets.
$163 million of the $223 million was frozen by validators and ecosystem partners on the same day as the hack, according to the Cetus team.
Response draws criticisms and allegations of centralization
The decision to freeze the stolen funds drew mixed reactions from the crypto community, with decentralization advocates criticizing the validators for stepping in and controlling the chain.
“Sui validators are actively censoring transactions across the blockchain,” one user wrote on X, echoing many other posts.
“This completely undermines the principles of decentralization and transforms the network into nothing more than a centralized, permissioned database,” the post continued.
“It’s interesting how many Web3 projects backed by VCs lean heavily on centralization, despite borrowing Bitcoin’s ethos,” Steve Bowyer wrote in a May 23 X post.
Magazine: Fake Rabby Wallet scam linked to Dubai crypto CEO and many more victims
