Cetus Protocol Exploit: Another Case Study in Crypto’s Security Reckoning
Deja vu hits DeFi as Cetus joins the growing list of protocols learning security lessons the hard way.
Another day, another hack—crypto’s “move fast and break things” mantra keeps breaking wallets instead.
While the blockchain doesn’t forget, some teams clearly do when it comes to basic security hygiene.
Remember folks: in crypto, the only thing more predictable than a bull market is someone cutting corners on smart contract audits.

This incident ranks among the largest decentralized finance (DeFi) exploits to date and is particularly galling because, according to blockchain security firm Dedaub, the vulnerability at fault was highlighted over two years ago in an earlier OtterSec security audit.
Dedaub’s post-mortem analysis found that the attackers exploited a critical overflow flaw in Cetus Protocol’s automated market maker (AMM) logic.
Specifically, the flaw involved an improper handling of large numerical inputs, where a miswritten condition failed to correctly process the most significant bits (MSB) of these inputs. As a result, attackers were able to deposit minimal amounts of tokens while receiving disproportionately large liquidity credits, which they then used to drain substantial assets from the liquidity pools.
This vulnerability was particularly concerning because Dedaub notes that it had previously been identified during an early 2023 audit by another blockchain security firm, Ottersec, when Cetus was operating on the Aptos blockchain. Despite this, the flaw remained unaddressed, highlighting a lapse in the protocol’s security measures.
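To make the bug class concrete, here is an added Python model of a checked 256-bit left shift whose overflow guard tests the wrong threshold, beside a correct guard and a small audit helper that probes boundary values. This is illustrative code written for this article, not Cetus’s code: the function names, the mask and the probe values are constructed assumptions, and Python’s unbounded integers stand in for a u256.

```python
from typing import Callable, List, Tuple

U256_MAX = (1 << 256) - 1
U64_MAX = (1 << 64) - 1


def buggy_checked_shlw(n: int) -> Tuple[int, bool]:
    """Constructed flawed guard (hypothetical, not the audited code).
    The mask has only the top 64 bits set, so `n > mask` is true for almost
    no input: values with bits in the top 64 positions pass the check and the
    shift silently drops them (wraps modulo 2^256), returning a tiny result
    with the overflow flag unset."""
    mask = U64_MAX << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MAX, False


def safe_checked_shlw(n: int) -> Tuple[int, bool]:
    """Correct guard: shifting left by 64 overflows a u256 exactly when any
    bit at position 192 or above is set, i.e. when n >= 2^192."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def unflagged_overflows(shlw: Callable[[int], Tuple[int, bool]],
                        inputs: List[int]) -> List[int]:
    """Audit helper: return every input whose true value n * 2^64 exceeds
    U256_MAX but which `shlw` accepted without raising the overflow flag."""
    missed = []
    for n in inputs:
        _, overflowed = shlw(n)
        if not overflowed and (n << 64) > U256_MAX:
            missed.append(n)
    return missed


# Boundary values an auditor would probe (constructed for this example).
PROBES = [
    0,
    (1 << 192) - 1,   # largest value that shifts without overflow
    1 << 192,         # smallest overflowing value: only bit 192 set
    (1 << 200) + 5,   # overflow with several high bits set
    U64_MAX << 192,   # equal to the flawed mask itself
    U256_MAX,         # the one overflow the flawed guard does catch
]

if __name__ == "__main__":
    print("flawed guard misses:", [hex(n) for n in unflagged_overflows(buggy_checked_shlw, PROBES)])
    print("correct guard misses:", unflagged_overflows(safe_checked_shlw, PROBES))
```

A guard that lets a huge input through as a wrapped, near-zero intermediate is exactly the shape of defect a boundary-value test like `unflagged_overflows` catches before deployment.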
Immediate Response and Fund Recovery Efforts
In the immediate aftermath of the breach, Cetus Protocol, in collaboration with the Sui Foundation and network validators, did what it could to mitigate the damage. Approximately $163 million of the stolen assets were frozen by Sui network validators and ecosystem partners on the same day as the hack.
Many in the community have criticized the decision to allow nodes to step in and centrally block on-chain activity.
“SUI validators are actively censoring transactions across the blockchain. This completely undermines the principles of decentralization and transforms the network into nothing more than a centralized, permissioned database,” wrote X user @ItsDave_ADA. This and many other comments on the post explaining why the freeze was conducted aggressively criticized it.
The incident has sparked a debate within the crypto community regarding the balance between decentralization and security. The decision by Sui network validators to freeze the stolen funds, while effective in mitigating losses, has been criticized by some as undermining the principles of decentralization. To facilitate the recovery of the remaining funds, Cetus proposed an on-chain vote to implement a protocol upgrade aimed at retrieving the frozen assets. Additionally, Cetus has offered a $5 million bounty to the hacker in exchange for the return of the stolen funds.
While the company’s response has been quick and transparent, and their recovery efforts commendable, their post-incident release reads like a case study in the crypto industry’s recurring security challenges.
Cetus proudly states they were “among the DeFi teams on SUI that invested the most in smart contract audits and system safeguards.” This raises an uncomfortable question that has plagued the crypto space for years: if comprehensive auditing was in place, how did this breach occur?
The reality is that multiple audit rounds and widespread use of open-source libraries, while valuable, don’t guarantee security. Cetus admits that these measures gave them “a sense that we had done enough” – a dangerous mindset in cybersecurity where vigilance must be constant. Their acknowledgment that they “allowed ourselves to relax our vigilance” is refreshingly honest, but it highlights a pattern we’ve seen repeatedly across the industry.
The six-point improvement plan Cetus has outlined – real-time monitoring, better risk management, enhanced test coverage, public reporting, regular audits, and expanded bug bounties – consists of solid security practices. However, these aren’t revolutionary concepts. They’re foundational security measures that arguably should have been implemented from day one and turned up to 11. Cetus says “many of these measures are already in place, but we will take them further.” Too little, way too late.
The Cetus hack and the recent Coinbase security breach highlight an important problem with crypto security: far too many projects treat comprehensive security as something to be perfected over time, rather than as a prerequisite for handling hundreds of millions in user funds.
Cetus’s call for ecosystem-wide collaboration on security is both reasonable and concerning. While community involvement in security is valuable, it shouldn’t serve as a substitute for robust internal security practices. The statement that “safeguarding a DeFi protocol cannot rely solely on the efforts of our team and audit partners” could be interpreted as distributing responsibility rather than taking full ownership. That’s never going to happen guys – you’re on your own.
What makes the Cetus incident particularly noteworthy isn’t its uniqueness, but rather how it fits into a broad recurring pattern. The crypto industry has seen numerous high-profile hacks followed by similar promises of improved security measures. From bridge protocols to exchanges to DeFi platforms, the cycle of breach, response, and pledged improvements has become disappointingly routine.
The Cetus incident serves as another reminder that the crypto industry still has significant work to do in establishing robust security standards. While innovation moves quickly in this space, security practices often lag behind, leaving users vulnerable. The question isn’t whether Cetus will implement their promised improvements – it’s whether the industry as a whole will learn from these repeated lessons before the next major breach occurs. I doubt it will.