A post-mortem report by security firm Dedaub said the Cetus protocol breach stemmed from a mathematical overflow flaw.
Author: Sahil Thakur
Written On: Mon, 26 May 2025 09:52:08 GMT
On May 22, attackers exploited a critical vulnerability in Cetus Protocol’s automated market maker (AMM) logic, resulting in over $223 million in losses.
Overflow Bug at the Core
According to a post-mortem report by blockchain security firm Dedaub, the breach stemmed from a mathematical overflow flaw. The issue allowed attackers to manipulate liquidity pools by taking advantage of how the protocol processed large numbers.
Instead of properly rejecting oversized inputs, the system truncated them. This led to a serious miscalculation in liquidity values. In practice, the flaw let the attacker deposit a single token but receive a massive credit in return. They then used this inflated position to drain real assets from the pools.
“This incident represents one of the most significant DeFi exploits in recent history,” said Dedaub. The firm emphasized that overflow handling, often an afterthought in smart contract math, needs rigorous testing — especially when dealing with large inputs or complex logic.
A Known Risk That Slipped Through
The flaw had previously been flagged. Ottersec, another blockchain security firm, identified a similar vulnerability during an early 2023 audit of Cetus’s codebase when it was still operating on the Aptos blockchain.
Despite an attempted fix during the migration to Sui, Dedaub noted that the overflow protection was misapplied. The safeguard failed to prevent the exact same kind of exploit. This oversight, compounded by the protocol’s move to a new chain, left the door wide open for attackers.
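As an added illustration (not Cetus's code or Dedaub's analysis), the following Rust model shows the failure pattern the report describes: a wide product narrowed to 64 bits, with a guard placed on the wrong value beside a checked narrowing that rejects the oversized result instead of truncating it. The function names, the integer price and the liquidity figure are constructed for the example.

```rust
// Constructed model of a narrowing bug in AMM deposit math (not Cetus's code).

#[derive(Debug, PartialEq)]
pub enum MathError {
    Overflow,
}

/// Wide (u128) token amount owed for `liquidity` units at an integer `price`
/// (tokens per liquidity unit). Real AMMs use fixed-point sqrt-price math;
/// a plain product is enough to show the narrowing problem.
pub fn wide_amount_owed(liquidity: u64, price: u128) -> Option<u128> {
    (liquidity as u128).checked_mul(price)
}

/// Vulnerable: `as u64` keeps only the low 64 bits of the wide product, so a
/// product just above 2^64 is silently truncated to a tiny amount.
pub fn amount_owed_truncating(liquidity: u64, price: u128) -> Option<u64> {
    wide_amount_owed(liquidity, price).map(|wide| wide as u64)
}

/// Misapplied guard: the overflow check is on the input, which already fits
/// in u64, while the wide product is still narrowed unchecked. It never fires.
pub fn amount_owed_misapplied_guard(liquidity: u64, price: u128) -> Result<u64, MathError> {
    if (liquidity as u128) > u64::MAX as u128 {
        return Err(MathError::Overflow);
    }
    let wide = wide_amount_owed(liquidity, price).ok_or(MathError::Overflow)?;
    Ok(wide as u64)
}

/// Fixed: `try_from` fails whenever high bits would be discarded, so an
/// oversized product is rejected rather than truncated.
pub fn amount_owed_checked(liquidity: u64, price: u128) -> Result<u64, MathError> {
    let wide = wide_amount_owed(liquidity, price).ok_or(MathError::Overflow)?;
    u64::try_from(wide).map_err(|_| MathError::Overflow)
}

/// Constructed request: liquidity * PRICE == 2^65 + 1, whose low 64 bits are 1,
/// so the truncating path charges a single token for the whole position.
pub const PRICE: u128 = 3;
pub const HUGE_LIQUIDITY: u64 = (((1u128 << 65) + 1) / 3) as u64;

fn main() {
    println!("truncating : {:?} tokens for {} liquidity", amount_owed_truncating(HUGE_LIQUIDITY, PRICE), HUGE_LIQUIDITY);
    println!("misapplied : {:?}", amount_owed_misapplied_guard(HUGE_LIQUIDITY, PRICE));
    println!("checked    : {:?}", amount_owed_checked(HUGE_LIQUIDITY, PRICE));
}
```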
“This incident shows why edge cases in DeFi can’t be ignored,” Dedaub wrote, urging all developers to verify overflow protections manually and carefully audit smart contract logic.
Market Impact and Fallout
The exploit triggered a swift sell-off across the Sui ecosystem. Both SUI and CETUS tokens plunged over 40% in a matter of hours. Several Sui-based memecoins and lower-cap assets crashed even harder, with some losing over 90% of their value.
The Cetus team, in collaboration with the Sui Foundation, responded by coordinating with validators to freeze approximately $163 million of the stolen funds. The project has also issued a $5 million bounty for information that could lead to the identification of the attacker.
Initially, the hack was mistakenly attributed to an oracle bug. However, deeper investigation revealed the overflow flaw was the true culprit.
Lessons and Warnings for DeFi
The Cetus exploit underscores ongoing challenges in DeFi security — particularly in protocols using advanced mathematical formulas or custom AMM designs.
Overflow vulnerabilities, while technical in nature, can have catastrophic consequences if left unaddressed. The incident also highlights the importance of consistent and comprehensive auditing, especially when porting code across different blockchain environments.
As Sui continues to position itself as a next-generation smart contract platform, this breach represents a significant test of its ecosystem’s resilience. For developers and users alike, the message is clear: smart contract safety is not optional — it’s foundational.
Meanwhile, the hunt for the attacker continues, with a large portion of stolen funds still in limbo.