Cetus Protocol: Integer Overflow / Division-by-Near-Zero in Concentrated Liquidity Math
Summary
Cetus Protocol, a DEX / AMM (concentrated liquidity), suffered an exploit on 2025-05-22, resulting in a loss of approximately $223M.
What happened
An attacker deposited a single token into a DEX pool with a near-zero denominator in its liquidity formula, generating 10³⁴ units of fake liquidity, and drained $223M from every pool on Sui's largest exchange.
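As an added illustration that is not Cetus's or the `integer-mate` library's code: a Uniswap-v3-style conversion from liquidity to the token-A deposit it requires, in Q64.64 fixed point, with the unguarded left shift that wraps at 256 bits beside a guarded version that fails closed. Function names, the price range and the liquidity value are constructed assumptions chosen to make the wrap visible.

```python
Q64 = 1 << 64                     # 1.0 in Q64.64 fixed point
U256_MASK = (1 << 256) - 1        # models wrap-around of a u256 intermediate

def _ceil_div(n: int, d: int) -> int:
    return -(-n // d)

def delta_a_unchecked(liquidity: int, sqrt_lower: int, sqrt_upper: int) -> int:
    """Token-A amount for liquidity L over [sqrt_lower, sqrt_upper], rounded up.

    amount_a = L * (sqrt_upper - sqrt_lower) / (sqrt_lower * sqrt_upper)
    Vulnerable pattern: the << 64 that aligns the X64 numerator with the X128
    denominator is reduced mod 2**256 with no check, so a huge L can come
    out as a tiny required deposit.
    """
    numerator = liquidity * (sqrt_upper - sqrt_lower)      # u128 * u128 fits in u256
    shifted = (numerator << 64) & U256_MASK                 # silent wrap-around
    return _ceil_div(shifted, sqrt_lower * sqrt_upper)

def delta_a_checked(liquidity: int, sqrt_lower: int, sqrt_upper: int) -> int:
    """Same formula, but the shift is guarded: fail closed instead of wrapping."""
    numerator = liquidity * (sqrt_upper - sqrt_lower)
    if numerator >= (1 << 192):                             # bits 192..255 would be lost
        raise OverflowError("liquidity * sqrt-price delta too large for << 64")
    return _ceil_div(numerator << 64, sqrt_lower * sqrt_upper)

def exact_delta_a(liquidity: int, sqrt_lower: int, sqrt_upper: int) -> int:
    """Reference value with Python's unbounded ints: what the pool should charge."""
    return _ceil_div((liquidity * (sqrt_upper - sqrt_lower)) << 64, sqrt_lower * sqrt_upper)

# Constructed inputs: price range [1, ~2**32] and an absurdly large liquidity.
SQRT_LOWER = Q64
SQRT_UPPER = Q64 + (1 << 80)
HUGE_LIQUIDITY = (1 << 112) + 1

def compare(liquidity: int = HUGE_LIQUIDITY, lo: int = SQRT_LOWER, hi: int = SQRT_UPPER):
    """Return (unchecked_amount, exact_amount, checked_rejected) for one position."""
    try:
        delta_a_checked(liquidity, lo, hi)
        rejected = False
    except OverflowError:
        rejected = True
    return delta_a_unchecked(liquidity, lo, hi), exact_delta_a(liquidity, lo, hi), rejected

if __name__ == "__main__":
    unchecked, exact, rejected = compare()
    print(f"unchecked deposit: {unchecked}  exact: {exact}  checked rejected: {rejected}")
```

For the constructed position the unchecked path asks for a deposit of 1 unit where the exact figure is on the order of 2**112, while the guarded path refuses the operation; for an ordinary position (e.g. `compare(10**18, Q64, 2 * Q64)`) all three agree.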
Linked factors
- RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — Zellic explicitly stated the `integer-mate` library was out of scope for their April 2025 audit. MoveIT and Otter audited 2 ye...]
- RD-F-098 — illustrative: TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N + detail): YES — HODLFM flagged USDC depegging to zero on Sui and mass SUI token dumps within minutes of pools being drained. The sequential drain ac...] || Low detectability — RT signals would NOT have caught (negative evidence) [via realtime_signals/Detectability Reasoning: Each individual exploit was atomic (single tx). However, the sequential nature (every Cetus pool drained one after another) and the immediat...]
- RD-F-099 — illustrative: Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N + detail): YES — Token prices crashed 75–80% on Sui during the exploit. Meme coins died first. Price oracle feeds from Cetus pools would have shown i...]
- RD-F-100 — illustrative: Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N + detail): YES — Flash loan of 56,700 SUI at exploit initiation. Repeated flash loans for each subsequent pool.]