$223 Million Stolen in Cetus Protocol Hack

A vulnerability in the smart contract for liquidity pools allowed hackers to steal roughly $223 million in virtual assets from cryptocurrency exchange Cetus Protocol.

The incident occurred on May 22 and led to Cetus immediately pausing its smart contract, but not before the hackers were able to siphon both native SUI tokens and other tokens.

The attackers exploited a vulnerability in an open source library used in the liquidity provider’s smart contract, manipulated pool prices, and proceeded to drain token reserves, repeating the process several times, Cetus explains in a post-mortem report.

“By manipulating the pool’s tick and liquidity mechanisms, the attacker successfully drained a significant portion of assets across multiple iterations of the exploit,” it notes.

The hackers first swapped USDT to USDC, two stablecoins issued by Tether and Circle, respectively, then bridged to the Ethereum blockchain and converted the funds to the native asset, blockchain analytics ...