It is a no-brainer that wherever there is money, malicious actors will be there too, eyeing it and seizing every opportunity to deploy their attack vectors and drain the funds. Sometimes phishing is used to lure the user, or, in the latest case, hackers are using a zero-value fund transfer scheme to attack users. In such cases a little caution on the user's part is enough to safeguard their funds. But what happens if the code guarding the funds is itself flawed? The contracts and code that now act as the actual custodian, and are supposed to safeguard your funds, are the weakest link in the safety of those funds.
Cetus Protocol is a decentralized finance platform on the SUI blockchain. On May 22, the platform was hacked for approximately $223 million in funds. The hack drained the liquidity platform, and a few memecoins on the SUI blockchain, such as AXOL, lost almost all of their value.
Blockchain security firm Dedaub analyzed the incident to find the root cause. According to their analysis, an "overflow" in a mathematical calculation caused the issue.
The attacker exploited a vulnerability that truncates the most significant bits in a liquidity calculation function of the Cetus AMM. This calculation is invoked when a user opens an LP position. When opening such a position, a user can open a large or small position by specifying a "liquidity" parameter (what fraction of the pool you would like to get in return) and supplying the corresponding amount of tokens. By manipulating the liquidity parameter to an extremely high value, they caused an overflow in the intermediate calculations that went undetected due to a flawed truncation check. This allowed them to add massive liquidity positions with just 1 unit of token input, and subsequently to drain pools collectively containing hundreds of millions of dollars worth of tokens.
They have produced a very detailed report explaining the mathematical functions and the exact line of code that caused the issue. If you are really interested in reading all of it, you should read the detailed report here
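To make the bug class concrete, here is an added illustrative example (Python, not the Cetus source; the function names and the simplified amount formula are assumptions). It places a flawed "shift left by 64 with overflow check" of the kind described above beside a correct one, and shows how the flawed guard lets the high bits be truncated so that a huge liquidity value needs almost no tokens, while the correct guard rejects the same input.

```python
# Constructed model of a 256-bit "shift left by 64 with overflow check".
# Hypothetical names; not the Cetus/integer library code itself.
U256_MAX = (1 << 256) - 1


def shlw_flawed(n: int) -> tuple[int, bool]:
    """Flawed guard: compares against a mask whose top 64 bits are all set,
    so only values whose high 64 bits are *all ones* are rejected.  Any other
    n with high bits set passes, and those bits are lost when the result is
    kept to 256 bits (truncation of the most significant bits)."""
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MAX, False


def shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct guard: n << 64 overflows u256 exactly when any of the top 64
    bits of n is set, i.e. when n >= 2**192."""
    if n >= 1 << 192:
        return 0, True
    return n << 64, False


def amount_for_liquidity(liquidity: int, sqrt_diff: int, denom: int, shlw) -> int:
    """Simplified amount calculation (assumed shape, for illustration):
    amount = ceil((liquidity * sqrt_diff) << 64 / denom).
    `shlw` is the shift-with-check under test; a detected overflow aborts."""
    product = liquidity * sqrt_diff
    shifted, overflowed = shlw(product)
    if overflowed:
        raise OverflowError("intermediate value does not fit in u256")
    return -(-shifted // denom)  # ceiling division


def overflow_detected(shlw, liquidity: int, sqrt_diff: int, denom: int) -> bool:
    """True when the guard flags the intermediate overflow for these inputs."""
    try:
        amount_for_liquidity(liquidity, sqrt_diff, denom, shlw)
        return False
    except OverflowError:
        return True


if __name__ == "__main__":
    # Constructed inputs: product = 2**200 has a high bit set but not all of them.
    print(amount_for_liquidity(1 << 192, 256, 1 << 64, shlw_flawed))  # 0 tokens
    print(overflow_detected(shlw_fixed, 1 << 192, 256, 1 << 64))      # True
```

A reviewer's unit test that feeds the guard a value with a single high bit set, rather than only the all-ones maximum, is enough to catch a check of this shape.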
SUI blockchain network validators froze $160 million of the funds in the attacker's wallets. Since they can freeze funds, the crypto community is now doubting the decentralization of the SUI platform: if funds can be frozen, then it is a "centralized" network under the guise of "decentralization".
With all the risks and hacks involved in DeFi, I am not a big fan of DeFi currently. I already outlined the risks of DeFi in my earlier posts. With the CETUS hack, my fear also came true. I wish developers would understand that their code is responsible for safeguarding the funds of millions of users. Due to the narrative in social media that promotes crypto as a 100x or 1000x overnight money-making scheme, many users sometimes put in their substantial savings. I wish this had not happened.
In the end, I will just say: invest in a platform only after calculating the risks and rewards, and developers and auditors should perform their jobs more responsibly.
Posted Using INLEO
The hacks suck, and the freezing of funds will obviously cause issues. I wonder how things will go, because security and hacks will be fighting each other all the time.
The more we rely on code, the better we need to code. It looks like DeFi development will need time to mature enough to produce robust code.