Dear Sui Community,
We regret to inform you that on May 22, 2025, Cetus experienced a sophisticated smart contract exploit targeting the CLMM pools. Immediate actions were taken to mitigate the impact, and this report aims to share a transparent timeline, root cause analysis, fund status, and next steps as we move forward together.
The attacker exploited a vulnerability in the CLMM contract stemming from a flaw in the inter_mate open-source library. The attack was carried out in the following steps:
a. The attacker initiated a flash_swap to temporarily suppress pool prices.
b. Opened a position at a higher price tick range.
c. Leveraged an incorrect overflow check in the add_liquidity logic to inject an artificially large liquidity value with minimal tokens.
d. Conducted multiple rounds of remove_liquidity to drain token reserves.
e. Calculated how much liquidity was left in the pool to remove, and repeated the removal process.