Dear Sui Community,

We regret to inform you that on May 22, 2025, Cetus experienced a sophisticated smart contract exploit targeting the CLMM pools. Immediate actions were taken to mitigate the impact, and this report aims to share a transparent timeline, root cause analysis, fund status, and next steps as we move forward together.

Timeline of Events

• 10:30:50 UTC – Exploit begins via abnormal transactions.
• 10:40:00 UTC – Anomaly detected in pool behavior by monitoring systems.
• 10:53:00 UTC – Attack source identified by the Cetus team and escalated to Sui ecosystem members.
• 10:57:47 UTC – Core CLMM pools were disabled to prevent further loss.
• 11:20:00 UTC – All relevant smart contracts were globally disabled.
• 12:50:00 UTC – Sui Validators started voting on refusing to serve transactions signed by attacker’s addresses and after the amount of votes crossed 33% of the stake threshold, validators effectively “froze” those addresses.
• 18:04:07 UTC – On-chain negotiation message sent to the attacker.
• 18:15:28 UTC – Vulnerable contract patched and upgraded (not yet restarted).

Exploit Analysis

The attacker exploited a vulnerability in the CLMM contract stemming from a flaw in the inter_mate open-source library. Attacks were conducted in the following procedures:

a. The attacker initiated a flash_swap to temporarily suppress pool prices.

b. Opened a position at a higher price tick range.

c. Leveraged an incorrect overflow check in the add_liquidity logic to inject an artificially large liquidity value with minimal tokens.

d. Conducted multiple rounds of remove_liquidity to drain token reserves.

e. Calculate how much liquidity is left in the pool for liquidity removal and repeat the removal process