Dear Sui Community,

We regret to inform you that on May 22, 2025, Cetus experienced a sophisticated smart contract exploit targeting the CLMM pools. Immediate actions were taken to mitigate the impact, and this report aims to share a transparent timeline, root cause analysis, fund status, and next steps as we move forward together.


Timeline of Events


Exploit Analysis

The attacker exploited a vulnerability in the CLMM contract stemming from a flaw in the inter_mate open-source library. The attack proceeded as follows:

a. The attacker initiated a flash_swap to temporarily suppress pool prices.

b. Opened a position at a higher price tick range.

c. Leveraged an incorrect overflow check in the add_liquidity logic to inject an artificially large liquidity value with minimal tokens.

d. Conducted multiple rounds of remove_liquidity to drain token reserves.

e. Calculated how much liquidity remained in the pool and repeated the removal process.
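The report names the flaw only as an incorrect overflow check in add_liquidity. The illustrative Python below is added here and is not Cetus or inter_mate code: it models that defect class, a guard on a 64-bit left shift that compares against the wrong bound, next to the corrected guard, and shows why a wrong guard lets an enormous liquidity value cost almost no tokens. The helper name checked_shlw, the Q64.64 fixed-point representation, the token-amount formula and the sample prices are assumptions.

```python
# Illustrative model of a shift-left overflow guard, not the library's code.
U256_MAX = (1 << 256) - 1


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Assumed wrong guard: rejects only values whose top 64 bits are all set,
    so any n with bits in positions 192..255 passes and the bits pushed above
    bit 256 by the shift are silently dropped (u256 wrap-around)."""
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MAX, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct guard: n << 64 fits in u256 only when n < 2**192."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def token_a_for_liquidity(liquidity, sqrt_lower, sqrt_upper, shlw):
    """Assumed formula for tokens of asset A owed when adding `liquidity`
    between two sqrt prices in Q64.64, rounded up:
    ceil(liquidity * (sqrt_upper - sqrt_lower) * 2**64 / (sqrt_lower * sqrt_upper))."""
    numerator, overflow = shlw(liquidity * (sqrt_upper - sqrt_lower))
    if overflow:
        raise OverflowError("liquidity delta too large for u256 arithmetic")
    denominator = sqrt_lower * sqrt_upper
    return -(-numerator // denominator)


def demo() -> dict:
    # Constructed sample: sqrt prices 1.0 and 1.0625 in Q64.64, and a
    # liquidity value chosen so liquidity * diff has bits only at 192 and 60.
    sqrt_lower = 1 << 64
    sqrt_upper = (1 << 64) + (1 << 60)
    liquidity = (1 << 132) + 1
    # Exact big-integer arithmetic: what the pool should have charged.
    product = (liquidity * (sqrt_upper - sqrt_lower)) << 64
    exact = -((-product) // (sqrt_lower * sqrt_upper))
    buggy = token_a_for_liquidity(liquidity, sqrt_lower, sqrt_upper, checked_shlw_buggy)
    try:
        token_a_for_liquidity(liquidity, sqrt_lower, sqrt_upper, checked_shlw_fixed)
        fixed_overflow = False
    except OverflowError:
        fixed_overflow = True  # the corrected guard rejects the delta
    return {"exact_amount": exact, "buggy_amount": buggy,
            "fixed_overflow": fixed_overflow}
```

With the wrong guard the sample liquidity costs 1 token unit instead of roughly 2**128; the corrected guard rejects the same input, which is the behaviour a reviewer should verify on every checked-shift helper in fixed-point math.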