SlowMist releases analysis of the $230 million Cetus theft: attacker exchanged a very small amount of tokens for a huge amount of liquidity assets
SlowMist has released an analysis of the theft of 230 million US dollars from Cetus. It points out that the core of the incident is that the attacker carefully constructed parameters that cause an overflow yet bypass detection, and ultimately exchanged a very small amount of tokens for a huge amount of liquidity assets. The root cause is an overflow-detection bypass vulnerability in checked_shlw in the get_delta_a function. The attacker took advantage of it to cause a serious deviation in the system's calculation of how much haSUI needed to be added. Because the overflow went undetected, the system misjudged the amount of haSUI required, which allowed the attacker to exchange very few tokens for a large amount of liquidity assets.
This attack demonstrates the power of mathematical overflow vulnerabilities. The attacker used precise calculations to select specific parameters, exploited the flaw in the checked_shlw function, and obtained liquidity worth tens of billions at the cost of 1 token. This is an extremely precise mathematical attack, and developers are advised to rigorously verify all boundary conditions of mathematical functions in smart contract development.
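The boundary verification recommended above can be sketched as follows. This is an added example, not code from Cetus or SlowMist: it models a 256-bit "checked shift left by 64" in Python and compares each guard's verdict with exact arithmetic at the edge values. The integer width, the shift amount and the flawed threshold are assumptions made for illustration, since the article does not give the actual comparison.

```python
U256_MAX = (1 << 256) - 1   # assumed register width: 256 bits
SHIFT = 64                  # assumed shift amount

def shlw_wrapping(n: int) -> int:
    """Value a fixed-width 256-bit register holds after n << 64 (high bits dropped)."""
    return (n << SHIFT) & U256_MAX

def checked_shlw_flawed(n: int):
    """Constructed flawed guard: the threshold is too high, so some overflows pass."""
    mask = 0xFFFFFFFFFFFFFFFF << 192   # assumed bound, for illustration only
    if n > mask:
        return 0, True
    return shlw_wrapping(n), False

def checked_shlw_correct(n: int):
    """Correct guard: n << 64 fits in 256 bits only when n < 2**192."""
    if n >= 1 << (256 - SHIFT):
        return 0, True
    return shlw_wrapping(n), False

def boundary_inputs():
    """Values at and next to each power of two around the true limit, plus extremes."""
    pts = {0, 1, U256_MAX}
    for bit in range(190, 257):
        for delta in (-1, 0, 1):
            v = (1 << bit) + delta
            if 0 <= v <= U256_MAX:
                pts.add(v)
    return sorted(pts)

def undetected_overflows(checked):
    """Inputs where the guard reports no overflow but the result differs from exact n << 64."""
    missed = []
    for n in boundary_inputs():
        result, overflowed = checked(n)
        if not overflowed and result != n << SHIFT:
            missed.append(n)
    return missed

if __name__ == "__main__":
    print("flawed guard misses:", len(undetected_overflows(checked_shlw_flawed)))
    print("correct guard misses:", len(undetected_overflows(checked_shlw_correct)))
```

A test of this kind belongs in the contract's unit-test suite, run against the real checked arithmetic helpers with an arbitrary-precision reference as the oracle.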








