Cetus Hack: The Familiar ‘Lax Crypto Security Playbook’ Strikes Again
This incident ranks among the largest decentralized finance (DeFi) exploits to date and is particularly galling because, according to blockchain security firm Dedaub, the vulnerability at fault was highlighted over two years ago in an earlier Ottersec security audit.
The Exploit: A Critical Overflow Vulnerability
Dedaub conducted a post-mortem analysis revealing that the attackers exploited a critical overflow flaw in Cetus Protocol’s automated market maker (AMM) logic.
Specifically, the flaw involved an improper handling of large numerical inputs, where a miswritten condition failed to correctly process the most significant bits (MSB) of these inputs. As a result, attackers were able to deposit minimal amounts of tokens while receiving disproportionately large liquidity credits, which they then used to drain substantial assets from the liquidity pools.
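The page does not reproduce the condition Dedaub found, so the following is an added illustration of the class of bug it describes (a "checked" wide-integer shift whose guard examines the wrong bits), not Cetus's or Dedaub's code. The function names, the 256-bit width and the sample inputs are assumptions; the differential test at the end is the kind of check that catches this defect for any checked-shift helper, not only this one.

```python
# Added illustration, not code from Cetus or Dedaub. Models a "checked"
# 64-bit left shift on a 256-bit unsigned integer, once with a miswritten
# most-significant-bit guard and once with a correct one. Names hypothetical.

U256_MAX = (1 << 256) - 1


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Returns (n << 64 mod 2**256, overflowed). The guard is wrong: it only
    flags values ABOVE a mask whose top 64 bits are all ones, so any value
    whose top 64 bits are non-zero but not all ones passes and wraps."""
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MAX, False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct guard: any set bit among the top 64 would be shifted out."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def guard_is_sound(shl, samples) -> bool:
    """Differential test: the guard is sound iff, for every sample, it
    either reports overflow or returns the exact (unbounded) shift."""
    for n in samples:
        result, overflowed = shl(n)
        if not overflowed and result != n << 64:
            return False
    return True


# Constructed inputs: a small value, the boundary, a value with a single
# high bit set (the case the mask comparison mishandles), and the maximum.
SAMPLES = [1, (1 << 192) - 1, 1 << 192, 1 << 200, U256_MAX]

if __name__ == "__main__":
    print("buggy guard sound:", guard_is_sound(checked_shlw_buggy, SAMPLES))
    print("fixed guard sound:", guard_is_sound(checked_shlw_fixed, SAMPLES))
```

With the buggy guard, 1 << 200 is accepted and shifts to 0, which is exactly the kind of silent wrap that turns a large intermediate value into a tiny required deposit.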
This vulnerability was particularly concerning because Dedaub notes that it had previously been identified during an early 2023 audit by another blockchain security firm, Ottersec, when Cetus was operating on the Aptos blockchain. Despite this, the flaw remained unaddressed, highlighting a lapse in the protocol’s security measures.
Immediate Response and Fund Recovery Efforts
In the immediate aftermath of the breach, Cetus Protocol, in collaboration with the Sui Foundation and network validators, did what it could to mitigate the damage. Approximately $163 million of the stolen assets were frozen by Sui network validators and ecosystem partners on the same day as the hack.
Many in the community have criticized the decision to allow nodes to step in and centrally block on-chain activity.
“SUI validators are actively censoring transactions across the blockchain. This completely undermines the principles of decentralization and transforms the network into nothing more than a centralized, permissioned database,” wrote X user @ItsDave_ADA. This and many other replies to the post explaining why the freeze was carried out aggressively criticized it.
The incident has sparked a debate within the crypto community regarding the balance between decentralization and security. The decision by Sui network validators to freeze the stolen funds, while effective in mitigating losses, has been criticized by some as undermining the principles of decentralization. To facilitate the recovery of the remaining funds, Cetus proposed an on-chain vote to implement a protocol upgrade aimed at retrieving the frozen assets. Additionally, Cetus has offered a $5 million bounty to the hacker in exchange for the return of the stolen funds.
Cetus Hack: ‘We did everything right…’
While the company’s response has been quick and transparent, and their recovery efforts commendable, their post-incident release reads like a case study in the crypto industry’s recurring security challenges.
The Audit Paradox
Cetus proudly states they were “among the DeFi teams on Sui that invested the most in smart contract audits and system safeguards.” This raises an uncomfortable question that has plagued the crypto space for years: if comprehensive auditing was in place, how did this breach occur?
The reality is that multiple audit rounds and widespread use of open-source libraries, while valuable, don’t guarantee security. Cetus admits that these measures gave them “a sense that we had done enough” – a dangerous mindset in cybersecurity where vigilance must be constant. Their acknowledgment that they “allowed ourselves to relax our vigilance” is refreshingly honest, but it highlights a pattern we’ve seen repeatedly across the industry.
A Familiar Recovery Plan
The six points of the improvement plan Cetus has outlined – real-time monitoring, better risk management, enhanced test coverage, public reporting, regular audits, and expanded bug bounties – are all solid security practices. However, these aren’t revolutionary concepts. They’re foundational security measures that arguably should have been implemented from day one and turned up to 11. Cetus says “many of these measures are already in place, but we will take them further.” Too little, way too late.
The Cetus hack and the recent Coinbase security breach highlight an important problem with crypto security: many, many projects treat comprehensive security as something to be perfected over time, rather than as a prerequisite for handling hundreds of millions in user funds.
The Ecosystem Responsibility Question
Cetus’s call for ecosystem-wide collaboration on security is both reasonable and concerning. While community involvement in security is valuable, it shouldn’t serve as a substitute for robust internal security practices. The statement that “safeguarding a DeFi protocol cannot rely solely on the efforts of our team and audit partners” could be interpreted as distributing responsibility rather than taking full ownership. That’s never going to happen, guys – you’re on your own.
Industry-Wide Patterns
What makes the Cetus incident particularly noteworthy isn’t its uniqueness, but rather how it fits into a broad recurring pattern. The crypto industry has seen numerous high-profile hacks followed by similar promises of improved security measures. From bridge protocols to exchanges to DeFi platforms, the cycle of breach, response, and pledged improvements has become disappointingly routine.
Moving Forward
The Cetus incident serves as another reminder that the crypto industry still has significant work to do in establishing robust security standards. While innovation moves quickly in this space, security practices often lag behind, leaving users vulnerable. The question isn’t whether Cetus will implement their promised improvements – it’s whether the industry as a whole will learn from these repeated lessons before the next major breach occurs. I doubt it will.
Original source: Brave New Coin