
SlowMist breaks down how a small token flaw led to Cetus's $230 million collapse

On May 22, something worrying happened in the blockchain world. Prices on Cetus, a decentralized exchange (DEX), suddenly dropped, and its liquidity pools were drained. The total estimated loss was more than $230 million.

That is when SlowMist, a well-known blockchain security team, stepped in and launched an analysis. What they discovered was alarming and technical.

What is the real problem?

According to SlowMist's deep-dive analysis, the root of the problem was a weakness in the code of Cetus's smart contracts: specifically, a function called checked_shlw that failed to detect an overflow in another function called get_delta_a.

Now, what does that actually mean in simple terms?

This bug caused token amounts to be calculated incorrectly. The contract did not notice when the numbers became too large, so it assumed the attacker was adding a large amount of liquidity when in fact they added only one token.

This small flaw gave the attacker an enormous opportunity.

How did the attacker take advantage?

Here is how the attacker carried out the exploitation, step by step:

Flash loan: The attacker borrowed more than 10 million haSUI tokens using a flash loan. This step caused the token price in the pool to drop by 99.9%.

Setup: They then created a very narrow liquidity position, a small window in the price range, which made the system believe that a large amount of liquidity was being added.

Exploitation: Using the overflow flaw, they claimed to be adding trillions in liquidity but supplied only one token. The contract did not catch the mismatch.

Exit: The attacker removed the fake liquidity in three stages and repaid the flash loan.

Huge profit: They walked away with 10 million haSUI and 5.7 million SUI, with almost no real investment.

SlowMist's warning to DeFi developers

This incident shows how a small coding error can lead to huge financial losses, especially on DeFi platforms where smart contracts run everything.

According to SlowMist, if a critical function like checked_shlw does not properly detect errors such as overflow, attackers can completely break the system's logic.

SlowMist urges all DeFi developers to check their math functions, especially in areas that involve token calculations and liquidity formulas. A single unchecked line of code was all it took to let someone walk away with millions.
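As an added illustration (not code from the original article or from Cetus), the Python model below shows how a checked 64-bit left shift on 256-bit values with a limit set too high lets an oversized amount wrap around to a tiny one, next to a corrected check. The flawed limit, the tokens_required helper and the input values are assumptions constructed for the example.

```python
# Added illustration, not Cetus source code: a 256-bit "shift left by 64" guard.
U256_MAX = (1 << 256) - 1
SHIFT = 64

# Assumed flawed threshold (chosen for illustration): far too high, so inputs
# whose shifted value needs more than 256 bits still pass the check.
FLAWED_LIMIT = 0xFFFFFFFFFFFFFFFF << 192


def shl_wrapping(n):
    """Fixed-width shift: bits pushed above bit 255 are silently dropped."""
    return (n << SHIFT) & U256_MAX


def checked_shlw_flawed(n):
    """Returns (result, overflowed) but compares against the wrong limit."""
    if n > FLAWED_LIMIT:
        return 0, True
    return shl_wrapping(n), False


def checked_shlw_fixed(n):
    """n << 64 fits in 256 bits only when n < 2**192."""
    if n >= 1 << (256 - SHIFT):
        return 0, True
    return shl_wrapping(n), False


def tokens_required(numerator, denominator, checked_shlw):
    """Hypothetical stand-in for the amount step: scale up, divide, round up."""
    shifted, overflowed = checked_shlw(numerator)
    if overflowed:
        raise OverflowError("liquidity amount does not fit in 256 bits")
    return -(-shifted // denominator)


# Constructed input: the numerator is just past the largest safe value.
NUMERATOR = (1 << 192) + 1
DENOMINATOR = 1 << 64
TRUE_COST = -(-(NUMERATOR << SHIFT) // DENOMINATOR)  # exact arithmetic, no wrap

if __name__ == "__main__":
    print("true cost    :", TRUE_COST)
    print("flawed check :", tokens_required(NUMERATOR, DENOMINATOR, checked_shlw_flawed))
    try:
        tokens_required(NUMERATOR, DENOMINATOR, checked_shlw_fixed)
    except OverflowError as exc:
        print("fixed check  : rejected,", exc)
```

A boundary test at exactly 2**192 and one value on either side is the kind of unit test that catches a misplaced limit in such a guard.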
