Cetus DEX Overflow Hack: $223M Lost to Unchecked Arithmetic
A comprehensive look at the Cetus DEX exploit—how hard arithmetic limits were bypassed and the decisive system changes rolled out afterward.

Cetus DEX Overflow: The Dangers of Arithmetic Limits
How Overflow Led to Mega-Losses
The $223 million Cetus DEX hack on Sui revealed the catastrophic cost of insufficient numeric boundary checks in DeFi. The protocol’s automated market maker did not cap the input parameters to its liquidity and swap functions, so an attacker could pass arbitrarily large values into critical arithmetic operations. Those values triggered integer overflows that let the attacker artificially inflate pool liquidity and then drain the correlated reserves through “phantom” entries that basic numeric guards would have made impossible.
The hack played out over several trading cycles. The attackers opened with immense, obviously invalid deposits that reset the contract’s internal state and liquidity accounting. With pool balances manipulated, subsequent swaps permitted abnormal withdrawals of real assets against fake liquidity. Audit logs showed these flaws had existed since launch: automated test coverage in the smart contract CI pipelines had never simulated extreme edge-case parameter ranges.
Forging True Contract Safety Going Forward
After the event, all swap and liquidity contracts on Cetus (and many other Sui protocols) were hot-patched to use extensive input validation, capped parameters, and precondition assertions to ensure no arithmetic operation could ever overflow. The codebase now includes runtime checks for every major arithmetic computation. Protocol governance also instituted external, independent audit requirements for all future major upgrades, and contracts are subjected to fuzz testing with automatically generated adversarial parameters before every deployment.
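The two sections above describe the bug class (an unchecked product in liquidity accounting that lets a caller be credited with liquidity for almost nothing) and the remedy (capped parameters, precondition assertions, runtime checks). The following toy ledger, written in Rust as an added example rather than Cetus or Sui code, puts both side by side: `tokens_required_unchecked` wraps in u64 the way an unguarded multiply does, while `tokens_required_checked` caps the caller-supplied parameter, widens the intermediate to u128 and refuses any result that does not fit back into u64. The Q32.32 price encoding, the `MAX_LIQUIDITY` cap, the pool layout and the numbers in the scenario are all constructed for this illustration.

```rust
// Added example (not Cetus code): a toy single-reserve liquidity ledger showing how an
// unchecked u64 product mints liquidity for free, and how a parameter cap plus widened,
// checked arithmetic closes the hole.

/// Q32.32 fixed-point one: price_x32 == ONE_X32 means one token per liquidity unit.
pub const ONE_X32: u64 = 1 << 32;

/// Largest liquidity a single call may request (a constructed cap for this toy).
pub const MAX_LIQUIDITY: u64 = 1 << 48;

#[derive(Debug, PartialEq, Eq)]
pub enum DepositError {
    ZeroLiquidity,
    LiquidityAboveCap,
    Overflow,
}

/// Vulnerable: liquidity * price_x32 is computed in u64 and silently wraps.
/// `wrapping_mul` makes the wrap explicit; a plain `*` in a release build, or in a
/// language without overflow traps, behaves the same way.
pub fn tokens_required_unchecked(liquidity: u64, price_x32: u64) -> u64 {
    liquidity.wrapping_mul(price_x32) >> 32
}

/// Hardened: reject out-of-range parameters up front, widen the intermediate to u128
/// (u64 * u64 always fits), and refuse any result that does not fit back into u64.
pub fn tokens_required_checked(liquidity: u64, price_x32: u64) -> Result<u64, DepositError> {
    if liquidity == 0 {
        return Err(DepositError::ZeroLiquidity);
    }
    if liquidity > MAX_LIQUIDITY {
        return Err(DepositError::LiquidityAboveCap);
    }
    let product = (liquidity as u128) * (price_x32 as u128);
    u64::try_from(product >> 32).map_err(|_| DepositError::Overflow)
}

/// Toy pool: one token reserve and the liquidity units outstanding against it.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Pool {
    pub reserve: u64,
    pub total_liquidity: u64,
}

impl Pool {
    pub fn new() -> Self {
        Pool { reserve: 0, total_liquidity: 0 }
    }

    /// Credit `liquidity` units after collecting `tokens` from the depositor.
    fn credit(&mut self, liquidity: u64, tokens: u64) {
        self.reserve += tokens;
        self.total_liquidity += liquidity;
    }

    /// Vulnerable deposit path: trusts the wrapped price computation.
    pub fn deposit_unchecked(&mut self, liquidity: u64, price_x32: u64) -> u64 {
        let tokens = tokens_required_unchecked(liquidity, price_x32);
        self.credit(liquidity, tokens);
        tokens
    }

    /// Hardened deposit path: the call aborts instead of crediting bad liquidity.
    pub fn deposit_checked(&mut self, liquidity: u64, price_x32: u64) -> Result<u64, DepositError> {
        let tokens = tokens_required_checked(liquidity, price_x32)?;
        self.credit(liquidity, tokens);
        Ok(tokens)
    }

    /// Pay out the pro-rata share of the reserve for `liquidity` units (u128 intermediate).
    pub fn withdraw(&mut self, liquidity: u64) -> u64 {
        assert!(liquidity > 0 && liquidity <= self.total_liquidity, "invalid liquidity amount");
        let payout = (self.reserve as u128 * liquidity as u128 / self.total_liquidity as u128) as u64;
        self.reserve -= payout;
        self.total_liquidity -= liquidity;
        payout
    }
}

/// Constructed scenario: an honest LP funds the pool, then a caller requests 2^32
/// liquidity units at price 1.0. In u64, 2^32 * 2^32 wraps to 0, so the vulnerable path
/// charges nothing and then pays out almost the whole reserve.
/// Returns (tokens the caller paid, tokens the caller withdrew).
pub fn simulate_unchecked_drain() -> (u64, u64) {
    let mut pool = Pool::new();
    pool.deposit_unchecked(1_000_000, ONE_X32); // honest LP pays 1_000_000 tokens
    let paid = pool.deposit_unchecked(1 << 32, ONE_X32); // wraps: paid == 0
    let withdrawn = pool.withdraw(1 << 32);
    (paid, withdrawn)
}

/// The same request against the hardened path: the caller is charged the fair 2^32
/// tokens, so reserve and liquidity stay consistent.
pub fn simulate_checked_deposit() -> Result<u64, DepositError> {
    let mut pool = Pool::new();
    pool.deposit_checked(1_000_000, ONE_X32)?;
    pool.deposit_checked(1 << 32, ONE_X32)
}

fn main() {
    println!("unchecked (paid, withdrawn) = {:?}", simulate_unchecked_drain());
    println!("checked deposit           = {:?}", simulate_checked_deposit());
    println!("above cap                 = {:?}", tokens_required_checked(1 << 50, ONE_X32));
}
```

The cap and the widened multiply guard against different things: the cap bounds what a caller may even ask for, while the u128 intermediate and the `try_from` conversion catch results that are arithmetically legitimate but unrepresentable. Both functions are pure, which is what makes them easy targets for the property-based fuzzing the article mentions: a harness can feed random `(liquidity, price_x32)` pairs and assert that `tokens_required_checked` either errors or returns a value equal to the exact u128 computation.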
Importantly, the hack also led Sui core developers to release a chain-wide upgrade: all chain-integrated protocols must flag and halt any contract returning results outside the normal parameter distribution. As a result, chain-level security and individual app-layer resilience have risen together. The Cetus exploit thus serves as a lasting warning that even in “safe” code, arithmetic can be a silent destroyer: unless every computation has a hard guardrail, edge-case attackers will eventually find and break it.