
Cetus CLMM
Hacked · DeFi · ✝ 2025
A spoofed token tricked the math into minting fake liquidity.
Cetus was the leading concentrated-liquidity DEX on the Sui network. In May 2025 an attacker exploited a flaw in its liquidity math using spoofed tokens, draining roughly $223M from its pools.
- Peak: ~$223M stolen
- Cause: Hacked
- Year of death: 2025
☠️ Cause of death
A spoof-token exploit abused an overflow check in the protocol's liquidity calculation, letting the attacker mint massive positions against near-zero deposits and drain the pools.
📓 Lessons left behind
- Validate every token before it touches pricing math.
- Overflow and bounds checks must be exhaustive, not sampled.
- Concentrated-liquidity math is a high-value attack surface.
🌱 The idea that survived
Invariant testing
Reinforced the case for fuzzing and invariant tests on AMM math before deployment.
#defi #sui #amm #protocol-logic