Cetus Hacker Incident Review Reveals Security Shortcomings and Improvement Directions for DeFi Projects
Cetus Protocol has published a detailed security incident review following the recent attack on the protocol. The report is thorough on technical details and on the emergency response, but it stops short of explaining the root cause of the attack.
The report attributes the incident to a flawed overflow check in the checked_shlw function of the integer-mate library, characterizing the bug as a "semantic misunderstanding". That description is technically accurate, but it reads as an attempt to shift responsibility onto an external dependency while downplaying Cetus's own negligence.
A closer look shows that the attack could only succeed because four conditions held at once: an ineffective overflow check, a large left-shift operation, a round-up rounding rule, and the absence of any economic plausibility check on the result. Cetus was negligent at each of these points. It accepted astronomically large values as user input, relied on a high-risk large-bit-shift operation, trusted the external library's overflow check without verifying it, and applied no economic common-sense check even when the system computed an obviously unreasonable exchange ratio.
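The following Python model, added here as an illustration and not taken from Cetus's or integer-mate's code, walks through the four-condition chain above with unbounded integers standing in for u256 arithmetic. The page only names checked_shlw and the four conditions; the specific guard in checked_shlw_buggy, the simplified concentrated-liquidity delta formula, the Q64.64 price range, the liquidity values and the tolerance in the plausibility check are all assumptions chosen for the demonstration. It shows how a wrapped left shift plus round-up division turns an astronomical liquidity input into a one-token charge, how a correct guard aborts instead, and how an independent economic plausibility check would have flagged the result.

```python
# Added example, not code from Cetus or integer-mate. Unbounded Python ints
# emulate u256 arithmetic; every constant below is a constructed assumption.

U256_MAX = (1 << 256) - 1
U128_MAX = (1 << 128) - 1
U64_MAX = (1 << 64) - 1


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Left-shift a u256 by 64 with an ineffective overflow guard.

    Assumed flaw for this demo: the guard compares n against a mask whose top
    64 bits are set (2**256 - 2**192) instead of against 2**192, so any n in
    [2**192, 2**256 - 2**192] is accepted and the shift silently wraps.
    """
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MAX, False  # emulate u256 wrap-around


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct guard: n << 64 fits in 256 bits only when n < 2**192."""
    if n >= (1 << 192):
        return 0, True
    return n << 64, False


def div_round_up(a: int, b: int) -> int:
    # Rounding up is the right policy when charging a user, but it also turns
    # a wrapped (tiny) numerator into a non-zero, plausible-looking amount.
    return (a + b - 1) // b


def delta_a(liquidity: int, sqrt_lower: int, sqrt_upper: int, shlw) -> int:
    """Token A needed to back `liquidity` over [sqrt_lower, sqrt_upper].

    Prices are square roots in Q64.64 fixed point; the formula is
    L * (su - sl) / (su * sl), with the 2**64 scale applied by a left shift.
    Raises OverflowError when the supplied shift helper reports overflow.
    """
    if not (0 < liquidity <= U128_MAX and 0 < sqrt_lower < sqrt_upper):
        raise ValueError("invalid liquidity or price range")
    numerator, overflow = shlw(liquidity * (sqrt_upper - sqrt_lower))
    if overflow:
        raise OverflowError("multiplication overflow")
    return div_round_up(numerator, sqrt_lower * sqrt_upper)


def try_delta_a(liquidity, sqrt_lower, sqrt_upper, shlw):
    """delta_a, but returns None instead of raising on overflow (an abort)."""
    try:
        return delta_a(liquidity, sqrt_lower, sqrt_upper, shlw)
    except OverflowError:
        return None


def delta_a_exact(liquidity: int, sqrt_lower: int, sqrt_upper: int) -> int:
    """Same formula with unbounded integers: the economically true amount."""
    numerator = (liquidity * (sqrt_upper - sqrt_lower)) << 64
    return div_round_up(numerator, sqrt_lower * sqrt_upper)


def economically_plausible(liquidity, amount_a, sqrt_lower, sqrt_upper) -> bool:
    """The sanity check the review says was missing.

    The amount actually charged must be in the same ballpark as an independent
    recomputation. The factor of 2 is an assumed tolerance for fixed-point
    rounding; a real implementation would also cap liquidity per position and
    require the result to fit the token's integer type.
    """
    exact = delta_a_exact(liquidity, sqrt_lower, sqrt_upper)
    return amount_a * 2 >= exact


# Constructed inputs: price range [1.0, 25.0] in Q64.64 and an astronomical
# liquidity value that no user should be allowed to submit.
SQRT_LOWER = 1 << 64
SQRT_UPPER = 5 << 64
HUGE_LIQUIDITY = (1 << 127) + 1
NORMAL_LIQUIDITY = 10**12


def demo() -> dict:
    """Run the scenario under both guards and return the observed amounts."""
    return {
        "huge_buggy": try_delta_a(HUGE_LIQUIDITY, SQRT_LOWER, SQRT_UPPER, checked_shlw_buggy),
        "huge_fixed": try_delta_a(HUGE_LIQUIDITY, SQRT_LOWER, SQRT_UPPER, checked_shlw_fixed),
        "huge_exact": delta_a_exact(HUGE_LIQUIDITY, SQRT_LOWER, SQRT_UPPER),
        "normal": try_delta_a(NORMAL_LIQUIDITY, SQRT_LOWER, SQRT_UPPER, checked_shlw_buggy),
    }


if __name__ == "__main__":
    r = demo()
    print(f"buggy guard charges {r['huge_buggy']} token(s) for liquidity {HUGE_LIQUIDITY}")
    print(f"fixed guard result: {r['huge_fixed']} (None = aborted on overflow)")
    print(f"true requirement: {r['huge_exact']} (fits u64: {r['huge_exact'] <= U64_MAX})")
    print("plausibility check on buggy result:",
          economically_plausible(HUGE_LIQUIDITY, r['huge_buggy'], SQRT_LOWER, SQRT_UPPER))
```

With these constructed inputs the buggy guard lets the product wrap to a tiny numerator, the round-up division converts that into a charge of exactly one token for liquidity on the order of 10^38, the fixed guard aborts, and the exact recomputation shows the true requirement exceeds u64 entirely. The plausibility check is deliberately independent of the fixed-point fast path: a second opinion computed a different way is what catches an "awareness bug" that the primary code path, by construction, cannot see.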
This incident revealed shortcomings of the Cetus team in the following areas:
Weak supply chain security awareness: the team adopted a widely used open-source library, but did not understand its security boundaries well enough for the size of the assets it was managing.
Lack of financial risk management capability: accepting inputs that exceed any realistic demand by astronomical margins shows that the team lacked risk management staff with financial intuition.
Over-reliance on security audits: treating the audit firm as the owner of security while neglecting the project's own responsibility for it.
This case reveals a systemic security shortcoming that is common in the DeFi industry: technical teams often lack a basic awareness of financial risks. To improve this situation, DeFi projects should:
As the industry matures, purely technical bugs may become rarer, but "awareness bugs" in business logic will become the greater challenge. The success of future DeFi projects will depend on whether a team can combine strong technical capability with a deep understanding of its business logic and effective control of its risk boundaries.