Brothers, does Brother Bee have foresight?
I've mentioned more than once that Brother Bee has the ability to avoid pitfalls.
I often use gmgn to check information, but I've never authorized it.
As for the Twitter badge, more than one organization has contacted Brother Bee. On one hand, Brother Bee is an independent third-party analyst; on the other hand, it's not suitable to display one or the other, so it's better not to display any at all.
Why didn't I dare to authorize gmgn? Because gmgn has no code audit.
A code audit doesn't guarantee safety, but at least if a project is willing to spend money to find a legitimate organization for an audit, it indicates a plan for long-term operation. (Moreover, there are projects that have been audited and still rug pulled.)
Previously, this article compiled some recent DEX audit reports. Among them, it specifically mentioned that gmgn has no code audit.
Of course, gmgn has a bug bounty program and has paid a total of $3,000 so far.
Although this kind of collective discussion can uncover many risks, projects without a code audit do make people a bit uneasy.
Whether audited or not, the number of audits, and the auditing institutions can reveal not only the project's safety information but also its level. Excellent projects collaborate with well-known auditing institutions and may even seek code audits from more than one auditing firm.
It is said that the rewards for promoting gmgn to KOLs are quite substantial (I wonder if it exceeds the $3,000 bug bounty in total). So, why are they unwilling to pay for a professional team to conduct a code audit?
Therefore, Brother Bee uses gmgn but has never authorized it.
By the way, this article was published a bit hastily; I couldn't find the code auditing institution for UniversalX at the time, but later found it on GitHub, with the audit report conducted by SlowMist. Just adding that here.
The SUI ecosystem DEX #Cetus has been attacked. Is code security auditing really enough?
The reasons and impacts of the attack on Cetus are still unclear, but we can first look at the code security audit situation of Cetus.
As outsiders, we may not understand the specific technology, but we can comprehend this audit summary.
➤ Certik's Audit
Looking at it, Certik's code security audit of Cetus found only 2 minor risks, which have been resolved. There are also 9 informational risks, 6 of which have been resolved.
Certik gave an overall score of 83.06, with a code audit score of 96.
➤ Other Audit Reports of Cetus (SUI Chain)
Cetus has listed a total of 5 code audit reports on its GitHub, excluding Certik's audit. It seems the project team knows that Certik's audit is merely formal, so they did not include this report.
Cetus supports both Aptos and SUI chains, and these 5 audit reports come from MoveBit, OtterSec, and Zellic. MoveBit and OtterSec audited Cetus's code on the Aptos and SUI chains, respectively, while Zellic also audited the code on the SUI chain.
Since the attack occurred on Cetus on the SUI chain, we will only look at the audit reports for Cetus on the SUI chain.
❚ Audit Report from MoveBit
Report uploaded to GitHub on: 2023-04-28
Even if we cannot follow the specific audit content, we can look at a summary table like this one, which lists the number of risk issues at each severity level and their resolution status.
MoveBit's audit report for Cetus found a total of 18 risk issues, including 1 critical risk issue, 2 major risk issues, 3 moderate risk issues, and 12 minor risk issues, all of which have been resolved.
This is more than the issues found by Certik, and Cetus has resolved all these issues.
❚ Audit Report from OtterSec
Report uploaded to GitHub on: 2023-05-12
OtterSec's audit report for Cetus found 1 high-risk issue, 1 moderate risk issue, and 7 informational risks. Since the report's table does not directly show the resolution status of the risk issues, I won't include a screenshot.
Among them, the high-risk and moderate-risk issues have been resolved. Of the informational issues, 2 have been resolved, 2 have patches submitted, and 3 remain open. After some research, these 3 are:
• The inconsistency between Sui and Aptos version codes, which may affect the accuracy of liquidity pool price calculations.
• Lack of pause state verification, meaning that during a swap, there is no verification of whether the liquidity pool is in a paused state. If the pool is paused, trading may still be possible.
• Converting u256 type to u64 type, which can cause overflow if the value exceeds MAX_U64, potentially leading to calculation errors during large transactions.
It is currently uncertain whether the attack is related to these issues.
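The two open OtterSec findings above (no pause-state check in the swap path, and a u256 to u64 conversion that can misbehave past MAX_U64) modelled in Rust as an added example; this is not Cetus's Move code, and the `U256` stand-in, `Pool`, `swap` and the error names are assumed for illustration.

```rust
use std::convert::TryFrom;

/// Constructed stand-in for Move's u256: two 128-bit halves, enough for the
/// narrowing check (not a full arithmetic implementation).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct U256 { pub hi: u128, pub lo: u128 }

/// Checked narrowing: None when the value does not fit in a u64, instead of
/// truncating or aborting deep inside the swap math.
pub fn checked_to_u64(v: U256) -> Option<u64> {
    if v.hi != 0 { return None; }
    u64::try_from(v.lo).ok()
}

/// Unchecked narrowing as the finding describes: keeps only the low 64 bits,
/// so a large amount silently wraps to a small (or zero) value.
pub fn truncating_to_u64(v: U256) -> u64 { v.lo as u64 }

#[derive(Debug, PartialEq)]
pub enum SwapError { PoolPaused, AmountOverflow, InsufficientLiquidity }

pub struct Pool { pub paused: bool, pub reserve_out: u64 }

/// Swap entry that enforces the pause flag and the narrowing check before
/// touching reserves. `amount_out` is the (assumed) u256 result of the pool
/// math that must fit in a u64 token balance.
pub fn swap(pool: &mut Pool, amount_out: U256) -> Result<u64, SwapError> {
    if pool.paused { return Err(SwapError::PoolPaused); }
    let out = checked_to_u64(amount_out).ok_or(SwapError::AmountOverflow)?;
    if out > pool.reserve_out { return Err(SwapError::InsufficientLiquidity); }
    pool.reserve_out -= out;
    Ok(out)
}

fn main() {
    // Constructed input: exactly 2^64, one past MAX_U64.
    let big = U256 { hi: 0, lo: (u64::MAX as u128) + 1 };
    println!("truncating: {}  checked: {:?}", truncating_to_u64(big), checked_to_u64(big));
    let mut pool = Pool { paused: true, reserve_out: 1_000 };
    println!("paused swap: {:?}", swap(&mut pool, U256 { hi: 0, lo: 10 }));
}
```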
❚ Audit Report from Zellic
Report uploaded to GitHub on: April 2025
Zellic's audit report for Cetus found 3 informational risks, none of which have been fixed:
• A function authorization issue that allows anyone to call and deposit fees into any partner account. This seems to pose no risk, as it is depositing money, not withdrawing it. Therefore, Cetus has not fixed this for now.
• There is a function that has been deprecated but is still referenced, which is code redundancy. It seems to pose no risk, but the code is not very standardized.
• A UI presentation issue in NFT display data, which could have used a plain string type but Cetus used the more complex TypeName type from the Move language. This is not a significant issue and may be there to support future NFT functionality.
Overall, Zellic found 3 informational-level issues, which are basically low-risk and pertain to code standardization.
We should remember these three auditing firms: MoveBit, OtterSec, and Zellic. Most auditing firms in the market are skilled in EVM audits, while these three specialize in Move language code audits.
➤ Audit and Security Levels (Using New DEX as an Example)
First, projects that have not undergone code audits carry a certain Rug risk. After all, if they are unwilling to spend money on audits, it is hard to believe they have long-term operational intentions.
Second, Certik audits are essentially a form of "favor-based auditing." Why do I say it is "favor-based auditing"? Certik has a very close partnership with CoinMarketCap. On the project page of CoinMarketCap, there is an audit icon that leads to Certik's navigation platform, Skynet.
As CoinMarketCap is a platform under Binance, it indirectly establishes a partnership between Certik and Binance. In fact, Binance and Certik have always had a good relationship, so most projects wanting to list on Binance will seek Certik's audit.
Thus, if a project seeks Certik's audit, it is highly likely that they want to list on Binance.
However, history has shown that projects audited solely by Certik have a high probability of being attacked, such as DEXX. Some projects have even already rug pulled, like ZKasino.
Of course, Certik also provides other security assistance; not only do they conduct code audits, but they also scan websites, DNS, etc., providing some security information beyond code audits.
Third, many projects will seek one or more other quality auditing entities for code security audits.
Fourth, in addition to professional code audits, some projects will also conduct bug bounty programs and audit competitions to gather ideas and eliminate vulnerabilities.
Since the attacked product is a DEX, let's take some newer DEXs as examples:
---------------------------
✦✦✦ GMX V2, audited by 5 companies including abdk, certora, dedaub, guardian, and sherlock, and launched a single maximum bug bounty program of $5 million.
✦✦✦ DeGate, audited by 35 companies including Secbit, Least Authority, and Trail of Bits, and launched a single maximum bug bounty program of $1.11 million.
✦✦✦ DYDX V4, audited for code security by Informal Systems, and launched a single maximum bug bounty program of $5 million.
✦✦✦ hyperliquid, audited for code security by hyperliquid, and launched a single maximum bug bounty program of $1 million.
✦✦ UniversalX, audited by Certik and another expert auditing agency (the official audit report has been temporarily removed).
✦ GMGN is special; no code audit report was found, only a single maximum bug bounty program of $10,000.
➤ In Conclusion
After reviewing the code security audit situations of these DEXs, we can see that even a DEX like Cetus, which has been audited by three auditing agencies, can still be attacked. Multi-entity audits, combined with bug bounty programs or audit competitions, provide relatively assured security.
However, for some new DeFi protocols, there are still unresolved issues in the code audits, which is why Brother Bee is particularly concerned about the code audit situations of new DeFi protocols.

Just to reiterate, I am a tech blogger.
I hope that Wolf Cub's account can be appealed back, and that no one else gets banned. I hope everyone's accounts are safe. I'm just sharing my logic for avoiding pitfalls.