Brothers, Brother Bee has a reputation for foresight, right?
As I have said more than once before, Brother Bee has a knack for avoiding pitfalls.
I often use GMGN to read data, but I have never authorised it.
As for Twitter, more than one organisation has approached Brother Bee. On the one hand, Brother Bee is an independent third-party analyst; on the other hand, it would not be appropriate to put up one project's link and not another's, so he simply puts up none.
Why don't I dare to authorise GMGN? Because GMGN has no code audit.
A code audit does not mean a project is safe, but at the very least it shows the project is willing to spend money on a formal firm to audit it and has a long-term business plan. (That said, there are projects that were audited and still rugged.)
The previous article collected the audit reports of some newer DEXs, and noted specifically that GMGN has no code audit.
Of course, GMGN does run a bug bounty, and has paid out a total of $3,000 so far.
Brainstorming and broad community discussion of this kind can also surface a lot of risks. But a project without a code audit is still a little unsettling.
Whether a project is audited, how many audits it has, and which firms performed them reveal not only the project's security posture but also its calibre. The best projects use well-known auditors, and may even commission code audits from more than one.
It is said that the rewards GMGN pays KOLs for promotion are very generous (I don't know whether the total exceeds the $3,000 of this bug bounty). So why not pay a professional team for a code audit?
So Brother Bee uses GMGN, but never authorises it.
By the way, I was in a bit of a hurry when this article was published, and at the time I could not find the code audit firm for UniversalX; later I found it on GitHub: a code audit report by SlowMist.
SUI Ecosystem DEX #Cetus: Is a Code Security Audit Really Sufficient When It Gets Attacked?
The cause and impact of the attack on Cetus are not yet clear, but we can first take a look at the code security audits of Cetus.
For the uninitiated, the specific technical details are hard to follow, but the audit summaries can be understood.
➤ Certik's audit
Certik's code security audit of Cetus found only 2 minor issues, both resolved. There were also 9 informational findings, 6 of them resolved.
Certik gave an overall rating of 83.06 and a code audit score of 96.
➤ Other audit reports of Cetus (SUI chain)
A total of 5 code audit reports are listed on Cetus' GitHub, and Certik's is not among them. Presumably the project team also knew Certik's audit was a formality, so it did not include that report.
Cetus supports both the Aptos and SUI chains, and the 5 audit reports come from MoveBit, OtterSec and Zellic. MoveBit and OtterSec each audited Cetus' code on the Aptos and SUI chains, and Zellic presumably audited the SUI chain code as well.
Because it was Cetus on the SUI chain that was attacked this time, we will only look at the audit reports of Cetus on the SUI chain below.
❚ Audit report from MoveBit
The report was uploaded to Github on 2023-04-28
If we don't follow the specific content of the audit, we can find a table like this showing how many issues the report lists at each severity level and how many were resolved.
MoveBit's audit report on Cetus found a total of 18 issues: 1 critical, 2 major, 3 medium and 12 minor, all of which have been resolved.
That is more issues than Certik found, and Cetus resolved them all.
❚ Audit report from OtterSec
The report was uploaded to Github on 2023-05-12
OtterSec's audit report on Cetus found 1 high-risk issue, 1 medium-risk issue and 7 informational findings. No screenshot was taken, because the report's table does not directly show the resolution status of each issue.
Both the high-risk and the medium-risk issue have been resolved. Of the informational findings, 2 were resolved, 2 have fix patches submitted, and 3 remain open. After a rough read, these 3 are:
• The Sui and Aptos versions of the code are inconsistent, which may affect the accuracy of the liquidity pool's price calculation.
• Missing paused-state verification: the swap does not check whether the liquidity pool is paused, so a suspended pool may still be tradable.
• Conversion from U256 to U64: if the value exceeds MAX_U64 it overflows, which may lead to calculation errors on large trades.
It is uncertain whether the attack is related to the above issues.
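To make the second and third open findings above concrete, here is an added example in Rust. It is not Cetus code and does not reproduce Cetus' actual formulas: a toy concentrated-liquidity amount computation stands in for the real one, Rust `u128` plays the role of Move's `u256` wide intermediate, `u64` is the token amount type, and the Q32.32 fixed-point format, the `Pool` struct and all numbers are constructed for the example. One caveat on the analogy: Rust's `as` cast silently keeps the low 64 bits, whereas a Move `as` cast to a narrower integer aborts on an out-of-range value. In both cases the practitioner's point is the same: the wide result cannot be assumed to fit, so the narrowing must be explicit and handled, and the paused check has to run before any swap math or state change.

```rust
// Added example, not Cetus code: a toy pool showing the two open OtterSec
// findings (missing pause check, unchecked wide -> u64 narrowing) as failure
// modes next to their fixes. u128 stands in for Move's u256; the Q32.32 fixed
// point format, the struct and all values are constructed for this example.

#[derive(Debug, PartialEq, Eq)]
pub enum SwapError {
    /// The pool is suspended; no swap may proceed.
    Paused,
    /// The wide intermediate does not fit in the u64 amount type.
    AmountOverflow,
}

/// Fractional bits of the constructed Q32.32 sqrt-price format.
pub const Q32_SHIFT: u32 = 32;

pub struct Pool {
    /// Active liquidity (toy: u64; real CLMMs use wider types).
    pub liquidity: u64,
    /// Admin-controlled emergency stop.
    pub paused: bool,
}

/// Token amount for a move in sqrt price, computed in the wide type:
/// amount = liquidity * delta_sqrt_price / 2^32. A 64-bit liquidity times a
/// 64-bit delta always fits in u128, but the result may still exceed u64::MAX.
pub fn delta_amount_wide(liquidity: u64, delta_sqrt_price_q32: u64) -> u128 {
    ((liquidity as u128) * (delta_sqrt_price_q32 as u128)) >> Q32_SHIFT
}

/// The pattern the audit flagged: `as` keeps only the low 64 bits, so a
/// value above u64::MAX comes back as a much smaller, wrong amount.
pub fn narrow_unchecked(x: u128) -> u64 {
    x as u64
}

/// Checked narrowing: reject anything that does not fit in u64.
pub fn narrow_checked(x: u128) -> Result<u64, SwapError> {
    u64::try_from(x).map_err(|_| SwapError::AmountOverflow)
}

impl Pool {
    /// "Before" shape: no pause check, unchecked narrowing.
    pub fn amount_out_naive(&self, delta_sqrt_price_q32: u64) -> u64 {
        narrow_unchecked(delta_amount_wide(self.liquidity, delta_sqrt_price_q32))
    }

    /// Hardened shape: refuse to quote a paused pool, and fail loudly instead
    /// of returning a truncated amount.
    pub fn amount_out(&self, delta_sqrt_price_q32: u64) -> Result<u64, SwapError> {
        if self.paused {
            return Err(SwapError::Paused);
        }
        narrow_checked(delta_amount_wide(self.liquidity, delta_sqrt_price_q32))
    }
}

fn main() {
    // Small trade: both paths agree (3000).
    let pool = Pool { liquidity: 1_000, paused: false };
    let small = 3u64 << Q32_SHIFT; // sqrt-price delta of exactly 3.0
    println!("small  naive={} checked={:?}", pool.amount_out_naive(small), pool.amount_out(small));

    // Paused pool: the naive path still quotes, the hardened one refuses.
    let paused = Pool { liquidity: 1_000, paused: true };
    println!("paused naive={} checked={:?}", paused.amount_out_naive(small), paused.amount_out(small));

    // Large trade: the wide result is 2^68 + 2^40, above u64::MAX. The naive
    // path silently returns 2^40; the hardened one reports AmountOverflow.
    let big = Pool { liquidity: 1u64 << 40, paused: false };
    let huge = (1u64 << 60) + (1u64 << 32);
    println!(
        "large  wide={} naive={} checked={:?}",
        delta_amount_wide(big.liquidity, huge),
        big.amount_out_naive(huge),
        big.amount_out(huge)
    );
}
```

The large-trade case is the one an auditor worries about: the naive path does not abort or error, it hands back an amount that is off by a factor of 2^28, and any accounting built on it is silently wrong. The hardened path turns both findings into explicit errors that a caller can test for.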
❚ Audit report from Zellic
The report was uploaded to Github in April 2025
Zellic's audit report on Cetus identified three informational findings, none of which were fixed:
• A function authorisation issue that lets anyone call a function to deposit fees into any partner account. It doesn't look risky, since it deposits money rather than withdrawing it, so Cetus has not fixed it for the time being.
• A deprecated function is still referenced, leaving redundant code. It doesn't look risky either; the code is just not tidy enough.
• A UI rendering detail in the NFT display data could have used a plain string type, but Cetus used the more complex TypeName type from the Move language. This is not a problem, and Cetus may develop other NFT features in the future.
Overall, Zellic found 3 informational-level minor issues, which are basically risk-free and concern code conventions.
We have to remember these three auditors: MoveBit, OtterSec, Zellic. Because most of the auditors on the market are good at EVM audits, these three auditors belong to the Move language code auditors.
➤ Audit & Security Level (Take the new DEX as an example)
First of all, projects without a code audit carry a certain amount of rug risk. After all, a team that is not even willing to pay for an audit is hard to believe has any intention of operating for the long term.
Secondly, a Certik audit is in practice something of a "relationship audit". Why? Certik cooperates very closely with CoinMarketCap. A project page on CoinMarketCap carries an audit icon, and clicking it takes you to Certik's navigation platform, Skynet.
CoinMarketCap, as a platform owned by Binance, indirectly enabled Certik to establish a partnership with Binance. In fact, Binance and Certik have always been on good terms, so most projects that want to list on Binance seek a Certik audit.
Therefore, if a project seeks a Certik audit, it likely wants to list on Binance.
However, history has shown that the probability of an attack on a project audited only by Certik is not low, DEXX for example. Some have even rugged, such as ZKasino.
Of course, Certik also offers other security help beyond code auditing: it scans websites, DNS and so on, and provides some security information other than the code audit.
Third, many projects engage one or more other high-quality audit firms for code security audits.
Fourth, in addition to professional code audits, some projects also run bug bounty programs and audit competitions to crowdsource vulnerability discovery.
Because this is a DEX product, let's take some newer DEXs as examples:
---------------------------
✦✦✦GMX V2: code audits by 5 firms, ABDK, Certora, Dedaub, Guardian and Sherlock, and a bug bounty of up to $5 million for a single vulnerability.
✦✦✦DeGate: code audits by 3 firms, Secbit, Least Authority and Trail of Bits, and a bug bounty of up to $1.11 million for a single vulnerability.
✦✦✦DYDX V4: code security audit by Informal Systems, and a bug bounty of up to $5 million for a single vulnerability.
✦✦✦HyperLiquid: code security audit by HyperLiquid, and a bug bounty of up to $1 million for a single vulnerability.
✦✦UniversalX: audited by Certik and another professional auditor (the official audit report has been temporarily taken down).
✦GMGN is the special case: no code audit report can be found, only a bug bounty of up to $10,000 for a single vulnerability.
➤ Write at the end
Having reviewed the code security audits of these DEXs, we can see that even a DEX like Cetus, audited by 3 firms, can still be attacked. Audits by multiple firms, combined with bug bounty programs or audit competitions, provide a relatively high level of security.
However, for some new DeFi protocols there are still audit findings that have not been fixed, which is why Brother Bee pays special attention to the code audits of new DeFi protocols.

By the way, I'm a tech blogger.
I hope Wolf Boy's account can be successfully appealed, and that no one else gets banned; I hope everyone's accounts are fine. I'm just sharing my logic for avoiding pitfalls.