Cetus Hacker Incident Review: How DeFi Projects Can Avoid the Double Trap of Technical and Financial Risks
Cetus Protocol recently released a security review report on a hacker attack, sparking in-depth discussions in the industry about DeFi security issues. The report elaborates on the technical details and emergency response process, but is somewhat vague in explaining the root cause of the attack.
The report focuses on the faulty check in the checked_shlw function of the integer-mate library, characterizing it as a "semantic misunderstanding." While this statement may hold at a technical level, it seems to intentionally shift the responsibility onto external factors.
A closer analysis, however, shows that the attack could succeed only if four conditions were met simultaneously: an incorrect overflow check, a significant bit-shift operation, a round-up rule, and a lack of economic rationality verification. Surprisingly, Cetus was negligent on all four key points.
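The following Python model is an added example, not code from Cetus or integer-mate, showing how the four conditions combine and how a strict bound plus an economic limit closes the gap. The function names, the deposit formula, the loose threshold and the sample values are assumptions constructed for illustration.

```python
U256_MAX = (1 << 256) - 1

def shlw_loose(n):
    """Shift left by 64 in 256-bit arithmetic behind a guard set too high.
    The threshold is an assumed illustration of an incorrect overflow check."""
    threshold = 0xFFFFFFFFFFFFFFFF << 192
    if n > threshold:
        return 0, True
    return (n << 64) & U256_MAX, False  # bits above 2**256 are silently lost

def shlw_strict(n):
    """n << 64 fits in 256 bits only when n < 2**192."""
    if n >= 1 << 192:
        return 0, True
    return n << 64, False

def div_round_up(num, den):
    return (num + den - 1) // den

def required_deposit(liquidity, price_delta, denom, shlw):
    """Hypothetical pricing step: ceil(((liquidity * price_delta) << 64) / denom)."""
    shifted, overflow = shlw(liquidity * price_delta)
    if overflow:
        raise OverflowError("shift by 64 would exceed 256 bits")
    return div_round_up(shifted, denom)

def checked_deposit(liquidity, price_delta, denom, max_liquidity):
    """Hardened path: economic bound first, then the strict overflow check."""
    if liquidity > max_liquidity:
        raise ValueError("liquidity outside economically plausible range")
    return required_deposit(liquidity, price_delta, denom, shlw_strict)

# Constructed input: just above 2**192, so it passes the loose guard only.
SAMPLE = (1 << 192) + 1
DENOM = 3 << 64

if __name__ == "__main__":
    print("loose guard :", required_deposit(SAMPLE, 1, DENOM, shlw_loose))
    try:
        required_deposit(SAMPLE, 1, DENOM, shlw_strict)
    except OverflowError as e:
        print("strict guard:", e)
    try:
        checked_deposit(SAMPLE, 1, DENOM, max_liquidity=1 << 128)
    except ValueError as e:
        print("bounded     :", e)
```

With the loose guard the truncated shift and the round-up together yield a deposit of 1 for an astronomically large liquidity figure; either the strict check or the economic bound alone rejects the same input.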
This incident exposed the deficiencies of the Cetus team in the following areas:
Weak awareness of supply chain security: Although the team used open-source, widely adopted libraries, it failed to fully understand their security boundaries and potential risks.
Lack of awareness of financial risk management: Unreasonable, astronomical figures were accepted as input, with no appropriate boundary limits set.
Over-reliance on security audits: Security responsibility was outsourced entirely to audit firms, and the team neglected its own risk management responsibilities.
This event reflects the systemic security shortcomings commonly found in the DeFi industry: technical teams often lack the necessary awareness of financial risks. To address this challenge, DeFi projects should:
As the industry develops, purely technical bugs may gradually decrease, but "awareness bugs" in business logic will become a greater challenge. Audit firms can only ensure that the code is correct, while ensuring that "logic has boundaries" requires the project team to have a deeper understanding of, and control over, the essence of the business.
In the future, the leaders of the DeFi industry will be teams that not only have strong technical capabilities but also a deep understanding of business logic. They need to find a balance between technical expertise and financial insight to maintain a competitive edge in this rapidly evolving field.