Multiple Sui Projects Previously Exposed to Critical Math Bug Found in Cetus Hack
Cetus attack reveals broader risk — Kriya, FlowX, and Turbo Finance were vulnerable too.
Summary
Following our recent publication analyzing the $260M Cetus Protocol exploit, we extended our investigation using Revela Move Decompiler and internal tooling to scan the entire Sui blockchain for similar vulnerabilities.
Our scan revealed that Kriya, Flow X, and Turbo Finance were previously exposed to the same mathematical flaw responsible for the Cetus exploit. At the time of this post, all three projects had already addressed the issue and upgraded their contracts.
This post shares our findings to raise awareness and support efforts to strengthen the overall security of the Sui ecosystem.
Background: The Cetus Exploit
On May 22, 2025, Cetus Protocol was exploited due to a faulty overflow check in a math function—specifically checked_shlw(u256)—which was used to shift a 256-bit value left by 64 bits.
The attacker leveraged this flaw to manipulate liquidity calculations and drain over $260M. This incident affected token prices and highlighted a critical gap in source-level static analysis for Sui Move smart contracts.
For a detailed breakdown of the exploit, we highly recommend reading our analysis here:
👉 Cetus Protocol $260M Exploit: Root Cause Analysis and Technical Breakdown
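To make the bug class concrete, here is an added illustration (our own model for this post, not code from Cetus, Kriya, FlowX or Turbo Finance) of a checked left-shift by 64 on a u256 value, written in Python with 256-bit integers modelled on plain ints. The faulty mask constant is an assumption chosen to show a too-permissive overflow check: it accepts values that still lose their high bits when shifted. The fixed version rejects exactly the values whose shift would not fit.

```python
# Added illustration of the checked_shlw(u256) class of bug.
# u256 arithmetic is modelled on Python ints truncated to 256 bits.
U256_MAX = (1 << 256) - 1
SHIFT = 64


def shlw_wrapping(n: int) -> int:
    """Shift left by 64 with u256 wrap-around (what an unchecked shift yields)."""
    assert 0 <= n <= U256_MAX
    return (n << SHIFT) & U256_MAX


def checked_shlw_faulty(n: int) -> tuple[int, bool]:
    """Assumed shape of a flawed overflow check: the mask is too permissive.

    0xffffffffffffffff << 192 equals 2**256 - 2**192, so every n in
    [2**192, 2**256 - 2**192] passes the check and is shifted anyway,
    silently discarding its top 64 bits.
    """
    mask = 0xFFFFFFFFFFFFFFFF << 192  # assumed buggy constant
    if n > mask:
        return 0, True
    return shlw_wrapping(n), False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct check: n << 64 fits in 256 bits iff n < 2**(256 - 64)."""
    if n >= (1 << (256 - SHIFT)):
        return 0, True
    return n << SHIFT, False


def is_overflow_missed(n: int) -> bool:
    """True when the faulty check accepts n but the shifted result lost bits."""
    value, overflow = checked_shlw_faulty(n)
    return (not overflow) and (value >> SHIFT) != n


def find_missed_overflow_boundaries() -> list[int]:
    """Boundary inputs (constructed) where the two checks disagree."""
    candidates = ((1 << 192) - 1, 1 << 192, (1 << 192) + 1, (1 << 256) - (1 << 192))
    return [n for n in candidates if is_overflow_missed(n)]
```

The boundary 2**192 is the first value the fixed check rejects; the faulty check lets it through and the shift wraps to 0, which is the kind of silent truncation an auditor should look for in any hand-written overflow guard.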
Vulnerabilities Scan Results
As part of our investigation into the vulnerability exploited in the recent Cetus incident, we’ve extended our analysis across the Sui ecosystem. Using our internal analysis tool, we scanned contracts across Sui and identified several other projects that were also affected by the same underlying mathematical flaw in the shared library.
Kriya
URL: app.kriya.finance
Contract: 0xf6c05e..
TVL: ~$10M USD
Status: The project has already addressed the issue and upgraded its contracts.
Flow X
URL: flowx.finance
Contract: 0x25929e..
TVL: ~$4.6M USD
Status: The project has already addressed the issue and upgraded its contracts.
Turbo Finance
URL: app.turbos.finance
Contract: 0x91bfbc..
TVL: ~$10.3M USD
Status: The vulnerable function remains in the codebase but is not currently used.
Cetus
URL: app.cetus.zone
Contracts:
TVL: ~$15.1M USD (post-exploit)
Status: Fixed by deploying a new vulnerability patch (commit link).
⚠️ Note: The projects above have since upgraded to fix the issue. This post is intended as a transparency measure and a public awareness effort.
⚠️ Turbo Finance is a special case. While the vulnerable function was not actively used, it was present in the deployed contract, posing a latent risk. Any future code changes or integrations could have unknowingly activated this function. This incident is a reminder that dead code is not safe code.
Lessons and Recommendations
If you’re building on the Sui blockchain or reusing similar math libraries, we strongly urge you to:
Review any use of low-level shift/overflow operations, especially those using checked_shlw or related functions.
Security should always come first—thoroughly audit all code changes, maintain a well-defined and transparent security process, open-source your code, launch a bug bounty program, and engage trusted audit firms. These steps not only strengthen your protocol but also invite white-hat hackers to contribute to its protection.
Implement clear upgrade paths for emergency patches.
Integrate on-chain monitoring systems that track unusual liquidity movements, high-frequency function calls, and sudden drops in token value. When high volatility or abnormal behavior is detected, the tooling should:
Automatically pause affected contracts
Notify security teams immediately
Restrict contract calls or asset withdrawals until confirmed safe
Acknowledgment
We applaud the Sui team for their swift action in leveraging the Revela tool to identify and alert affected projects. Their decisive response not only mitigated immediate risks but also set a strong example of responsible security coordination for the broader ecosystem.
Stay Vigilant
At Verichains, we remain committed to safeguarding Web3 ecosystems through research, tooling, and proactive threat detection.
The successful use of Revela to analyze the exploit and scan for similar vulnerabilities across the Sui ecosystem demonstrates the power of advanced decompilation tools in post-incident analysis and vulnerability detection. By enabling rapid identification of issues, even in contracts without accessible source code, tools like Revela play a critical role in strengthening the security of blockchain ecosystems.
If you’re building on Sui or want to learn more about our Revela-next AI-powered Move Decompiler, internal scanning tools, or detection models, feel free to reach out.
Stay secure,
-Verichains Team