Cetus Attacked: Multiple Code Audits Fail to Ensure Project Security
Cetus Attack Triggers Reflection on Code Security Audit
Recently, the decentralized exchange Cetus in the Sui ecosystem was attacked, sparking heated discussion within the industry about the effectiveness of code security audits. The cause and impact of the attack are still unclear, but we can first review Cetus's code security audit record.
A well-known security audit agency's audit results for Cetus show that only 2 minor risks were found and resolved, and out of 9 informational risks, 6 have been resolved. The agency gave a comprehensive score of 83.06, with a code audit score as high as 96.
However, the five code audit reports released by Cetus's official sources do not include the audit results from the aforementioned agency. These five reports come from three professional institutions: MoveBit, OtterSec, and Zellic, covering Cetus's code on the Aptos and Sui chains. Given that this attack occurred on the Sui chain, we focus on the audit reports related to the Sui chain.
MoveBit's audit report was uploaded to GitHub on April 28, 2023. The report identified a total of 18 risk issues, including 1 critical risk, 2 major risks, 3 moderate risks, and 12 minor risks. It is worth noting that all these issues have been resolved.
OtterSec's audit report was uploaded on May 12, 2023. The report identified 1 high-risk issue, 1 moderate-risk issue, and 7 informational risks. The high-risk and moderate-risk issues have been resolved, 2 of the informational risks have been resolved, 2 have patches submitted for fixing, and the remaining 3 involve consistency between the Sui and Aptos versions of the code, pause state validation, and data type conversion.
Zellic's audit report was uploaded in April 2023. The report identified three informational risks, which have not yet been addressed. These risks mainly involve function authorization, code redundancy, and the selection of data types for NFT display, with an overall low risk level.
It is worth mentioning that MoveBit, OtterSec, and Zellic are all institutions specializing in auditing Move language code, which is particularly important in the current market dominated by EVM audits.
Looking at the security measures recently adopted by some emerging DEX projects, we can observe some trends:
GMX V2 has undergone code audits by 5 companies and launched a vulnerability bounty program of up to $5 million.
DeGate has hired 35 companies for auditing, with a maximum bug bounty of up to $1.11 million.
DYDX V4 was audited by Informal Systems and also established a $5 million bug bounty program.
Hyperliquid offers a $1 million bug bounty based on self-audit.
UniversalX has chosen two well-known institutions for auditing.
Although GMGN has not published an audit report, it has established a bug bounty program with a maximum reward of $10,000 per issue.
In summary, even projects like Cetus that have undergone audits by multiple institutions may still be vulnerable to attacks. Multiple audits combined with vulnerability bounty programs or audit competitions can enhance project security to some extent. However, for emerging DeFi protocols, unresolved audit issues still deserve attention. This also explains why industry experts pay particular attention to the code audit status of new protocols.