The flaw originated from a misunderstanding of the semantics of left-shift in the integer-mate open source library, which the CLMM contract is dependent on. In its checked_shlw method, the actual check should verify whether the input value is ≤ 2^192, while the function in the exploited version checks if it is ≤ 2^256, which caused error in overflow checks.

Quote

Sources

Cetus Incident Report: May 22, 2025 Attack Disclosure