Sui‑based yield trading platform Nemo Protocol has announced a compensation initiative for victims of its recent $2.6 million exploit, introducing a debt token program intended to eventually make all users whole.
In a Sept. 8 blog update, Nemo outlined its $NEOM token plan, tied to affected users’ USD‑denominated losses based on an on‑chain snapshot.
Exploit stemmed from code vulnerabilities
The incident, which occurred September 7, was first flagged by security firm PeckShield, which detected unauthorized outflows from Nemo’s SY/PT liquidity pools.
In its official post‑mortem published Friday, Nemo confirmed that the breach exploited two unvetted pieces of code introduced by a developer:
- an internal flash loan function mistakenly left public, and
- a query function vulnerability that allowed unauthorized state changes.
The team admitted that a governance weakness, namely reliance on a single‑signature address for upgrades, permitted the flawed code to be pushed live without audit. MoveBit’s earlier audits (Jan. 2023) did not cover these late additions; separate warnings from Asymptotic (Aug. 2024) were also not acted upon in time.
As many of you know, Nemo Protocol suffered a security incident on Sept 8. Today we are releasing our full incident report to provide transparency into our response, including the root cause, learnings, and next steps. We sincerely apologize for the impact on @Movebit and for the… pic.twitter.com/ROml1aUNUv
— Nemo (@nemoprotocol) September 11, 2025
“The vulnerabilities were introduced into the contract after the audit and deployed without proper process. We accept responsibility for failing to stop this change,” Nemo’s team wrote.
NEOM token compensation structure
The platform’s recovery plan will issue 1 NEOM token per $1 of confirmed user loss. Distribution and usage will follow a three‑step structure:
- Migration: Users move residual assets into secured, multi‑audited contracts.
- Issuance: Users claim NEOM tokens based on their snapshot losses.
- Liquidity: NEOM will trade in a USDC/NEOM pool on a major Sui DEX, enabling exits or a wait‑and‑redeem approach.

Nemo stated that any recovered exploit funds will be placed in a multi‑party redemption pool for proportional NEOM holder claims. Additional external loans or investor capital will also top up this pool.
To ensure transparency, the team said it will launch a dedicated website to track NEOM burn and redemption progress in real time.
Security context and team admission
The team acknowledged shortcomings in its governance and deployment pipeline.
“Despite multiple audits, our reliance on unilateral code pushes and insufficient oversight allowed unsafe changes to go live. We are restructuring to enforce multi‑party governance and independent reviews before any deployment,” Nemo executives wrote.
PeckShield added in a Sept. 7 alert that “funds were bridged from Sui to Ethereum using Wormhole CCTP, with the main portion still visible in a monitored wallet.”
Path forward
While Nemo insists affected users will eventually be compensated, timelines depend on asset recovery, external capital injection, and market confidence in NEOM’s price.
Some DeFi observers noted the approach is similar to “debt token” compensation models adopted after earlier exploits in Terra or Cream Finance, where user patience and third‑party recovery efforts determine the ultimate outcome.
The team’s immediate changes include:
- Moving contracts to multi‑signature governance.
- Engaging white‑hat recovery negotiations and bounties.
- Commissioning new external audits before relaunch.
Industry view
Commenting on the case, a MoveBit audit analyst said:
“Audits are only as reliable as the governance process that follows. Nemo’s vulnerability was introduced after the original report — this underlines why continuous auditing and strict upgrade controls are critical.”
Security researchers warn that if NEOM trades significantly below $1, confidence in debt token recoveries could falter. Conversely, successful fund recovery could drive gradual redemption at parity.
Outlook
With network activity on Sui under a spotlight, Nemo’s ability to rebuild user trust will be a test case for DeFi projects launching on emerging chains. Investors now face a decision: exit NEOM early via liquidity pools or hold long‑term in hopes of full redemption.

Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that despite the nature of much of the material created and hosted on this website, HODL FM is not a financial reference resource, and the opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice, HODL FM strongly recommends contacting a qualified industry professional.