Nemo Protocol, a DeFi platform built on the Sui blockchain, has released a post‑mortem report attributing its $2.6 million exploit on Sept. 7 to unaudited code changes made by a developer and insufficient internal governance checks.

Vulnerabilities in the contract design

According to the report, the attack stemmed from two key issues:

  • An internal flash_loan function that was mistakenly exposed to the public.
  • A query function, get_sy_amount_in_for_exact_py_out, which contained flawed logic that allowed unauthorized state changes.

These features were not part of the contract version audited by security firm MoveBit late last year. Instead, they were introduced by a Nemo developer in early January 2025 and deployed without being audited.

The situation was worsened by the protocol’s reliance on a single‑signer address for upgrades, which allowed the vulnerable contract to be deployed without further oversight.
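The two defects above are visibility and mutability mistakes at the language level, so they are easiest to see in a toy Sui Move module. The block below is an added illustration and is not Nemo Protocol's code; the module name, struct layout, error codes and the proportional pricing rule are all constructed for the example, and it assumes the Move 2024 edition (which provides `public(package)` and implicit `UID`/`TxContext` aliases). Each vulnerable pattern the report names is shown as a comment next to its hardened form.

```move
// Added example (not Nemo Protocol's code): a toy Sui Move pool showing the
// two patterns named in the post-mortem beside their hardened forms.
module example::pool {
    use sui::balance::{Self, Balance};
    use sui::coin::{Self, Coin};

    const EInsufficientRepayment: u64 = 0;
    const EEmptyPool: u64 = 1;

    /// Pool state (constructed layout, not Nemo's real one).
    public struct Pool<phantom SY> has key {
        id: UID,
        sy_reserve: Balance<SY>,
        py_supply: u64, // virtual PY supply used by the toy pricing rule
    }

    /// Hot-potato receipt: it has no abilities, so the borrower must hand it
    /// back to repay_flash_loan() before the transaction can end.
    public struct FlashReceipt { amount: u64 }

    // Vulnerable pattern: declaring this `public fun` lets any transaction or
    // third-party package borrow from the reserve.
    // Hardened form: `public(package)` limits callers to modules of this
    // package, which is what "internal" should mean.
    public(package) fun flash_loan<SY>(
        pool: &mut Pool<SY>,
        amount: u64,
        ctx: &mut TxContext,
    ): (Coin<SY>, FlashReceipt) {
        let taken = balance::split(&mut pool.sy_reserve, amount);
        (coin::from_balance(taken, ctx), FlashReceipt { amount })
    }

    public(package) fun repay_flash_loan<SY>(
        pool: &mut Pool<SY>,
        payment: Coin<SY>,
        receipt: FlashReceipt,
    ) {
        let FlashReceipt { amount } = receipt; // consumes the hot potato
        assert!(coin::value(&payment) >= amount, EInsufficientRepayment);
        balance::join(&mut pool.sy_reserve, coin::into_balance(payment));
    }

    // Vulnerable pattern: a quote function that takes `pool: &mut Pool<SY>`
    // is free to write reserves as a side effect of "just looking".
    // Hardened form: an immutable `&Pool<SY>` makes the compiler reject any
    // mutation, so the query cannot change state no matter who calls it.
    public fun get_sy_amount_in_for_exact_py_out<SY>(
        pool: &Pool<SY>,
        py_out: u64,
    ): u64 {
        assert!(pool.py_supply > 0, EEmptyPool);
        let sy = (balance::value(&pool.sy_reserve) as u128);
        (((py_out as u128) * sy / (pool.py_supply as u128)) as u64)
    }
}
```

The review check this suggests is mechanical: every `public fun` that touches `&mut Pool` needs a justification, and every function whose name reads as a query must take `&Pool`, not `&mut Pool`. The upgrade-path weakness the report also mentions is not something a module can fix; on Sui the package's `UpgradeCap` object decides who may publish a new version, so the hardening there is holding that object under a multisig rather than a single key.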

Attack process

The attacker combined the under‑secured flash loan capability with the faulty query function to manipulate prices and drain assets from Nemo’s SY/PT liquidity pool.

Analysis shows the exploit unfolded in phases:

  1. The attacker manipulated the internal state using flash loans and repeated swap functions.
  2. They minted excessive SY tokens, then repaid the loan, leaving the pool imbalanced.
  3. Arbitrageurs subsequently extracted further assets through the mispriced reward system.

Roughly $2.59 million was stolen, with funds bridged via Wormhole CCTP from Sui to Ethereum. The bulk of the stolen tokens are now consolidated in a single Ethereum address.

Missed warnings

Nemo’s report confirmed that in August 2025, security firm Asymptotic had already warned the team about a related vulnerability involving improper exchange‑rate updates. However, the issue was not prioritized for remediation, as developers focused resources on other contracts.

The team admitted that an over‑reliance on previous assurances and audits led to misjudgments.

“Despite multiple audits and safeguards, we relied too heavily on past assurances rather than maintaining uncompromising scrutiny at every step,” the post‑mortem stated.

Emergency response measures

After detecting abnormal pool returns on Sept. 7, Nemo:

  • Paused protocol functions via its multisig wallet to halt the attack.
  • Patched vulnerabilities by removing the public flash loan call and correcting state‑changing query logic.
  • Submitted the corrected code for emergency audits with Asymptotic and other firms.
  • Began fund tracing with the Sui Foundation security team and outside investigators, sharing addresses for monitoring and CEX blacklisting.

Current status and next steps

The team confirmed several initiatives now underway:

  • Liquidity pool rebalancing – conducting loss‑modeling to restore SY/PT pool ratios.
  • Data restoration – repairing corrupted backend states caused by manipulated indexers.
  • Compensation plan – drafting a structured repayment and tokenomics‑level debt model to reimburse affected users.
  • Governance reforms – stricter upgrade procedures, multi‑sig enforcement, and a broader bug bounty program.

Lessons learned

Nemo acknowledged serious governance failures that allowed the exploit to occur despite having undergone prior audits:

  • Overlooking unaudited new code additions.
  • Failing to act on security warnings from Asymptotic.
  • Deploying contracts through processes that lacked multi‑party confirmation.

The protocol has pledged to enforce tighter security monitoring and maintain transparency during recovery.

About Nemo Protocol

Nemo Protocol is a yield‑infrastructure and native yield‑trading platform built on Sui, focused on tokenizing yield positions so users can trade, hedge, or leverage yield more flexibly.
