- A developer deployed unaudited code with critical flaws to mainnet.
- Attackers exploited the code to steal $2.6M via flash loans and price manipulation.
- Nemo plans compensation, stricter audits, and multi-sig protections to restore trust.
DeFi platform Nemo Protocol, built on the Sui blockchain, has disclosed that the $2.6 million exploit it suffered on September 7 stemmed from unaudited code being deployed to mainnet. According to a report released late Wednesday, a developer added new features after the project’s initial audit, and these additions were never reviewed by any security firm before going live.
“The governance root cause was the protocol’s reliance on a single-signature address for upgrades, which failed to prevent the deployment of code that had not undergone rigorous scrutiny,” the Nemo team stated.
How the Vulnerability Was Introduced
The investigation traced the flaw back to January 2025, when security firm MoveBit completed its first audit. Soon after, a Nemo developer added two critical changes: a public flash loan function and a query function that enabled unauthorized state changes. Instead of deploying the audited version, the modified code was pushed to mainnet through a single-signature wallet.
While Nemo switched to multi-signature upgrade controls in April, the vulnerable contract was already live. In August, security firm Asymptotic warned of a related state-modification risk, but the fix was deprioritized as the team focused on its Vault product.
Exploit Details and Fund Tracing
On September 7, attackers combined the exposed flash loan and faulty query to manipulate pricing, mint excess SY tokens, and drain the SY/PT pool. Most of the stolen funds were bridged from Sui to Ethereum via Wormhole’s CCTP, with about $2.4 million still sitting in a single Ethereum wallet.
Nemo immediately paused main functions after detecting abnormal yields. The team has since removed the flash loan function, locked down all query methods to read-only, and launched an emergency audit with Asymptotic.
Path Toward Recovery
Nemo is coordinating with security firms, exchanges, and law enforcement to trace the funds and has announced a user compensation plan, potentially involving debt restructuring. The team acknowledged missteps in governance and pledged to adopt stricter procedures, including multi-sig protections, frequent audits, and a wider bug bounty program.
Calling the exploit “a painful but important lesson,” Nemo emphasized that restoring user trust will hinge on transparency and reinforced security as it works to relaunch operations.
Disclaimer: The information in this article is for general purposes only and does not constitute financial advice. The author’s views are personal and may not reflect the views of Chain Affairs. Before making any investment decisions, you should always conduct your own research. Chain Affairs is not responsible for any financial losses.
I’m a crypto enthusiast with a background in finance. I’m fascinated by the potential of crypto to disrupt traditional financial systems. I’m always on the lookout for new and innovative projects in the space. I believe that crypto has the potential to create a more equitable and inclusive financial system.
