TL;DR
- Nemo Protocol confirmed that the recent $2.6 million exploit originated from unaudited code deployed by a developer earlier this year.
- The vulnerabilities included an exposed flash loan function and a query flaw that enabled state manipulation.
- The team has paused operations, issued emergency patches, and is working with Sui-based security experts to track stolen funds and design a fair compensation plan for users impacted by the breach.
Nemo Protocol, a DeFi yield platform built on Sui, has acknowledged that its recent $2.6 million exploit was the result of unaudited code introduced into its system. The incident, which occurred on September 7, exploited two critical vulnerabilities: an exposed flash loan feature and a faulty query function that allowed unauthorized state modifications. The platform’s development team emphasized that the code was intended to improve efficiency but was mistakenly deployed without thorough review, highlighting the delicate balance between innovation speed and security diligence.
Internal Decisions Sparked System Weakness
According to the project’s post-mortem, the flaws were added months after an initial audit by MoveBit. A developer integrated new features into the codebase without subjecting them to additional security checks, and these were later deployed on mainnet. The team also admitted to governance issues, pointing to the use of a single-signature upgrade system that allowed unsafe code to bypass rigorous review. These oversights demonstrate how even sophisticated DeFi protocols can be vulnerable when internal processes are not strictly enforced.
Warnings from another security firm in August regarding a related weakness were not fully addressed, further setting the stage for the breach. The attacker combined the flash loan loophole with the faulty query to drain liquidity pools, eventually transferring the funds to Ethereum through Wormhole CCTP. The team believes that public disclosure and transparent reporting will strengthen trust in the protocol while preventing similar incidents in the future.
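The post-mortem names two flaw classes, a flash loan entry point that was reachable when it should not have been and a query that could write state, without publishing the affected code. The toy model below is an added illustration and not Nemo Protocol's code; it is written in Python as a stand-in for a Move module, and every name, number and the caller-allowlist mechanism are assumptions. `UnsafePool` shows the two defects side by side: `flash_loan` returns without confirming the pool was made whole, and `query_quote` reaches the same mutating swap routine as a real trade. `SafePool` enforces a repayment invariant (reverting on failure), restricts who may call the flash loan, and quotes against a copy of the state.

```python
"""Hypothetical toy model of two DeFi pool defects and their hardened forms.
Added example; not Nemo Protocol code. All values are constructed."""
import copy
from typing import Callable


class InvariantViolation(Exception):
    """Raised when a call would leave the pool poorer than it started."""


class UnsafePool:
    """Models the two flaws: unchecked flash loan, state-writing query."""

    def __init__(self, reserve: int, fee_bps: int = 30):
        self.reserve = reserve      # tokens held by the pool (constructed)
        self.fee_bps = fee_bps      # flash loan fee in basis points (assumed)

    def _apply_swap(self, amount_in: int) -> int:
        # Toy constant-product style pricing; pays out from the reserve.
        out = amount_in * self.reserve // (self.reserve + amount_in)
        self.reserve -= out
        return out

    def query_quote(self, amount_in: int) -> int:
        # DEFECT: a "read-only" quote runs the mutating swap path, so
        # repeated queries drift the reserve without any trade settling.
        return self._apply_swap(amount_in)

    def flash_loan(self, amount: int, borrower: Callable[[int], int]) -> None:
        # DEFECT: funds leave, whatever the borrower returns is credited,
        # and nothing checks that principal plus fee actually came back.
        self.reserve -= amount
        self.reserve += borrower(amount)


class SafePool(UnsafePool):
    """Hardened form: repayment invariant, caller allowlist, pure query."""

    def __init__(self, reserve: int, fee_bps: int = 30,
                 allowed_callers: frozenset = frozenset({"router"})):
        super().__init__(reserve, fee_bps)
        self.allowed_callers = allowed_callers  # assumed access-control model

    def query_quote(self, amount_in: int) -> int:
        # Quote against a throwaway copy; self.reserve is never touched.
        return copy.copy(self)._apply_swap(amount_in)

    def flash_loan(self, amount: int, borrower: Callable[[int], int],
                   caller: str = "") -> int:
        if caller not in self.allowed_callers:
            raise PermissionError("flash_loan is not an open entry point")
        if amount <= 0 or amount > self.reserve:
            raise ValueError("invalid loan amount")
        before = self.reserve
        fee = amount * self.fee_bps // 10_000
        self.reserve -= amount
        self.reserve += borrower(amount)
        if self.reserve < before + fee:
            # Invariant failed: restore state (a Move abort would do this
            # for the whole transaction) and refuse the call.
            self.reserve = before
            raise InvariantViolation("loan not repaid with fee")
        return fee


if __name__ == "__main__":
    unsafe = UnsafePool(reserve=1_000)
    unsafe.query_quote(100)
    print("unsafe reserve after a mere quote:", unsafe.reserve)   # 910
    safe = SafePool(reserve=1_000)
    safe.query_quote(100)
    print("safe reserve after a quote:", safe.reserve)            # 1000
    try:
        safe.flash_loan(500, lambda a: a, caller="router")        # no fee repaid
    except InvariantViolation as e:
        print("reverted:", e)
```

The invariant check is the part worth carrying over to a real contract: compare the post-call balance against the pre-call balance plus fee inside the same transaction, and abort rather than trusting whatever the borrower's callback reports.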
Recovery Efforts And DeFi Resilience
In response, Nemo Protocol paused its main operations, corrected the vulnerabilities, and submitted the patched code for an emergency audit. Most of the stolen assets remain consolidated in a single Ethereum address, and tracking efforts are underway with the help of specialized security teams. A user compensation framework is also being designed, aimed at restoring confidence among its community of yield traders. Nemo also plans to implement enhanced multi-signature controls and more frequent code audits to mitigate human error risks.
Despite the exploit, Nemo emphasized that its mission to advance yield tokenization on Sui remains unchanged. The platform enables users to trade, hedge, and leverage yields more efficiently, and the team sees this event as an opportunity to implement stronger governance practices. The broader DeFi ecosystem, while still vulnerable to human error, continues to evolve with each incident, reinforcing long-term innovation and resilience across protocols.