Briefing

A recent security incident has impacted the Nemo Protocol, a yield trading platform on the Sui blockchain, resulting in a loss of approximately $2.59 million in USDC. The exploit leveraged a critical vulnerability within unaudited code deployed under single-signature control, allowing an attacker to manipulate the protocol’s state. This incident necessitated the immediate suspension of all smart contract activity to prevent further financial damage and has prompted the team to develop a patch and design a compensation plan for affected users.

Context

Prior to this incident, the prevailing risk factors in the DeFi ecosystem included the deployment of unaudited smart contracts and the use of centralized administrative controls, such as single-signature deployment processes. The Nemo Protocol itself had a known vulnerability, identified in a preliminary report by auditor Asymptotic, which was not adequately addressed by the development team. This oversight created a significant attack surface, enabling the exploit to proceed unchecked.

Analysis

The incident’s technical mechanics involved the compromise of Nemo Protocol’s market pool on the Sui blockchain. An unaudited function, get_sy_amount_in_for_exact_py_out, was deployed without multisignature controls: the deployment required only a single developer’s signature. This flaw allowed the attacker to invoke arbitrary calls, manipulate the protocol’s state, and execute suspicious withdrawals, likely through price manipulation on its lending protocol. The attacker drained approximately $2.59 million in USDC, then bridged the funds from Arbitrum to Ethereum and converted them into DAI and ETH to complicate tracing and asset-freezing efforts.

Parameters

  • Protocol Targeted ∞ Nemo Protocol
  • Attack Vector ∞ Unaudited Code, Single-Signature Deployment, State Manipulation
  • Financial Impact ∞ $2.59 Million
  • Affected Blockchain ∞ Sui
  • Asset Drained ∞ USDC
  • Date of Exploit ∞ September 7, 2025

Outlook

Immediate mitigation for users is to refrain from interacting with the Nemo Protocol until full functionality and security are confirmed through official channels. The incident underscores the need for rigorous, independent smart contract audits and for robust multi-signature governance over all sensitive protocol actions, particularly code deployments. Going forward, the industry must adopt higher standards for code review and deployment procedures so that similar vulnerabilities are not introduced, strengthening the overall security posture of DeFi protocols and reducing contagion risk across interconnected ecosystems.

The Nemo Protocol exploit serves as a stark reminder that even identified vulnerabilities, if left unaddressed and coupled with lax deployment controls, represent an unacceptable risk to user capital and protocol integrity.

Signal Acquired from ∞ Cointelegraph