Briefing

A recent security incident has impacted the Nemo Protocol, a yield trading platform on the Sui blockchain, resulting in a loss of approximately $2.59 million in USDC. The exploit leveraged a critical vulnerability within unaudited code deployed under single-signature control, allowing an attacker to manipulate the protocol’s state. This incident necessitated the immediate suspension of all smart contract activity to prevent further financial damage and has prompted the team to develop a patch and design a compensation plan for affected users.

Context

Prior to this incident, the prevailing risk factors in the DeFi ecosystem included the deployment of unaudited smart contracts and the use of centralized administrative controls, such as single-signature deployment processes. The Nemo Protocol itself had a known vulnerability, identified in a preliminary report by auditor Asymptotic, which was not adequately addressed by the development team. This oversight created a significant attack surface, enabling the exploit to proceed unchecked.

Analysis

The incident’s technical mechanics involved the compromise of Nemo Protocol’s market pool on the Sui blockchain. An unaudited function, specifically get_sy_amount_in_for_exact_py_out, was deployed without proper multisignature controls, requiring only a single developer’s signature. This flaw allowed the attacker to invoke arbitrary calls, manipulate the protocol’s state, and execute suspicious withdrawals, likely through price manipulation on its lending protocol. The attacker successfully drained approximately $2.59 million in USDC, subsequently bridging these funds from Arbitrum to Ethereum and converting them into DAI and ETH to complicate tracing and asset freezing efforts.

Parameters

  • Protocol Targeted → Nemo Protocol
  • Attack Vector → Unaudited Code, Single-Signature Deployment, State Manipulation
  • Financial Impact → $2.59 Million
  • Affected Blockchain → Sui
  • Asset Drained → USDC
  • Date of Exploit → September 7, 2025

Outlook

Immediate mitigation for users involves refraining from interacting with the Nemo Protocol until full functionality and security are confirmed through official channels. This incident underscores the critical necessity for rigorous, independent smart contract audits and the implementation of robust multi-signature governance for all sensitive protocol actions, particularly code deployments. Moving forward, the industry must establish higher standards for code review and deployment procedures to prevent similar vulnerabilities from being introduced, thereby enhancing the overall security posture of DeFi protocols and mitigating contagion risk across interconnected ecosystems.

The Nemo Protocol exploit serves as a stark reminder that even identified vulnerabilities, if left unaddressed and coupled with lax deployment controls, represent an unacceptable risk to user capital and protocol integrity.

Signal Acquired from → Cointelegraph
