Nemo Protocol says unaudited code deployment led to $2.6 million exploit

Sui-based DeFi platform Nemo Protocol said its $2.6 million exploit earlier this month resulted from two vulnerabilities that were introduced into the code by a developer and deployed without proper audits.

In a post-mortem report published late Wednesday night, Nemo explained that the Sept. 7 attack was caused by two issues: an internal flash loan function that was mistakenly exposed to the public, and a flaw in a query function that allowed unauthorized state changes within the contract.

According to the report, the vulnerabilities date back to January of this year. After receiving the initial audit report from blockchain security firm MoveBit, one Nemo developer introduced these new, unaudited features into the codebase. The version of the contract containing this code was then deployed to the mainnet. 

"The governance root cause was the protocol's reliance on a single-signature address for upgrades, which failed to prevent the deployment of code that had not undergone rigorous scrutiny," the report said, adding that the team failed to act on a warning from the Asymptotic security team in August regarding a separate but related vulnerability.

The attacker used the combination of the flash loan and the state-modifying query function to manipulate the internal state of the contract, draining "substantial" assets from the SY/PT liquidity pool. The stolen funds were moved from the Sui network to Ethereum via Wormhole CCTP, with the majority of the assets currently remaining in a single address.

Nemo Protocol said it has since paused its core functions, patched the vulnerabilities, and submitted the updated code for an emergency audit. The team is collaborating with security teams on Sui to trace the funds and is developing a compensation plan for affected users. 

"Despite multiple audits and safeguards, we acknowledge that we allowed ourselves to rely too heavily on past assurances, rather than maintaining uncompromising scrutiny at every step," Nemo said in the report.

Nemo Protocol is a yield infrastructure and native yield-trading platform built on Sui, designed to improve DeFi interactions. It focuses on yield tokenization, enabling users to trade, hedge, or leverage yields more efficiently.