DeFi platform Nemo Protocol, built on the Sui blockchain, has disclosed that a $2.6 million exploit earlier this month stemmed from unaudited code being deployed to mainnet. The team admitted that a developer introduced new features after an initial audit, and that those additions were never reviewed by a security firm before going live.
In a report released late Wednesday, Nemo said: “The governance root cause was the protocol’s reliance on a single-signature address for upgrades, which failed to prevent the deployment of code that had not undergone rigorous scrutiny.”
How the Flaw Was Introduced
The report traced the issue back to January 2025. After security firm MoveBit completed its first audit, a developer added two new elements: a flash loan function that was mistakenly public, and a query function that allowed unauthorized state changes.
Instead of deploying the audited version, the developer pushed this altered code to mainnet via a single-signature wallet. Nemo later moved to multi-signature upgrades in April, but by then the vulnerable contract was already active.
Warnings came again in August, when security firm Asymptotic flagged a related state-modification risk. The problem, however, was left unresolved as priorities shifted to Nemo's Vault product.
Exploit and Fund Tracing
On September 7, attackers took advantage of the two flaws. They used the exposed flash loan function along with the faulty query to distort pricing, mint extra SY tokens, and empty funds from the SY/PT pool.
The majority of the stolen funds were bridged from Sui to Ethereum through Wormhole's integration of Circle's CCTP. Around $2.4 million remains in a single Ethereum wallet. Secondary arbitrageurs also took advantage of the manipulated pool to extract additional rewards.
Protocol Response
Nemo paused its core functions soon after spotting unusual yield jumps. The team has since patched the flaws, removed the flash loan function, and made all query methods read-only. An emergency audit is underway with Asymptotic.
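The two defect classes the report describes (a flash loan entry point that was accidentally public, and a "query" that could change state) map onto Move visibility and reference rules. The following Sui Move module is an added illustration, not Nemo's code or a reconstruction of it; the module name, the `SY` placeholder token, the `Pool` fields and the price logic are all assumptions chosen to show the shape of the flaw beside the fix the team describes (removing the flash loan and making queries read-only).

```move
// Illustrative Sui Move module (added example, not Nemo Protocol's code).
// Each defect is shown next to its safer form so the two can be compared.
module example::sy_pool {
    use sui::balance::{Self, Balance};
    use sui::coin::{Self, Coin};
    use sui::object::UID;
    use sui::tx_context::TxContext;

    /// Placeholder reserve token; the real protocol's types are not on the page.
    public struct SY has drop {}

    /// Shared pool object. `price` stands in for whatever cached value the
    /// rest of the protocol reads (assumption for illustration).
    public struct Pool has key {
        id: UID,
        reserve: Balance<SY>,
        price: u64,
    }

    /// Hot-potato receipt: it has no abilities, so the borrower must hand it
    /// back to `repay` in the same transaction or the transaction aborts.
    public struct FlashReceipt { amount: u64 }

    // ---- Defect 1: flash loan reachable by anyone --------------------------
    // `public` lets any module or programmable transaction block call this
    // function directly and combine it with other calls in one transaction.
    public fun flash_loan_unsafe(
        pool: &mut Pool, amount: u64, ctx: &mut TxContext,
    ): (Coin<SY>, FlashReceipt) {
        let coin = coin::from_balance(balance::split(&mut pool.reserve, amount), ctx);
        (coin, FlashReceipt { amount })
    }

    // Safer form: `public(package)` restricts callers to modules in this
    // package. (Nemo's fix went further and removed the function entirely.)
    public(package) fun flash_loan(
        pool: &mut Pool, amount: u64, ctx: &mut TxContext,
    ): (Coin<SY>, FlashReceipt) {
        let coin = coin::from_balance(balance::split(&mut pool.reserve, amount), ctx);
        (coin, FlashReceipt { amount })
    }

    /// Consumes the receipt; aborts unless at least the borrowed amount comes back.
    public fun repay(pool: &mut Pool, payment: Coin<SY>, receipt: FlashReceipt) {
        let FlashReceipt { amount } = receipt;
        assert!(coin::value(&payment) >= amount, 0);
        balance::join(&mut pool.reserve, coin::into_balance(payment));
    }

    // ---- Defect 2: a "query" that can write ----------------------------------
    // Taking `&mut Pool` means the function can change the object. Here the
    // cached price is overwritten from the current reserve, so a caller that
    // first moves the reserve (for example with a flash loan) moves the price.
    public fun quote_unsafe(pool: &mut Pool): u64 {
        pool.price = balance::value(&pool.reserve); // state change hidden in a read
        pool.price
    }

    // Read-only form: with `&Pool` the compiler rejects any write to the pool,
    // which is what "locking queries down to read-only" means in Move terms.
    public fun quote(pool: &Pool): u64 {
        pool.price
    }
}
```

The point of the side-by-side is that both fixes are enforced by the language rather than by convention: visibility decides who can call the loan, and the reference type decides whether a query can mutate. A post-audit diff that changes `public(package)` to `public`, or `&Pool` to `&mut Pool`, is a one-token change that an audit of the earlier version would not have covered, which is why the report treats the single-signature upgrade path, not just the code, as the root cause.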
“Despite multiple audits and safeguards, we acknowledge that we allowed ourselves to rely too heavily on past assurances, rather than maintaining uncompromising scrutiny at every step,” Nemo said.
The protocol is working with security firms, exchanges, and law enforcement to trace funds. A user compensation plan, including possible debt restructuring, is being prepared.
Moving Forward
Nemo called the incident “a painful but important lesson” and pledged to tighten upgrade procedures with multi-sig protections, stricter audit checkpoints, and a broader bug bounty program.
The team said restoring trust will depend on transparency and security improvements as it continues to work on relaunching operations.