Nemo Protocol Suffers $2.59 Million Loss After Ignoring Auditor’s Security Warning
On September 7, the Sui-based yield trading protocol Nemo fell victim to a $2.59 million exploit of a known vulnerability in unaudited code running on its platform. The project’s post-mortem revealed that the flaw originated in a function designed to minimize slippage, which had been deployed without a formal security audit.
Known Vulnerability Overlooked Despite Auditor’s Alert
The compromised function, named “get_sy_amount_in_for_exact_py_out,” was pushed onchain without review by smart contract auditor Asymptotic. Notably, Asymptotic had identified this vulnerability in a preliminary report and alerted Nemo. However, the development team admitted that it “did not adequately address this security concern in a timely manner.”
The deployment process lacked sufficient safeguards: a single signature was enough to publish new code on-chain, so a developer could ship unaudited changes without disclosing them publicly. In addition, the confirmation hash that the auditor recommended checking at deployment was not used, violating established procedures.
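The two controls the post-mortem says were missing, a check that the bytes being published match the hash the auditor signed off on, and a signature threshold rather than a single key, are straightforward to express as a gate in a release pipeline. The following is an added example and is not Nemo's or Asymptotic's tooling; the artifact bytes, the signer names, the threshold and the `DeploymentPolicy` and `check_deployment` names are constructed for illustration, and a real pipeline would take the audited hash from the audit report and the approvals from the protocol's multisig.

```python
"""Deployment gate: refuse to publish a package whose hash does not match the
hash recorded in the audit report, and require a signature threshold.

Added illustration, not Nemo's or Asymptotic's tooling. Artifact bytes,
audited hash, signer names and threshold are constructed for the example.
"""
import hashlib
from dataclasses import dataclass


class DeploymentBlocked(Exception):
    """Raised when the gate refuses to deploy."""


@dataclass(frozen=True)
class DeploymentPolicy:
    audited_sha256: str         # hex hash recorded in the audit report
    approvers: frozenset[str]   # keys allowed to approve a deployment
    threshold: int              # distinct approvals required (N-of-M)


def artifact_hash(artifact: bytes) -> str:
    """Hex SHA-256 of the compiled artifact about to be published."""
    return hashlib.sha256(artifact).hexdigest()


def check_deployment(artifact: bytes, approvals: set[str],
                     policy: DeploymentPolicy) -> str:
    """Return the artifact hash if both gates pass, else raise DeploymentBlocked.

    Gate 1: the bytes being deployed are exactly the bytes that were audited,
            so an unreviewed change cannot ride along with an audited release.
    Gate 2: at least `threshold` distinct, authorised approvers signed off,
            so one key holder cannot push code alone.
    """
    actual = artifact_hash(artifact)
    if actual != policy.audited_sha256:
        raise DeploymentBlocked(
            f"artifact hash {actual[:16]}... does not match audited hash "
            f"{policy.audited_sha256[:16]}...; unaudited change refused"
        )
    valid = approvals & policy.approvers   # ignore signers outside the set
    if len(valid) < policy.threshold:
        raise DeploymentBlocked(
            f"{len(valid)} of {policy.threshold} required approvals present"
        )
    return actual


# Constructed sample data: a stand-in for the compiled package that was audited.
AUDITED_BUILD = b"compiled package bytes reviewed by the auditor (constructed)"
POLICY = DeploymentPolicy(
    audited_sha256=artifact_hash(AUDITED_BUILD),
    approvers=frozenset({"dev-1", "dev-2", "security-lead"}),
    threshold=2,
)


def demo() -> dict[str, str]:
    """Run the cases a reviewer would want to see and report each outcome."""
    cases = {
        "audited build, 2 approvals": (AUDITED_BUILD, {"dev-1", "security-lead"}),
        # A post-audit edit to the artifact changes its hash and is refused.
        "modified build, 2 approvals": (AUDITED_BUILD + b" + unreviewed slippage tweak",
                                        {"dev-1", "security-lead"}),
        # The single-signature path the post-mortem describes is refused.
        "audited build, 1 approval": (AUDITED_BUILD, {"dev-1"}),
        # An approval from a key outside the approver set does not count.
        "audited build, 1 valid + 1 unknown": (AUDITED_BUILD, {"dev-1", "intern"}),
    }
    results = {}
    for name, (artifact, approvals) in cases.items():
        try:
            results[name] = "deployed " + check_deployment(artifact, approvals, POLICY)[:16]
        except DeploymentBlocked as exc:
            results[name] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hash check is only as good as the artifact it covers: it must be computed over the exact bytes that are published on-chain, not over source that is rebuilt later, or a different compiler flag can silently change what ships.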
Delayed Security Measures and Persistent Risk
The vulnerable code was initially deployed in early January. Although Nemo introduced an upgraded deployment procedure with stricter controls in April, this came too late to prevent the flawed code from entering the production environment. Asymptotic’s warning on August 11 went unheeded as the team prioritized other matters, leaving the protocol exposed until the exploit occurred.
Response and Remediation Efforts Underway
In response to the breach, Nemo has paused its core protocol functions to mitigate further losses. The team is collaborating with multiple security firms and has shared relevant addresses with exchanges to assist in freezing illicitly moved assets.
A patch addressing the vulnerability has been developed and is undergoing audit by Asymptotic. The update removes the protocol’s flash loan feature, corrects the flawed code, and introduces a manual-reset mechanism to restore compromised values. Furthermore, Nemo is crafting a compensation plan for affected users, which includes debt restructuring considerations at the tokenomics level.
“The core team is formulating a detailed user compensation plan, including a debt-structuring design at the tokenomics level,” Nemo stated.
Lessons and Commitment to Improved Security
Nemo has issued an apology to its user base, acknowledging that “security and risk management demand constant vigilance.” The team pledged to enhance its defensive measures and enforce stricter control over protocol upgrades going forward.
This incident follows a pattern of preventable crypto exploits, such as the July breach of NFT platform SuperRare, which lost $730,000 due to a basic smart contract bug that could have been avoided through standard testing.
FinOracleAI — Market View
The $2.59 million hack at Nemo highlights ongoing weaknesses in crypto protocol governance, especially where unaudited code can be deployed without multisignature controls. The market may react negatively, given the loss and the team’s delayed response to a security warning it had already received, which could undermine investor confidence. However, Nemo’s steps to pause operations, patch the flaw, and design a compensation plan may help restore trust over time. Investors should watch the effectiveness of the new security measures and the rollout of the compensation plan as key indicators of the protocol’s recovery.
Impact: negative