Auditor flagged issue before $2.59M Nemo hack, team admits

Timothy Wuich

Nemo Protocol Suffers $2.59 Million Loss Due to Security Flaw

Nemo, a yield trading protocol built on Sui, has reported a loss of around $2.59 million resulting from a known vulnerability introduced by deploying unaudited code, according to the project.

Nemo’s post-mortem analysis of the hack, which occurred on September 7, identified a flaw in a function intended to reduce slippage that allowed the attacker to alter the protocol’s state. This function, “get_sy_amount_in_for_exact_py_out,” was deployed on-chain without being audited by the smart contract auditor Asymptotic.

Asymptotic had in fact flagged this issue in an earlier report. However, the Nemo team acknowledges that it “did not adequately address this security concern in a timely manner.”

Deploying new code required only a signature from a single address, which enabled a developer to put unaudited code on-chain without disclosing the changes. Additionally, the confirmation hash that formed part of the audit procedure was not used during the deployment, in breach of the established process.
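The two process controls that the post-mortem says were missing can be expressed as a single pre-deployment gate: the package being published must hash to the auditor's confirmation hash, and the publish must carry a threshold of approvals rather than one signature. The following is an added illustration, not Nemo's or Asymptotic's tooling; the data classes, addresses and bytecode samples are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example of an upgrade gate; names and values are assumed.


@dataclass
class AuditConfirmation:
    """Hash the auditor issues for the exact bytecode they reviewed."""
    confirmation_hash: str   # hex sha256 of the audited package
    scope: str               # what the report covered


@dataclass
class DeployRequest:
    bytecode: bytes                               # package about to be published
    approvals: set = field(default_factory=set)   # addresses that signed off


def bytecode_hash(bytecode: bytes) -> str:
    return hashlib.sha256(bytecode).hexdigest()


def check_deploy(req: DeployRequest, audit: AuditConfirmation,
                 approvers: set, threshold: int) -> tuple[bool, list[str]]:
    """Allow an upgrade only if the bytecode matches the audited hash and the
    request carries a threshold of approvals. Returns (allowed, reasons)."""
    reasons = []
    if bytecode_hash(req.bytecode) != audit.confirmation_hash:
        reasons.append("bytecode hash does not match audit confirmation hash")
    valid = req.approvals & approvers   # ignore signers outside the approver set
    if len(valid) < threshold:
        reasons.append(f"{len(valid)} of {threshold} required approvals")
    return (not reasons, reasons)


# Constructed sample: the auditor confirmed AUDITED; a later edit produced
# MODIFIED, which was never reviewed.
AUDITED = b"constructed package bytes, reviewed by auditor"
MODIFIED = AUDITED + b" plus an unreviewed slippage change"
AUDIT = AuditConfirmation(bytecode_hash(AUDITED), "slippage function")
APPROVERS = {"0xdev", "0xsec", "0xops"}   # placeholder addresses


def single_signer_unaudited():
    # The failure mode described above: one key publishing unreviewed code.
    return check_deploy(DeployRequest(MODIFIED, {"0xdev"}), AUDIT, APPROVERS, 2)


def multisig_audited():
    return check_deploy(DeployRequest(AUDITED, {"0xdev", "0xsec"}), AUDIT, APPROVERS, 2)
```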

This isn’t the first time a hack has been revealed as easily preventable. Following a similar trend, NFT trading platform SuperRare experienced a $730,000 exploit in late July due to a fundamental smart contract error that experts assert could have been prevented through standard testing practices.

The vulnerable code was deployed on-chain in early January, while the upgrade procedure that could have blocked the deployment of unaudited code was only introduced in April.

Despite the upgrade, the vulnerability had already been introduced to the production environment. Asymptotic issued a warning to Nemo regarding the vulnerability on August 11; however, the project stated it was focused on other matters and did not address the issue prior to the exploit.

As per the analysis, Nemo’s core protocol functions are now paused to prevent any additional losses. The team is working with several security teams and is sharing all relevant addresses to help freeze assets on centralized exchanges.

A patch has since been created, and Asymptotic is currently auditing the updated code. The project has reported that it has removed its flash loan function, rectified the vulnerable code, and added a manual-reset feature to restore affected values. Nemo is also formulating a compensation plan for users, which includes debt structuring at the tokenomics level.

Nemo has extended its apologies to its users and asserts that it has learned that “security and risk management demand constant vigilance.” The team has pledged to enhance its defenses and implement stricter protocol control moving forward.
