Nemo Protocol Loses $2.6M After Developer Deploys Unaudited Smart Contract

Highlights:

• A single developer deployed unaudited code that enabled the $2.6M exploit on Nemo Protocol.
• The flash loan and query vulnerabilities were introduced after the audit.
• The funds were bridged to Ethereum, with $2.4M still in a hacker’s wallet.

On Sept. 8, attackers exploited two smart contract flaws in Nemo Protocol, draining $2.6 million from the funds of users. According to the post-mortem report, the cause of the incident was due to an unaudited rogue developer injecting unaudited features into the mainnet codebase. These features included a flash loan function mistakenly set as public and a query method with the ability to perform unauthorized state changes.

The vulnerabilities gave hackers the ability to mint additional SY tokens and manipulate pool prices, ultimately draining liquidity. Within minutes, the attackers were able to bridge assets stolen from the Sui network to Ethereum using Wormhole’s CCTP bridge. Around $2.4 million is still held in one Ethereum wallet associated with the exploit.

As many of you know, Nemo Protocol suffered a security incident on Sept 8. Today we are releasing our full incident report to provide transparency into our response, including the root cause, learnings, and next steps. We sincerely apologize for the impact on @Movebit and for the… pic.twitter.com/ROml1aUNUv

— Nemo (@nemoprotocol) September 11, 2025

Governance Gaps and Unapproved Code in Nemo Protocol

The root of the incident goes back to January 2025. After receiving an initial audit from MoveBit, a developer merged previously audited fixes with new and unverified features. These new elements, however, were never disclosed through the audit process. The developer deployed the modified version with a single-signature address, a governance structure without safeguards for internal approval.

By skipping the peer review process, the developer contributed live vulnerabilities to the mainnet of the Nemo Protocol. This unauthorized contract continued to exist despite the project’s transition to a multi-signature upgrade model in April. Moreover, internal monitoring failed to detect the differences between the audited and deployed versions of the code.

Further warnings came in August when a related flaw was flagged by security firm Asymptotic. Despite the available support, the developer ignored the alert and did not make any changes. This failure to act contributed directly to the successful conduct of the attack of September.

Exploit Execution, Response, and Recovery

The exploit commenced at 16:00 UTC on September 8. Attackers used the exposed flash loan function in conjunction with the faulty method of the query to manipulate the contract behavior. These changes consequently enabled the generation of false yield situations and enabled excessive token minting. Arbitrageurs drained the SY/PT pool still further before the team froze core functions.

#PeckShieldAlert @nemoprotocol on @SuiNetwork has been exploited for $2.4M

The hacker bridged $USDC via Circle from Arbitrum to Ethereum. pic.twitter.com/QSB0ec7TZy

— PeckShieldAlert (@PeckShieldAlert) September 8, 2025

Unusual returns in YT pools of more than 30x alerted the Nemo team within 30 minutes. Immediate action followed, including halting protocol operations, patching the code and launching emergency audits. The team also contacted centralized exchanges to aid in the tracing and potential freezing of stolen assets.

To compensate for user losses, Nemo Protocol is working on a compensation plan to structure debt. It includes tokenomic adjustments that will be shared with the community prior to release. Meanwhile, monitoring systems have been upgraded, while security partnerships have been expanded across the Sui ecosystem.

The team stressed that future upgrades will only go through multi-signature wallets and audit checkpoints will be more rigorous. In addition, a white-hat bounty program has been implemented to aid further recovery and decrease risks in the future.