Nemo protocol $2.6m exploit caused by developer’s unaudited code

Nemo protocol published a post-mortem report on the exploit that led to the protocol losing $2.59 million. The report revealed that the exploit was caused by a developer’s code that was unaudited by the MoveBit team.

Nemo protocol suffered an exploit on September 7 that resulted in the Total Value Locked plummeting from over $6 million to just around $1.5 million. Around $2.4 million had been stolen from Sui (SUI)-based DeFi yield platform protocol in the attack.

Three days later, the platform came back with a post-mortem report that explains what really led to the exploit.

“Today we are releasing our full incident report to provide transparency into our response, including the root cause, learnings, and next steps,” wrote the protocol in a recent post.

According to the report, an unnamed developer unveiled new features without audit approval and proceeded to deploy them. The developer failed to inform the MoveBit auditors that it was a new addition that got mixed into the old audited fixes.

From this weakness, the attacker took advantage of two main elements. First, a flash loan function that was mistakenly left public instead of private. Second, a flawed pricing function that could change internal contract data even though it was supposed to only read data.

These two system flaws combined allowed the hacker to drain assets from Nemo’s liquidity pool. The stolen funds were later bridged to Ethereum (ETH) through Wormhole CCTP, with $2.4 million currently held in the hacker’s active wallet.

How did the Nemo protocol exploit occur?

When the attack happened, the hacker exploited the system’s vulnerabilities to borrow, swap, and mint tokens in a way that manipulated prices and drained the pool. The Nemo team noticed unusual yields that displayed over 30x returns within the first 30 minutes and paused the protocol through a multi-signature wallet.

At this point, most of the stolen funds had already been moved off-chain.

In response, Nemo took steps to patch the vulnerabilities. The flash loan function was removed, and the pricing tool was corrected so that it cannot alter internal data. The team also fixed another related bug that could affect exchange rates. Emergency audits are underway, and the protocol has promised to bring in multiple security firms for independent reviews of the updated code.

In addition, Nemo protocol plans to reset corrupted on-chain data and rebalance their liquidity pools so the protocol can operate normally again.

What are the next steps?

According to the post-mortem report, Nemo is preparing a compensation plan for affected users. The team is also working with exchanges, security firms, and law enforcement to track the stolen assets and prevent the hacker from liquidating the funds.

Nemo is also looking at long-term changes to improve security. These include stricter controls for upgrades, more robust audits, broader bug bounty programs, and a higher focus on transparency.

For the future, the team is committed to building stronger security practices, better accountability, and closer communication with users in order to re-establish trust and resilience.