Nemo Protocol Exploit: Unvetted Code Lost Nemo $2.6M.

Nemo Protocol revealed a $2.6 million exploit because of the deployment of code without an audit. The attack has raised fundamental flaws, which have raised security alarms in DeFi.

Nemo Protocol also recently reported a security breach of $2.6 million caused by unaudited code used by one of their internal developers earlier this year. 

The decentralized finance (DeFi) platform is based on the Sui blockchain, dedicated to yield tokenization and trading. 

The attack occurred on the 7th of September, and it relied on two severe vulnerabilities that were not detected as a result of a lack of auditing and control.

Unpacking the Breach: What Went Wrong?

Several weaknesses in the codebase were the source of the breach. One of them was a flash loan feature that was accidentally leaked. 

The other was a query function bug that allowed modifications to the internal state of the contract to be made illegally. 

There were security vulnerabilities that enabled hackers to compromise the smart contract, looting the assets of Nemo in the SY/PT liquidity pool.

This was deteriorated by a governance construct that was based on a single-signature address.  The unaudited code was deployed using this model by-passing the critical internal reviews. 

Additionally, the success of the exploit was facilitated by the fact that security experts sounded warning bells in August, but these were not taken seriously.

Trail of the Stolen Funds and Remedial Actions

The stolen assets were soon removed from the Sui network using the Wormhole CCTP bridge into Ethereum following the attack, making them difficult to recover. 

The majority of the $2.6 million is in one wallet address that security teams are looking at. Nemo Protocol has ceased smart contract updates permanently, and filed code patched with an emergency audit. 

They are also collaborating with blockchain security professionals to track stolen tokens and to plot user compensation.

A bitter experience about the risks of releasing untested or unthoroughly coded products in a fast-moving DeFi industry.

 The inability of Nemo to vett and confirm new contract features highlighted the importance of being more stringent with security controls within blockchain platforms.

The post-mortem of Nemo Protocol was published in detail on September 11 and pointed to the cause, as well as the mitigation measures still in progress. 

The case contributes to the rising alarm regarding the weakness of DeFi platforms, particularly those platforms that emphasize fast-moving innovation over well-being.