Yield trading platform Nemo on the Sui Network has confirmed that a recent exploit stemmed from a known vulnerability in non-audited code, which had been pushed on-chain through an upgrade process that required only a single signature.
Key points:
- Nemo Protocol suffered a $2.6M exploit due to non-audited code deployed under single-signature controls, bypassing standard audit procedures.
- The vulnerability in the “get_sy_amount_in_for_exact_py_out” function allowed an attacker to manipulate the system; the issue traces back to January when unaudited features were added post-audit.
- Nemo has paused core functions, patched the code, removed the flash loan feature, added a manual reset feature, and is planning user compensation while collaborating with security teams.
An official incident report revealed that a flaw in the protocol’s “get_sy_amount_in_for_exact_py_out” function, designed to minimize slippage, enabled an attacker to manipulate the system on September 8. The function had been deployed on-chain without undergoing a formal audit by smart contract security firm Asymptotic.
Asymptotic’s preliminary report flagged the vulnerability, but Nemo acknowledged that its team failed to address the issue promptly. The deployment process required only a single signature, which allowed a developer to push unaudited code on-chain without revealing the modifications. Additionally, the developer bypassed protocol by not using the confirmation hash provided in the audit, further violating standard deployment procedures.
The in-depth investigation traced the issue back to January. Between MoveBit’s initial audit and the release of its final report, a Nemo developer added a new, unaudited feature to the code submitted for review. As a result, a version of the contract containing this unaudited code was deployed to the mainnet.
The underlying governance flaw was the protocol’s reliance on a single-signature address for upgrades, which failed to prevent unvetted code from going live. Critically, the developer did not use the version of the contract that had been confirmed by the auditing firm.
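The two controls the report says were missing, a check that the deployed bytecode matches the build the auditor confirmed and a multi-signature approval threshold, can be combined into one release gate. The following is an added illustration, not Nemo's or Asymptotic's code; the signer names, the sample bytecode strings and the auditor label are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AuditAttestation:
    """What the auditor signs off on: the hash of the exact bytecode reviewed."""
    auditor: str
    confirmed_hash: str  # hex SHA-256 of the audited build

@dataclass
class UpgradeProposal:
    bytecode: bytes
    approvals: set[str] = field(default_factory=set)  # signer ids who approved

def bytecode_hash(bytecode: bytes) -> str:
    return hashlib.sha256(bytecode).hexdigest()

def check_upgrade(proposal: UpgradeProposal, attestation: AuditAttestation,
                  signers: set[str], threshold: int) -> tuple[bool, str]:
    """Gate an on-chain upgrade: the bytecode must match the audit-confirmed hash
    and carry at least `threshold` approvals from the recognised signer set."""
    digest = bytecode_hash(proposal.bytecode)
    if digest != attestation.confirmed_hash:
        return False, "bytecode differs from the build confirmed by " + attestation.auditor
    valid = proposal.approvals & signers  # ignore approvals from unknown keys
    if len(valid) < threshold:
        return False, f"only {len(valid)} of {threshold} required approvals"
    return True, "ok"

# Constructed sample data (placeholders, not real Nemo artefacts or addresses).
AUDITED_BUILD = b"module nemo::market { fun get_sy_amount_in_for_exact_py_out() {} }"
UNAUDITED_BUILD = AUDITED_BUILD + b" fun flash_loan() {}"  # feature added after review
ATTESTATION = AuditAttestation("auditor-A", bytecode_hash(AUDITED_BUILD))
SIGNERS = {"dev-1", "dev-2", "ops-1"}

def demo() -> list[tuple[bool, str]]:
    return [
        # 1) one developer pushes a build modified after the audit: rejected on hash
        check_upgrade(UpgradeProposal(UNAUDITED_BUILD, {"dev-1"}), ATTESTATION, SIGNERS, 2),
        # 2) the audited build, but only a single approval: rejected on threshold
        check_upgrade(UpgradeProposal(AUDITED_BUILD, {"dev-1"}), ATTESTATION, SIGNERS, 2),
        # 3) the audited build with 2-of-3 approvals: allowed
        check_upgrade(UpgradeProposal(AUDITED_BUILD, {"dev-1", "ops-1"}), ATTESTATION, SIGNERS, 2),
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "REJECT", reason)
```

The hash comparison is what catches the January scenario described above: any feature added after the auditor's review changes the digest, so the build cannot pass the gate regardless of how many signatures it collects.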
In response, Nemo has paused its core protocol functions to prevent additional losses, while collaborating with multiple security teams and sharing relevant addresses to help freeze assets on centralized exchanges. A patch has been developed and is currently under audit by Asymptotic.
The team removed the flash loan function, corrected the vulnerable code, and implemented a manual-reset feature to restore affected values. Nemo is also designing a user compensation plan, including debt restructuring within the tokenomics framework, to mitigate the impact of the exploit.
The Nemo incident emphasizes the ongoing challenges yield protocols face in balancing rapid innovation with robust security. As DeFi continues to expand, the episode serves as a reminder for projects to prioritize thorough audits, implement stronger governance safeguards, and maintain transparent communication with their communities.
Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.