Nemo Protocol, a DeFi platform built on Sui, said $2.6M was stolen on Sept. 7 after two code flaws were added to its contract and deployed without full audits.
The company says the problems began in January when a developer introduced new, unaudited features. The exposed flash loan function and a broken query function let an attacker change contract state and drain funds from an SY/PT liquidity pool.
How the attack worked
Nemo’s post-mortem says the attacker combined an exposed internal flash loan with a query routine that could modify state. That combination let the attacker manipulate on-chain values and pull out substantial assets.
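As an added illustration (not Nemo's code, and not a reconstruction of the exploit), the two flaw classes the post-mortem names, written in Sui Move with the form that closes each one. It assumes the Sui Move 2024 edition (so UID and TxContext are implicit imports); the module, type and function names and the pricing rule are hypothetical.

```move
// Hypothetical illustration, not Nemo's code: an "internal" flash-loan helper
// that was exposed, and a "query" that could mutate state, each beside the
// form that closes the flaw. Assumes Sui Move 2024 edition.
module example::sy_pt_pool {
    use sui::balance::{Self, Balance};
    use sui::coin::{Self, Coin};

    const EInsufficientRepay: u64 = 0;
    const EEmptyReserve: u64 = 1;

    public struct SY has drop {}              // placeholder SY coin type

    public struct Pool has key {
        id: UID,
        sy_reserve: Balance<SY>,
        pt_reserve: u64,
    }

    // Hot-potato receipt: no abilities, so it cannot be stored or dropped and
    // the borrower is forced to call flash_repay in the same transaction.
    public struct FlashReceipt { amount: u64 }

    // Flaw 1: declaring this helper `public fun flash_borrow(...)` makes it
    // callable from any transaction. `public(package)` limits callers to
    // modules of this package, which is what "internal" should mean.
    public(package) fun flash_borrow(
        pool: &mut Pool, amount: u64, ctx: &mut TxContext
    ): (Coin<SY>, FlashReceipt) {
        let borrowed = coin::take(&mut pool.sy_reserve, amount, ctx);
        (borrowed, FlashReceipt { amount })
    }

    public(package) fun flash_repay(pool: &mut Pool, repaid: Coin<SY>, receipt: FlashReceipt) {
        let FlashReceipt { amount } = receipt;   // consume the receipt
        assert!(coin::value(&repaid) >= amount, EInsufficientRepay);
        balance::join(&mut pool.sy_reserve, coin::into_balance(repaid));
    }

    // Flaw 2: a "query" declared as `fun get_price(pool: &mut Pool)` may
    // change reserves as a side effect. Taking `&Pool` makes any write to
    // the pool a compile-time error, so a read path cannot alter state.
    public fun get_price(pool: &Pool): u64 {
        assert!(pool.pt_reserve > 0, EEmptyReserve);
        // SY per PT, scaled by 1e9 (hypothetical pricing rule); u128 avoids overflow
        let sy = balance::value(&pool.sy_reserve) as u128;
        ((sy * 1_000_000_000) / (pool.pt_reserve as u128)) as u64
    }
}
```

A reviewer checking a contract upgrade for this class of bug looks for two things: every `public fun` that hands out pool funds before repayment, and every read-only accessor whose parameter is `&mut` rather than `&`.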
The team says the stolen tokens were moved off Sui to Ethereum using Wormhole CCTP. Most of the funds now sit in a single address, the report adds.
What went wrong in development?
According to Nemo, the risky code was added after the team received an audit from MoveBit earlier this year. A developer then merged new features that had not been audited.
The contract with those changes was pushed to mainnet. Nemo also points to a governance weakness: upgrades were controlled by a single-signature account, so nothing stopped unreviewed code from being deployed. The team says it ignored a warning from Asymptotic in August about a related issue.
Response from Nemo
Nemo paused its core functions after the attack, and the team patched the two flaws and sent the updated code for an emergency audit. They are working with Sui security teams to trace the stolen funds.
Nemo also said it will prepare a plan to compensate users who lost assets. The statement includes a frank admission that the team leaned too much on past audits and did not keep strict checks at every step.
About Nemo Protocol
Nemo calls itself a native yield-trading and yield infrastructure platform on Sui. It focuses on tokenising yield so users can trade, hedge, or leverage interest-bearing positions.
The project is meant to simplify some DeFi moves, but the post-mortem shows how a single deployment error can lead to big losses.
Wider context in crypto security
The Nemo incident comes amid other recent attacks and warnings in the crypto space. A few days ago, we reported that Swiss asset manager SwissBorg reported a theft of about $41,000,000 after attackers exploited an API bug at one of its staking partners on Solana.
Separately, a couple of days ago, Ledger’s chief technology officer, Charles Guillemet, warned that a supply-chain attack is underway after a trusted developer’s NPM account was taken over. He said compromised packages have more than 1,000,000,000 downloads.
Those events underline how many different failure points exist: smart contracts, third-party services, and developer ecosystems. Nemo’s breach is another example of how code changes, even small ones, can cause wide damage when safeguards fail.
What users and projects should watch
Nemo’s report highlights a few concrete lessons. First, every code change should get fresh review and testing, even after previous audits.
Second, governance controls matter; relying on a single key for upgrades creates a single point of failure. Third, external warnings from security teams should prompt immediate follow-up, not delayed action.
Nemo says it will adopt stronger safeguards, but the firm did not provide a timetable for compensation or a public plan for new governance rules. It did say it will keep working with security groups to try to recover funds.
The fallout from this exploit will play out in the weeks ahead; tracing bridged funds can take time, and on-chain recovery is rarely straightforward. For now, Nemo has stopped key functions and asked outside experts to check its fixes.