According to Cointelegraph, the Sui-based yield trading protocol Nemo lost approximately $2.59 million in a security breach. The incident, which occurred on September 7, was attributed to a vulnerability in protocol code that had never been audited. Nemo's post-mortem revealed that the flaw was located in a function designed to minimize slippage, and that it allowed the attacker to manipulate the protocol's state. This function, "get_sy_amount_in_for_exact_py_out", was deployed on the blockchain without undergoing review by the protocol's smart contract auditor, Asymptotic.
The issue was initially identified by Asymptotic in a preliminary report. However, Nemo's team acknowledged that they failed to address the security concern promptly. The deployment of new code required only a single signature, enabling the developer to introduce unaudited code without disclosing the changes. Additionally, the developer did not utilize the confirmation hash provided in the audit, thereby bypassing standard procedures. This incident is reminiscent of a previous hack involving the NFT trading platform SuperRare, which suffered a $730,000 exploit in July due to a basic smart contract bug that could have been prevented with standard testing practices.
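The two controls the post-mortem says were missing, a multi-signature requirement for deployments and a check of the deployed code against the auditor's confirmation hash, can be modelled as a single upgrade gate. The following is an added Python illustration, not Nemo's or Sui's code; the attestation format, the SHA-256 hash scheme, the 2-of-N threshold and the sample bytecode are all assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical audit attestation: the auditor's "confirmation hash" pins the
# exact bytecode that was reviewed. A deployment must match it byte for byte.
@dataclass(frozen=True)
class AuditAttestation:
    module_name: str
    bytecode_sha256: str

@dataclass(frozen=True)
class UpgradeProposal:
    module_name: str
    bytecode: bytes
    approvals: frozenset  # ids of signers who approved this exact proposal

def confirmation_hash(bytecode: bytes) -> str:
    """SHA-256 over the compiled module (the hashing scheme is an assumption)."""
    return hashlib.sha256(bytecode).hexdigest()

def upgrade_gate(proposal: UpgradeProposal, attestation: AuditAttestation,
                 required_approvals: int = 2) -> list:
    """Return the reasons the upgrade must be refused; an empty list means allowed."""
    problems = []
    if proposal.module_name != attestation.module_name:
        problems.append("attestation is for a different module")
    if confirmation_hash(proposal.bytecode) != attestation.bytecode_sha256:
        problems.append("bytecode hash does not match the audited confirmation hash")
    if len(proposal.approvals) < required_approvals:
        problems.append(f"{len(proposal.approvals)} approval(s) present, "
                        f"{required_approvals} required")
    return problems

# Constructed sample data, not real Nemo artefacts.
AUDITED = b"module nemo::router { fn get_sy_amount_in_for_exact_py_out() {} }"
ATTESTATION = AuditAttestation("nemo::router", confirmation_hash(AUDITED))

def audited_multisig_upgrade() -> list:
    # The intended path: audited bytecode, two approvers.
    proposal = UpgradeProposal("nemo::router", AUDITED, frozenset({"dev", "ops"}))
    return upgrade_gate(proposal, ATTESTATION)

def unaudited_single_sig_upgrade() -> list:
    # The failure mode from the post-mortem: bytecode changed after the audit
    # and only one signer approved it, so the gate reports both problems.
    tampered = AUDITED.replace(b"{} }", b"{ /* unaudited change */ } }")
    proposal = UpgradeProposal("nemo::router", tampered, frozenset({"dev"}))
    return upgrade_gate(proposal, ATTESTATION)

if __name__ == "__main__":
    print("audited, 2 approvals:", audited_multisig_upgrade() or "allowed")
    print("unaudited, 1 approval:", unaudited_single_sig_upgrade())
```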
The vulnerable code was introduced in early January, and although an upgrade procedure was implemented in April to prevent such issues, the vulnerability had already been integrated into the production environment. Asymptotic alerted Nemo to the vulnerability on August 11, but the project was preoccupied with other matters and did not address the issue before the exploit occurred. In response to the breach, Nemo has paused its protocol's core functions to prevent further losses. The team is working with multiple security teams and providing relevant addresses to assist in freezing assets on centralized exchanges.
A patch has been developed, and Asymptotic is currently auditing the new code. Nemo has removed its flash loan function, fixed the vulnerable code, and added a manual-reset feature to restore affected values. The project is also designing a compensation plan for users, which includes debt structuring at the tokenomics level. Nemo has apologized to its users and emphasized the importance of constant vigilance in security and risk management. The team has committed to enhancing its defenses and implementing stricter protocol controls to prevent future incidents.