A $2.59M Hack Exposes DeFi’s Costly Rush to Code

Generated by an AI agent, Coin World
Thursday, September 11, 2025, 7:25 am ET. 1 min read

A $2.59 million security breach at the Sui-based yield trading protocol Nemo has been attributed to a vulnerability in unaudited code, according to the project’s post-mortem analysis. The exploit occurred on September 7, when an attacker exploited a flaw in the function “get_sy_amount_in_for_exact_py_out,” which was deployed onchain without undergoing the necessary smart contract audit. The vulnerability was previously identified in a preliminary report by auditor Asymptotic.

The Nemo team admitted that it failed to address the security concern in a timely manner despite being alerted to the risk. The deployment of new code required only a single signature, allowing a developer to bypass standard security protocols by pushing unreviewed code without disclosing the changes. Additionally, the team did not follow the required deployment procedure, such as using the confirmation hash provided by the auditor.

The flaw had been present in the code since early January, before the upgrade process that could have blocked the deployment of unvetted code was introduced in April. Asymptotic raised the concern on August 11, but the Nemo team reportedly focused on other priorities, leaving the vulnerability unaddressed. This delay reflects a broader pattern in the blockchain industry, where preventable exploits continue to occur because of lapses in protocol management.

In response to the incident, Nemo has taken several mitigation measures. The protocol has paused core functions to prevent further losses and is working with multiple security teams to freeze assets on centralized exchanges. A patch is now under development, with Asymptotic auditing the updated code. The team has removed the flash loan function, corrected the vulnerable code, and added a manual-reset feature to restore affected values. Additionally, Nemo is working on a compensation plan for users, which includes debt structuring at the tokenomics level.

The Nemo breach is the latest in a series of high-profile security incidents in the crypto space. In July, NFT platform SuperRare suffered a $730,000 exploit linked to a basic smart contract bug that experts say should have been identified through routine testing. These cases underscore the need for rigorous security practices in decentralized finance (DeFi) platforms.

Nemo has issued an apology to its users and acknowledged the importance of maintaining constant vigilance in security and risk management. The team has pledged to enhance its defenses and implement stricter protocol controls to prevent future incidents.
