Nemo Protocol Reveals $2.6 Million Exploit Stemming from Critical Code Vulnerabilities
Code flaws trigger multi-million dollar breach—Nemo Protocol faces the music after attackers exploit smart contract weaknesses.
The Breakdown
Attackers pinpointed vulnerabilities in Nemo's protocol architecture, bypassing security layers and siphoning $2.6 million in digital assets. The exploit leveraged unchecked external calls and flawed logic in liquidity mechanisms.
Behind the Hack
Weak access controls and improper validation mechanisms gave hackers an open door. They manipulated price oracles and executed reentrancy attacks—classic moves in the DeFi exploit playbook.
Response Mode
Nemo's team halted operations, patched the vulnerabilities, and launched a post-mortem. They’re now working with security auditors to prevent a repeat—because nothing says 'trust us' like getting hacked first.
Finance, huh? Where else can you lose $2.6 million and call it a 'learning experience'?
TLDR
- Nemo Protocol’s $2.6 million exploit stemmed from unaudited code and developer errors.
- The vulnerabilities were introduced in January and led to unauthorized access and fund theft.
- Nemo has paused operations, patched the issues, and is working on compensating affected users.
- The attack exploited a flash loan function and query flaw, draining assets from liquidity pools.
Nemo Protocol, a DeFi platform built on the Sui blockchain, has outlined the causes of the $2.6 million exploit it suffered earlier this month. In a post-mortem report, the platform attributed the attack to two vulnerabilities that a developer introduced into its code and deployed without proper auditing. The breach, which occurred on September 7, exploited flaws that allowed unauthorized access to and manipulation of its smart contract.
Vulnerabilities in the Codebase
The Nemo team explained that the exploit stemmed from two primary issues in the code. First, an internal flash loan function was accidentally exposed to the public. Second, a flaw in a query function allowed unauthorized state changes within the contract. These vulnerabilities were introduced in January 2023, after the protocol had received an initial audit report from blockchain security firm MoveBit. Despite that audit's warnings, one of Nemo's developers added new, unaudited features to the codebase and deployed them to mainnet.
Notably, the protocol's governance relied on a single-signature address for upgrades, which is what allowed the unvetted code to be deployed. The team acknowledged that this setup failed to prevent risky updates from being introduced. Furthermore, despite a security warning from Asymptotic in August about a separate vulnerability, the team did not act on it immediately.
Exploit Mechanics and Fund Movement
The attacker combined the exposed flash loan function with the query function flaw to manipulate the contract's internal state, which enabled the unauthorized draining of assets from the SY/PT liquidity pool. The stolen funds were moved from the Sui network to Ethereum via the Wormhole CCTP bridge. At the time of writing, the majority of the stolen assets remain in a single address.
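To make the two flaws described in the post-mortem concrete, here is an added illustration in Sui Move. It is not Nemo's code, and the module, type and function names (pool_hardening, Pool, FlashReceipt, flash_loan, reserve_value, AdminCap) are assumptions. It puts each weak pattern next to a hardened form: a flash-loan helper declared `public` beside one restricted with `public(package)`, and a query that takes `&mut` and silently changes state beside a read-only `&` version with an explicit, capability-gated mutator.

```move
/// Illustrative Sui Move module (Move 2024 edition), not Nemo Protocol's code.
/// It shows the two code-level mistakes the post-mortem describes, each next
/// to a hardened form. Module, struct and function names are assumptions.
module example::pool_hardening {
    use sui::balance::{Self, Balance};
    use sui::coin::{Self, Coin};

    const EInsufficientReserve: u64 = 0;
    const ERepaymentTooSmall: u64 = 1;

    /// Hypothetical single-asset pool (constructed for illustration).
    public struct Pool<phantom T> has key {
        id: UID,
        reserve: Balance<T>,
        fee_bps: u64,
    }

    /// "Hot potato" receipt: it has no abilities, so a borrower cannot store,
    /// copy or drop it and must pass it to `repay` in the same transaction,
    /// otherwise the transaction aborts.
    public struct FlashReceipt<phantom T> {
        amount: u64,
        fee: u64,
    }

    // ---- Mistake 1: an internal flash-loan helper exposed as `public` ----

    /// Weak: `public` makes this callable from any module or programmable
    /// transaction on chain, even though it was only meant for this package.
    public fun flash_loan_exposed<T>(
        pool: &mut Pool<T>, amount: u64, ctx: &mut TxContext
    ): (Coin<T>, FlashReceipt<T>) {
        flash_loan(pool, amount, ctx)
    }

    /// Hardened: `public(package)` restricts callers to modules inside this
    /// package, so the function is internal by construction rather than by
    /// convention.
    public(package) fun flash_loan<T>(
        pool: &mut Pool<T>, amount: u64, ctx: &mut TxContext
    ): (Coin<T>, FlashReceipt<T>) {
        assert!(amount <= balance::value(&pool.reserve), EInsufficientReserve);
        let fee = amount * pool.fee_bps / 10_000;
        let loan = coin::take(&mut pool.reserve, amount, ctx);
        (loan, FlashReceipt { amount, fee })
    }

    /// Hardened: repayment consumes the receipt and checks principal plus fee
    /// before the pool's reserve is credited.
    public(package) fun repay<T>(
        pool: &mut Pool<T>, payment: Coin<T>, receipt: FlashReceipt<T>
    ) {
        let FlashReceipt { amount, fee } = receipt;
        assert!(coin::value(&payment) >= amount + fee, ERepaymentTooSmall);
        coin::put(&mut pool.reserve, payment);
    }

    // ---- Mistake 2: a "query" that can change contract state ----

    /// Weak: the getter borrows the pool mutably and rewrites `fee_bps` as a
    /// side effect. A shared object can be passed here by anyone, so a
    /// read-looking call becomes an unauthorized state change.
    public fun reserve_value_weak<T>(pool: &mut Pool<T>, new_fee_bps: u64): u64 {
        pool.fee_bps = new_fee_bps;
        balance::value(&pool.reserve)
    }

    /// Hardened: an immutable reference makes the query read-only; the
    /// compiler rejects any attempt to assign through `&Pool<T>`.
    public fun reserve_value<T>(pool: &Pool<T>): u64 {
        balance::value(&pool.reserve)
    }

    /// Hardened companion: the only way to change the fee is an explicit
    /// mutator gated by an admin capability the caller must own.
    public struct AdminCap has key, store { id: UID }

    public fun set_fee_bps<T>(_admin: &AdminCap, pool: &mut Pool<T>, new_fee_bps: u64) {
        pool.fee_bps = new_fee_bps;
    }
}
```

The design choice in both fixes is the same: move the invariant from convention into something the compiler or runtime enforces. `public(package)` and the ability-less receipt make an unrepaid or externally invoked flash loan impossible to express, and `&Pool<T>` guarantees a query cannot write, so a reviewer checking a getter's signature is enough to rule out hidden state changes.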
In response to the breach, Nemo Protocol has paused its core functions to prevent further damage. The team has already patched the vulnerabilities and submitted the updated code for an emergency audit. They are working closely with security teams on the Sui blockchain to trace the stolen funds. Furthermore, the team is planning to compensate affected users.
Acknowledging the Failures
Despite multiple audits and safety measures, Nemo acknowledged that it had relied too heavily on past assurances without maintaining rigorous scrutiny at every step. The report stated that the team’s failure to catch these vulnerabilities during the development phase contributed to the exploit.
Nemo Protocol, a yield infrastructure platform, focuses on yield tokenization and aims to improve DeFi interactions. This breach has raised concerns about the platform’s code integrity, but the team is taking steps to address the issues and prevent future attacks.