TLDR
- Nemo Protocol’s $2.6 million exploit stemmed from unaudited code and developer errors.
- The vulnerabilities were introduced in January and led to unauthorized access and fund theft.
- Nemo has paused operations, patched the issues, and is working on compensating affected users.
- The attack exploited a flash loan function and query flaw, draining assets from liquidity pools.
Nemo Protocol, a DeFi platform built on the Sui blockchain, has outlined the causes of its $2.6 million exploit earlier this month. The platform revealed in a post-mortem report that the attack was due to two vulnerabilities introduced into its code by a developer and deployed without proper auditing. The breach, which occurred on September 7, exploited flaws that allowed unauthorized access and manipulation of its smart contract.
Vulnerabilities in the Codebase
The Nemo team explained that the exploit stemmed from two primary issues within the code. First, an internal flash loan function was accidentally exposed to the public. Second, a flaw in a query function enabled unauthorized state changes within the contract. These vulnerabilities were introduced in January 2023, after the protocol received an initial audit report from blockchain security firm MoveBit. Despite the warnings, one of Nemo’s developers incorporated new, unaudited features into the codebase and deployed them to the mainnet.
Notably, the governance structure of the protocol relied on a single-signature address for upgrades, which allowed the unvetted code to be deployed. The team acknowledged that this system failed to prevent risky updates from being introduced. Furthermore, despite a security warning from Asymptotic in August regarding a separate vulnerability, the team did not take immediate action to address the issue.
Exploit Mechanics and Fund Movement
The attacker exploited the combination of the flash loan function and the query function vulnerability to manipulate the contract’s internal state. This enabled the unauthorized draining of assets from the SY/PT liquidity pool. The stolen funds were moved from the Sui network to Ethereum via the Wormhole CCTP bridge. As of now, the majority of the stolen assets remain in a single address.
In response to the breach, Nemo Protocol has paused its core functions to prevent further damage. The team has already patched the vulnerabilities and submitted the updated code for an emergency audit. They are working closely with security teams on the Sui blockchain to trace the stolen funds. Furthermore, the team is planning to compensate affected users.
Acknowledging the Failures
Despite multiple audits and safety measures, Nemo acknowledged that it had relied too heavily on past assurances without maintaining rigorous scrutiny at every step. The report stated that the team’s failure to catch these vulnerabilities during the development phase contributed to the exploit.
Nemo Protocol, a yield infrastructure platform, focuses on yield tokenization and aims to improve DeFi interactions. This breach has raised concerns about the platform’s code integrity, but the team is taking steps to address the issues and prevent future attacks.
