cryptonews, September 11, 2025

Nemo Protocol Blames $2.6M Exploit on Developer Who Deployed Unaudited Code

Nemo Protocol released a comprehensive post-mortem blaming a rogue developer for deploying unaudited code containing critical vulnerabilities that enabled a $2.59 million exploit on September 7. The DeFi yield platform detailed how the unnamed developer secretly introduced new features without audit approval and used unauthorized smart contract deployments.

The attack exploited two key vulnerabilities: a flash loan function incorrectly exposed as public, and a query function that could modify contract state without authorization. The attacker bridged the stolen funds to Ethereum via Wormhole CCTP, with $2.4 million currently held in the hacker's wallet.

"As many of you know, Nemo Protocol suffered a security incident on Sept 7. We are releasing our full incident report to provide transparency into our response, including the root cause, learnings, and next steps. We sincerely apologize for the impact on @Movebit and for the…"
— Nemo (@nemoprotocol) September 11, 2025

How it All Started

The root cause traces to January 2025, when a developer submitted code containing unaudited features to MoveBit. The developer failed to highlight the new additions while mixing previously audited fixes with unreviewed code. MoveBit issued its final audit report based on incomplete information. The same developer then deployed contract version 0xcf34 using the single-signature address 0xf55c rather than the audit-confirmed hash, bypassing internal review.

Asymptotic's team identified the critical C-2 vulnerability in August, warning that some functions could modify code without authorization. The developer dismissed the severity and failed to implement the necessary fixes.

Attack execution began at 16:00 UTC on September 7, with the hackers leveraging the flash loan function and the get_sy_amount_in_for_exact_py_out query function. The Nemo team detected anomalies thirty minutes later, when YT yields were displaying at over 30x.

"On August 11, we reported a Critical vulnerability (C-2) to Nemo regarding unauthorized manipulation of py_index_stored, an index variable which affects all interest, yield, and conversion. We warned of potential "incorrect payouts, market disruption, and loss of…"
— Asymptotic (@AsymptoticTech) September 11, 2025

The Developer's Secret Code Deployment

In late 2024, the initial audit submissions correctly configured flash_loan as an internal, non-callable function while the development teams iterated on features. The developer drew inspiration from the Aave and Uniswap protocols to maximize composability through flash loan capabilities.

However, the implementation critically underestimated the security risks and incorrectly used public methods rather than internal ones. The earlier-mentioned query function, intended to enhance the swap quoting mechanism, contained implementation errors: functions designed for read-only purposes were coded with write capabilities, creating the primary attack vector.

On January 5, 2025, the developer integrated the unaudited features into the final codebase after receiving MoveBit's initial audit report. The mixed version contained both fixed issues and new unaudited features, without an explicit scope. The developer communicated directly with the MoveBit team on January 6, obtaining the final audit reports through modification of the previous submission. Instead of using the confirmation hashes from the audit reports, separate upgrades and deployments occurred without the internal team's knowledge.
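The two defect patterns described above, rendered as a constructed Sui Move illustration added here (it is not Nemo Protocol's code; the module, struct and field names, the SCALE constant and the pricing arithmetic are assumptions): a flash-loan primitive declared public beside its module-private form, and a quote function that borrows `&mut Market` and overwrites py_index_stored beside one that borrows `&Market`, where the Move compiler rejects any write.

```move
module example::yield_market {
    use sui::object::UID;
    /// Fixed-point scale for the stored index; value is an assumption.
    const SCALE: u128 = 1_000_000_000_000;
    const EInsufficientReserve: u64 = 0;
    const EEmptyReserve: u64 = 1;

    /// Simplified market state; field names are assumptions.
    public struct Market has key {
        id: UID,
        py_index_stored: u128, // index feeding interest, yield and conversion math
        sy_reserve: u64,
        py_reserve: u64,
    }

    /// DEFECT 1: `public` makes the flash-loan primitive callable from any
    /// other package, so arbitrary transactions can pull reserves out.
    public fun flash_loan_exposed(market: &mut Market, amount: u64): u64 {
        assert!(amount <= market.sy_reserve, EInsufficientReserve);
        market.sy_reserve = market.sy_reserve - amount;
        amount
    }

    /// Hardened: no visibility modifier means module-private, which is the
    /// "internal non-callable" configuration the initial audit reviewed.
    fun flash_loan(market: &mut Market, amount: u64): u64 {
        assert!(amount <= market.sy_reserve, EInsufficientReserve);
        market.sy_reserve = market.sy_reserve - amount;
        amount
    }

    /// DEFECT 2: a quote that borrows `&mut Market` can, and here does, write
    /// py_index_stored, so a read-only call path moves the index that prices
    /// every position.
    public fun get_sy_amount_in_for_exact_py_out_exposed(market: &mut Market, py_out: u64): u64 {
        assert!(market.py_reserve > 0, EEmptyReserve);
        let index = ((market.sy_reserve as u128) * SCALE) / (market.py_reserve as u128);
        market.py_index_stored = index; // state write inside a "query"
        (((py_out as u128) * index) / SCALE) as u64
    }

    /// Hardened: borrowing `&Market` turns the assignment above into a
    /// compile-time error, so the quote can only read the stored index.
    public fun get_sy_amount_in_for_exact_py_out(market: &Market, py_out: u64): u64 {
        (((py_out as u128) * market.py_index_stored) / SCALE) as u64
    }
}
```

The hardened quote is what an audit expects a read-only swap-quoting helper to look like: the reference type, not a code comment, is what guarantees it cannot touch py_index_stored.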

A single-signature deployment address enabled the unauthorized contract version deployment. That version remained the active code until the exploit occurred, despite the security procedures implemented afterwards. April's transition to multi-signature upgrade protocols failed to address the fundamental issue: the developer transferred only the contract caps while keeping the vulnerable code in place rather than deploying the audit-confirmed version.

"Nemo Protocol loses $2.4M to hackers on Sui blockchain as TVL crashes 75% from $6.3M, marking the third major DeFi hack this month alone. #Sui #Nemo"
— @cryptonews, September 8, 2025

Fund Recovery and Security Remediation Efforts

Stolen assets totaling $2.59 million were quickly moved through a sophisticated laundering process. The attacker wallet initiated cross-chain transfers at 16:10 UTC via Wormhole CCTP before the final aggregation on Ethereum.

However, security teams established monitoring of the holding address while coordinating with centralized exchanges on freezing the assets. White-hat agreement frameworks and a hacker bounty program were also put in place to encourage the return of funds.

As for the remediation effort, emergency incremental audits were submitted to Asymptotic, with plans for additional independent security firm reviews. Manual-fix functions were also integrated into new contract patches to enable restoration of corrupted contract state through the multi-signature wallet.

As a result of the hack, the total value locked instantly collapsed from $6.3 million to $1.63 million as users withdrew over $3.8 million worth of USDC and SUI tokens.
