Nemo Protocol Issues NEOM Debt Tokens to Compensate $2.6M Exploit Victims

Nemo Protocol launched its NEOM debt token program to compensate victims of a $2.6 million exploit that devastated the Sui-based DeFi platform on September ￰2￱ protocol will issue one NEOM token for every dollar lost, allowing users to claim debt tokens while migrating remaining assets to secure multi-audited ￰3￱ hack originated from a rogue developer who secretly deployed unaudited code containing critical vulnerabilities, bypassing internal review processes through single-signature ￰4￱ attacker exploited flash loan functions incorrectly exposed as public and query functions that could modify contract state without authorization. Nemo’s total value locked collapsed from $6.3 million to $1.57 million as users withdrew over $3.8 million worth of USDC and SUI tokens following the ￰5￱ exploit occurred during one of crypto’s worst security days in 2025, coinciding with SwissBorg’s $41.5 million SOL hack and the Yala stablecoin depeg ￰6￱ Update: Following the September 8 security incident, Nemo Protocol has finalized a comprehensive compensation ￰7￱ remain committed to transparency and ￰8￱ are deeply grateful to our community and partners for their trust and support, and we will… ￰9￱ — Nemo (@nemoprotocol) September 15, 2025 Rogue Developer’s Secret Code Deployment Triggers Security Catastrophe The post-mortem investigation revealed systematic security failures dating to January 2025 when the unnamed developer submitted code containing unaudited features to MoveBit ￰10￱ developer failed to highlight new additions while mixing previously audited fixes with unreviewed functionality, creating a compromised ￰11￱ issued its final audit report based on incomplete information, as the developer used unauthorized smart contract ￰12￱ team deployed contract version 0xcf34 using a single-signature address 0xf55c, rather than audit-confirmed hashes, thereby circumventing established review protocols ￰13￱ team identified the critical C-2 vulnerability in August, warning that functions could modify code without ￰14￱ developer dismissed severity concerns and failed to implement necessary fixes despite available support from security ￰15￱ execution began at 16:00 UTC on September 7 with hackers leveraging the flash loan function and a known query ￰16￱ occurred thirty minutes later when YT yields displayed over 30x returns, indicating system compromise. @nemoprotocol blames $2.6M exploit on rogue developer who deployed unaudited code with flash loan vulnerabilities, bypassing reviews. #Sui #Crypto #hack ￰0￱ — ￰17￱ (@cryptonews) September 11, 2025 The developer drew inspiration from Aave and Uniswap protocols to maximize composability through flash loan capabilities, but critically underestimated security ￰18￱ designed for read-only purposes contained write capabilities, creating the primary attack vector that enabled the devastating ￰19￱ Recovery Program Offers Market-Based Exit Strategy The three-step recovery program begins with asset migration, allowing users to transfer residual value from compromised pools to new secure contracts through one-click ￰20￱ simultaneously receive NEOM debt tokens pegged 1:1 to their USD losses determined by pre-hack ￰21￱ will inject value into NEOM through a multi-tiered redemption waterfall model, with recovered hacker funds forming the primary source for proportional ￰22￱ capital injections, such as liquidity loans and strategic investments, will provide secondary support as confidence ￰23￱ protocol established immediate AMM liquidity pools with significant depth on major Sui DEXs, creating instant market-based exit paths for users prioritizing liquidity over long-term ￰24￱ NEOM/USDC trading pair enables market pricing based on perceived recovery timelines and protocol success ￰25￱ hack contributes to 2025’s devastating DeFi security crisis, with over $2.37 billion lost across 121 incidents during the first half ￰26￱ emerged as particularly destructive with SwissBorg’s SOL compromise, npm supply chain attacks affecting billions of downloads , and the Yala stablecoin losing its dollar ￰27￱ Yala stablecoin ($YU), a Bitcoin-native over-collateralized stablecoin backed by Polychain, lost its dollar peg after a protocol attack sent $YU crashing to $0.2074. #Stablecoin #Bitcoin ￰1￱ — ￰28￱ (@cryptonews) September 14, 2025 Particularly, the Yala stablecoin (YU) attack , which happened this weekend, saw YU lose its dollar peg following a protocol attack that sent the Bitcoin-native over-collateralized stablecoin crashing to $0.2074 before recovering to $0.917.

The suspected attacker minted 120 million YU tokens on Polygon and sold 7.71 million across Ethereum and Solana for 7.7 million ￰29￱ Nemo Protocol, stolen assets totaling $2.59 million moved through sophisticated laundering operations via Wormhole CCTP before final aggregation on ￰30￱ teams established monitoring protocols for holding addresses while coordinating with centralized exchanges on potential asset freezing ￰31￱ protocol implemented emergency incremental audits with Asymptotic while planning additional independent security firm reviews.