Nemo Protocol rolls out debt token plan for $2.6M hack victims

Sui-based yield trading platform Nemo Protocol has announced a debt token compensation program for users affected by a $2.59 million exploit on September ￰0￱ repayment plan comes after the project’s team admitted an unaudited code change left its system vulnerable to ￰1￱ a blog post published Sunday on Notion, Nemo revealed a three-step recovery plan based on the issuance of NEOM debt ￰2￱ program is meant to return value to victims over time through a dedicated redemption pool funded by recovered assets, liquidity loans, and ￰3￱ will receive NEOM tokens pegged 1:1 to the value of their losses in USD terms, based on an onchain snapshot taken when the protocol was paused. “ While we would have preferred to reimburse everyone directly in USD, we do not have sufficient funds or capital raised to do so, which is why we adopted the debt token strategy as the most viable path forward ,” the yield trading protocol team ￰4￱ protocol issues three-step recovery path The first phase of the recovery plan will see users reclaim the residual value left in compromised pools through a one-click ￰5￱ assets will be transferred into new, multi-audited smart contracts managed jointly by Nemo and its ￰6￱ second phase is the distribution of NEOM tokens, where, after completing the migration process, victims will simultaneously receive debt tokens equivalent to their ￰7￱ example, a $1 loss translates to one NEOM ￰8￱ last phase gives them choices of how to handle their ￰9￱ affected by the hack can immediately exit through automated market makers or hodl the tokens while awaiting recovery from frozen or reclaimed ￰10￱ has also launched a dedicated portal to support affected users, a one-stop module with three main features, including eligibility and loss ￰11￱ a user connects their wallet, the system automatically identifies positions on all affected pools and displays three figures: original asset value, residual value, and total ￰12￱ is a one-click claim tool, where users can transfer all residual liquidity provider tokens and yield tokens into secure contract pools with a single ￰13￱ but not least is the NEOM claim module, which shows the exact number of debt tokens allocated to each user based on their total loss and an option to “claim NEOM.” Nemo exploiter took advantage of flawed smart contract According to a post-mortem report from Nemo, a malicious actor used a flaw in Nemo’s smart contract design to execute the ￰14￱ security company PeckShield reported that the attacker stole Circle’s USDC stablecoin, bridging the tokens from Arbitrum to Ether before dispersing them through several laundering ￰15￱ the protocol’s smart contract lies a flaw lay function which helps the trading platform reduce ￰16￱ code, called “get_sy_amount_in_for_exact_py_out,” was added onchain in January without the necessary audit from smart contract firm ￰17￱ when an upgrade was installed in April to tighten deployment checks, the vulnerable code had already been embedded in ￰18￱ attacker initiated cross-chain transfers at 16:10 UTC on September 7 via Wormhole’s Circle cross-chain transfer protocol (CCTP).

In total, $2.59 million of Nemo’s funds was rapidly siphoned using flash loans from pools including sUSDC, sbUSDT, and sSUI. Asymptotic’s team identified the vulnerability in a preliminary report delivered to Nemo on August 11. However, the platform conceded that it failed to address the issue in time before attackers found the ￰19￱ releasing a full prognosis of the exploit, Nemo has been coordinating with blockchain security teams and centralized exchanges (CEXs) to freeze stolen ￰20￱ seen where it ￰21￱ in Cryptopolitan Research and reach crypto’s sharpest investors and builders.