
Nemo Protocol Blames $2.6M Exploit on Developer Who Deployed Unaudited Code


Nemo Protocol released a comprehensive post-mortem blaming a rogue developer for deploying unaudited code containing critical vulnerabilities that enabled a $2.59 million exploit on September 7.

The DeFi yield platform detailed how the unnamed developer secretly launched new features without audit approval and used unauthorized smart contract versions.

The attack exploited two key vulnerabilities: a flash loan function incorrectly exposed as public, and a query function that could modify contract state without authorization.

Hackers bridged the stolen funds to Ethereum through Wormhole CCTP, with $2.4 million currently held in the hacker's address.

How it All Started

The root cause traces back to January 2025, when a developer submitted code containing unaudited features to MoveBit auditors.

The developer failed to highlight the new additions while mixing previously audited fixes with unreviewed functionality.

MoveBit issued its final audit report based on incomplete information. The same developer then deployed contract version 0xcf34 using the single-signature address 0xf55c rather than the audit-confirmed hash, bypassing internal review processes.

The Asymptotic team identified the critical C-2 vulnerability in August, warning that some functions could modify code without permission.

The developer dismissed the severity and did not implement the necessary fixes despite the support available.

Attack execution began at 16:00 UTC on September 7, with the hackers leveraging the flash loan function and the get_sy_amount_in_for_exact_py_out query vulnerability.

The team detected anomalies thirty minutes later, when YT yields displayed returns of over 30x.

The Developer’s Secret Code Deployment

In late 2024, the preliminary audit submissions correctly configured flash_loan as an internal, non-callable function while the development teams iterated on features.

The developer drew inspiration from the Aave and Uniswap protocols to maximize composability through flash loan capabilities.

However, the implementation critically underestimated the security risks and incorrectly used public methods rather than internal functions.

The query function mentioned earlier, intended to enhance the swap quoting mechanism, contained implementation errors.

Functions designed for read-only purposes were coded with write capabilities, creating the primary attack vector.

On January 5, 2025, the developer integrated the unaudited features into the final codebase after receiving MoveBit's preliminary audit report.

The merged version contained both the fixed issues and the new unaudited features, without explicit scope highlighting.

The developer communicated directly with the MoveBit team on January 6, obtaining the final audit reports through modification of earlier versions.

Instead of using the confirmation hashes from the audit reports, separate upgrades and deployments occurred without the internal team's knowledge.

The single-signature deployment address enabled unauthorized activation of the contract version. This version remained in the active code until the exploit occurred, despite the security procedures implemented afterwards.

April's transition to multi-signature upgrade protocols failed to address the fundamental issue.

The developer transferred only the contract caps while keeping the vulnerable code in place rather than deploying the audit-confirmed versions.
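The two mistakes the post-mortem describes, as an added Sui Move illustration that is not Nemo Protocol's code: the module name, the pool struct and its fields, and the quote arithmetic are assumptions chosen to make the mistakes visible, and the hot-potato receipt is Sui's standard pattern for a flash loan that must be public, shown as one hardening option rather than the fix the post-mortem prescribes (which is keeping the function internal).

```move
// Added illustration, not Nemo Protocol's code. Names, fields and the
// quote formula are assumptions chosen to make the two mistakes visible.
module example::pool_example {
    use sui::balance::{Self, Balance};
    use sui::coin::{Self, Coin};
    use sui::object::UID;
    use sui::sui::SUI;
    use sui::tx_context::TxContext;

    const EInsufficientLiquidity: u64 = 0;
    const ERepayTooSmall: u64 = 1;

    /// Hypothetical pool: a SUI reserve, a fee, and a cached quote field
    /// that exists only to show a "query" writing state.
    public struct Pool has key {
        id: UID,
        reserve: Balance<SUI>,
        fee_bps: u64,
        last_quote: u64,
    }

    // ---- Mistake 1: flash loan visibility -------------------------------
    // The audited form: no `public`, so only this module's own functions can
    // call it and the borrow/repay pairing stays under the module's control.
    fun flash_loan_internal(pool: &mut Pool, amount: u64, ctx: &mut TxContext): Coin<SUI> {
        assert!(balance::value(&pool.reserve) >= amount, EInsufficientLiquidity);
        coin::take(&mut pool.reserve, amount, ctx)
    }
    // The deployed form, per the post-mortem, changed that one keyword to
    // `public`, letting any transaction pull liquidity out of the pool with
    // nothing in the type system forcing it back. Kept as a comment so this
    // module contains no such entry point:
    //   public fun flash_loan(pool: &mut Pool, amount: u64, ctx: &mut TxContext): Coin<SUI>

    // If a flash loan must be public, Sui's hot-potato pattern restores the
    // obligation: `FlashReceipt` has no abilities, so it cannot be stored,
    // copied or dropped, and the only way to consume it is `repay` in the
    // same transaction.
    public struct FlashReceipt { amount: u64 }

    public fun flash_loan(pool: &mut Pool, amount: u64, ctx: &mut TxContext): (Coin<SUI>, FlashReceipt) {
        let borrowed = flash_loan_internal(pool, amount, ctx);
        (borrowed, FlashReceipt { amount })
    }

    public fun repay(pool: &mut Pool, payment: Coin<SUI>, receipt: FlashReceipt) {
        let FlashReceipt { amount } = receipt;
        assert!(coin::value(&payment) >= amount, ERepayTooSmall);
        balance::join(&mut pool.reserve, coin::into_balance(payment));
    }

    // ---- Mistake 2: a quote helper that writes ---------------------------
    // Taking `&mut Pool` lets a "read-only" query mutate the pool; any caller
    // who can reach it can change state the rest of the module trusts.
    public fun quote_with_side_effect(pool: &mut Pool, py_out: u64): u64 {
        let quote = py_out + (py_out * pool.fee_bps) / 10_000;
        pool.last_quote = quote;   // state change hidden inside a query
        quote
    }

    // Hardened: `&Pool` is an immutable reference, so a write to any field
    // is a compile-time error rather than something a reviewer has to spot.
    public fun quote(pool: &Pool, py_out: u64): u64 {
        py_out + (py_out * pool.fee_bps) / 10_000
    }
}
```

The review check this encodes is mechanical: every function whose name reads like a query should take `&Pool`, not `&mut Pool`, and every function that hands out pool funds should either be module-internal or return a receipt the caller cannot drop. Both properties can be confirmed by grepping the signatures in a diff, which is the kind of scope highlighting the post-mortem says was missing.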

Fund Recovery and Security Remediation Efforts

The stolen assets, totaling $2.59 million, were quickly moved through sophisticated laundering operations.

The primary attacker wallet initiated cross-chain transfers at 16:10 UTC via Wormhole CCTP before the final aggregation on Ethereum.

However, security teams established monitoring protocols for the holding address while coordinating with centralized exchanges on asset freezing.

White-hat settlement frameworks and a hacker bounty program were also put in place to encourage fund recovery.

As for the remediation effort, emergency incremental audits were submitted to Asymptotic, with plans for additional independent security firm reviews.

Manual-fix functions were also integrated into the new contract patches to allow multi-signature wallet recovery of corrupted code.

As a result of the hack, the total value locked immediately collapsed from $6.3 million to $1.63 million as users withdrew over $3.8 million worth of USDC and SUI tokens.

[Chart: Nemo Protocol total value locked. Source: DefiLlama]

To compensate affected users, plans were put in place for a debt-structuring design at the tokenomics level, to be shared with the community upon finalization.

The protocol apologized for the security failures while implementing enhanced monitoring, stricter controls, additional audit checkpoints, and expanded bug bounty programs.

The exploit adds to 2025's ongoing, devastating DeFi security crisis, with over $2.37 billion in losses across 121 incidents in the first half of the year alone.

So far this year, September has emerged as particularly damaging, with SwissBorg's $41.5 million SOL hack, npm supply chain attacks affecting billions of downloads, and multiple protocol exploits happening almost simultaneously.

The post Nemo Protocol Blames $2.6M Exploit on Developer Who Deployed Unaudited Code appeared first on Cryptonews.
