Nemo Protocol, a decentralized finance (DeFi) platform built on the Sui blockchain, has confirmed that a $2.6 million exploit earlier this month stemmed from unaudited code changes introduced by one of its developers.
In a post-mortem report published late Wednesday, the team explained that the September 7 breach was triggered by two vulnerabilities: an internal flash loan function that was accidentally left open to the public and a query function flaw that enabled unauthorized contract state changes.

According to Nemo, these issues date back to January, shortly after the protocol received its first audit from blockchain security firm MoveBit. A developer later added new features that bypassed formal review, and this version of the contract was deployed to the mainnet.
The report pointed to governance as a major factor, noting that the platform relied on a single-signature upgrade system, so a single key could push contract upgrades live with no second approver. This structure allowed unaudited code to go live and failed to block risky changes. The team also admitted it had not acted on a warning from Asymptotic, another security firm, which flagged a related concern in August.
The attacker exploited both flaws to manipulate contract state and siphon assets from Nemo’s SY/PT liquidity pool. The funds were then bridged from Sui to Ethereum via Wormhole’s CCTP integration, and most of the stolen tokens remain in a single address.
In response, Nemo has paused its core functions, patched the vulnerabilities, and sent its updated code for an emergency audit. The team is also working with Sui ecosystem security groups to track the stolen assets and has begun drafting a compensation plan for affected users.
“Despite multiple audits and safeguards, we acknowledge that we relied too heavily on past assurances, rather than applying uncompromising scrutiny at every stage,” the protocol said in its report.
Nemo Protocol describes itself as a yield infrastructure and yield-trading platform on Sui, designed to help users tokenize, trade, and manage yield strategies more efficiently.