$2 590 000 USD

SEPTEMBER 2025

GLOBAL

NEMO PROTOCOL

DESCRIPTION OF EVENTS

Nemo Protocol introduces a yield infrastructure designed to make decentralized finance (DeFi) accessible to everyone. It offers a range of products, including normal yield, fixed yield, leveraged yield, and liquidity provision. The protocol holds $97.7M in total value locked (TVL) and is audited by MoveBit, ensuring a high level of security. Users can choose between yield models such as Fixed Yield, where they buy and hold tokens for a guaranteed return, or Leveraged Yield, which maximizes profits and hedges risks by collecting the future yield of underlying assets.

The platform caters to a variety of users, from individual investors to gaming apps looking to leverage DeFi for growth. Its "Yield as a Service" model offers gaming applications the opportunity to boost their growth by bridging DeFi-native yield to their platforms, providing free cash to enhance gaming experiences. For liquidity providers, there is a moderate risk option where they can earn trading fees with minimal impermanent loss, alongside additional incentives for participating in the ecosystem.


Nemo Protocol’s ecosystem includes a comprehensive Yield Trading App that allows users to secure fixed yield with just a few clicks, maximizing their profits or hedging their positions. The platform also maintains a community presence across major social media platforms like Twitter, Telegram, and Discord, fostering engagement and connection with its users. With a focus on simplicity and security, the protocol aims to become a leader in the DeFi space by making advanced yield strategies accessible to everyone, regardless of their experience level.


The Nemo Protocol team faced a security issue due to a procedural mistake and a development oversight. While the initial code audit was conducted properly, one developer inadvertently released a vulnerable version that included a public flash_loan function and a misconfigured get_sy_amount_in_for_exact_py_out function, both of which were exploitable. The flash_loan function was originally intended to allow composability with other DeFi protocols, but it relied on insecure oracles and was misused. The get_sy_amount_in_for_exact_py_out function, meant to improve pricing precision, was incorrectly implemented with write capabilities, exposing the protocol to attacks. After receiving MoveBit's initial audit, the team failed to flag the new, unaudited features when submitting the final code, and the vulnerability was subsequently exploited.

The breach of the Nemo Protocol occurred when a developer released unaudited code that was vulnerable to exploit through flash loans. This release bypassed critical internal review processes, leading to security flaws in the codebase, including an exposed flash_loan function and a bug in a query function that allowed unauthorized modifications to the smart contract’s internal state. These vulnerabilities enabled hackers to exploit the SY/PT liquidity pool, leading to a significant financial loss of approximately $2.59 million on September 7, 2025. The breach was exacerbated by the use of a single-signature governance model, which allowed the deployment of this unaudited code without proper scrutiny.


The core of the attack involved two key vulnerabilities. First, the flash_loan function, which was intended to be internal, was mistakenly exposed to the public, although it was not the primary attack vector. It acted as an accelerant for the exploit, allowing the attacker to take advantage of other weaknesses. Second, the get_sy_amount_in_for_exact_py_out query function contained a flaw that allowed the attacker to modify the contract’s internal state. This vulnerability stemmed from a failure during the audit process: the developer introduced new, unaudited features into the code between the initial and final audits, which were subsequently deployed to the mainnet. This lapse in the audit process was compounded by the use of a single-signature governance structure that failed to prevent the unaudited code’s deployment.
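
The two defect classes named above (a pricing query that can write state, and a flash loan reachable by any caller) are easiest to see side by side. The following is an added illustration written for this page in Rust, not Nemo Protocol's Move code: it models a toy SY/PT constant-product market, with Rust's `&`/`&mut` and `pub`/`pub(crate)` standing in for Move's `&`/`&mut` and `public`/`public(package)`. The function names come from the report; the pricing arithmetic, the `Market` struct, the `lend` helper and the `quote_leaves_state_untouched` review check are constructed assumptions.

```rust
// Added illustration, not Nemo Protocol code. A toy SY/PT constant-product market
// showing a "query" that mutates state next to its read-only form, plus the
// visibility distinction for a flash loan. All numbers and formulas are constructed.

#[derive(Debug, Clone, PartialEq)]
pub struct Market {
    pub sy_reserve: u128,
    pub pt_reserve: u128,
}

/// Constant-product quote: SY that must come in so that exactly `py_out` PT leaves,
/// rounded up in the pool's favour. Pure function of the reserves: no state touched.
fn quote_sy_in(sy_reserve: u128, pt_reserve: u128, py_out: u128) -> (u128, u128, u128) {
    assert!(py_out < pt_reserve, "quote would drain the PT side");
    let k = sy_reserve * pt_reserve;
    let new_pt = pt_reserve - py_out;
    let new_sy = k / new_pt + 1;
    (new_sy - sy_reserve, new_sy, new_pt)
}

/// Lend `amount` SY to `borrower` and insist it comes back within the same call.
fn lend<F: FnOnce(u128) -> u128>(market: &mut Market, amount: u128, borrower: F) -> Result<(), &'static str> {
    if amount > market.sy_reserve {
        return Err("insufficient liquidity");
    }
    market.sy_reserve -= amount;
    let repaid = borrower(amount);
    if repaid < amount {
        // On-chain this would be an abort that reverts the whole transaction;
        // here the debit is undone by hand so the model stays consistent.
        market.sy_reserve += amount;
        return Err("flash loan not repaid");
    }
    market.sy_reserve += repaid;
    Ok(())
}

pub mod vulnerable {
    use super::{lend, quote_sy_in, Market};

    /// The defect: a "query" that takes `&mut Market` and commits the hypothetical
    /// swap it just computed. Every quote silently moves the pool's exchange rate.
    pub fn get_sy_amount_in_for_exact_py_out(market: &mut Market, py_out: u128) -> u128 {
        let (sy_in, new_sy, new_pt) = quote_sy_in(market.sy_reserve, market.pt_reserve, py_out);
        market.sy_reserve = new_sy; // BUG: a quote must never write state
        market.pt_reserve = new_pt;
        sy_in
    }

    /// Exposed to every caller, so it composes with the mutable query above.
    pub fn flash_loan<F: FnOnce(u128) -> u128>(market: &mut Market, amount: u128, borrower: F) -> Result<(), &'static str> {
        lend(market, amount, borrower)
    }
}

pub mod hardened {
    use super::{lend, quote_sy_in, Market};

    /// Same arithmetic, but the signature takes `&Market`: the compiler rejects any
    /// write, so the quote cannot move the exchange rate however often it is called.
    pub fn get_sy_amount_in_for_exact_py_out(market: &Market, py_out: u128) -> u128 {
        quote_sy_in(market.sy_reserve, market.pt_reserve, py_out).0
    }

    /// Reachable only from inside this crate (the Move analogue is `public(package)`),
    /// so external callers cannot borrow pool liquidity directly.
    pub(crate) fn flash_loan<F: FnOnce(u128) -> u128>(market: &mut Market, amount: u128, borrower: F) -> Result<(), &'static str> {
        lend(market, amount, borrower)
    }
}

/// Review check: a quoting function must leave the market exactly as it found it.
/// Returns true when calling `quote` on a copy of `market` changes nothing.
pub fn quote_leaves_state_untouched(quote: fn(&mut Market, u128) -> u128, market: &Market, py_out: u128) -> bool {
    let mut scratch = market.clone();
    quote(&mut scratch, py_out);
    scratch == *market
}

fn main() {
    let market = Market { sy_reserve: 1_000_000, pt_reserve: 1_000_000 };
    let vulnerable_ok = quote_leaves_state_untouched(vulnerable::get_sy_amount_in_for_exact_py_out, &market, 100_000);
    let hardened_ok = quote_leaves_state_untouched(
        |m: &mut Market, p: u128| hardened::get_sy_amount_in_for_exact_py_out(m, p),
        &market,
        100_000,
    );
    println!("vulnerable query leaves state untouched: {}", vulnerable_ok);
    println!("hardened query leaves state untouched:   {}", hardened_ok);
}
```

The point of the `quote_leaves_state_untouched` check is that it is cheap to run against every view-style function in a review: in the vulnerable module the same quote asked twice returns two different prices because the first call rewrote the reserves, while the hardened signature makes that class of bug a compile error rather than an audit finding.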


The exploit unfolded in two phases. In the first phase, the attacker used the flash_loan function in conjunction with other calls to manipulate the internal state, ultimately draining the SY/PT liquidity pool by minting a large amount of SY. In the second phase, the pool’s imbalanced exchange rate created an opportunity for arbitrageurs to extract further assets by using the manipulated price to claim rewards. This attack was not fully mitigated even after the Asymptotic team warned the developer about a related vulnerability, which could have been addressed with their support.


The losses have been widely estimated at $2.6m USD, while CoinTelegraph provides a slightly more refined $2.59m USD.


After the discovery of the exploit, the Nemo Protocol team acted swiftly to mitigate the damage by using their multi-sig wallet to initiate a protocol pause. They immediately contacted the Sui Foundation and its security team, along with other security providers in the Sui ecosystem, to investigate the attack. After ruling out a Remove Liquidity bug and a simple oracle attack, the team identified the root cause as a combination of a flash loan and price manipulation exploit. Further fund tracing revealed that most of the stolen assets had been bridged to Ethereum via the CCTP.


The Nemo Protocol team began filing reports with major law enforcement agencies while also coordinating with security firms, centralized exchanges (CEXs), and ecosystem partners to explore liquidity solutions and track down the hackers. At the same time, they formulated a white-hat recovery plan aimed at recovering stolen funds and preventing further exploitation. Throughout the process, the team remained transparent with the community, maintaining open lines of communication and updating stakeholders on the progress of their recovery efforts.


Shortly after the attack, the stolen assets were moved off the Sui network to Ethereum via the Wormhole CCTP bridge, making them difficult to recover.

The majority of the $2.6 million sits in a single wallet address that security teams are monitoring. Nemo Protocol has permanently halted smart contract updates and submitted its patched code for an emergency audit.

Nemo Protocol announced a bounty of $380,000, available to anyone who provides decisive and verifiable evidence that leads to the recovery of the funds.

To address the financial losses from the exploit, Nemo Protocol introduced a recovery mechanism through the issuance of NEOM debt tokens, with each token representing $1 of user loss. Because the protocol lacked the liquidity to fully compensate users in USD, it created a system where users could migrate their remaining assets from the compromised pools into a new contract and receive NEOM tokens equivalent to their losses. This approach allowed users to participate in the recovery process while the protocol worked on regaining funds.


Users holding NEOM tokens were given two options: they could either exit immediately through an automated market maker (AMM) pool, or hold onto their tokens in hopes of future redemption from recovered assets. To facilitate exits, Nemo launched a liquidity pool on a major DEX on Sui, pairing NEOM with USDC. Meanwhile, any funds recovered from the attacker or other sources would be deposited into a redemption pool, allowing token holders to gradually reclaim value over time based on available funds.
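
The redemption side of the plan described above is a pro-rata debt pool, and the accounting details matter for whether holders are paid fairly as recoveries trickle in. The following is an added illustration written for this page, not Nemo's contract: it assumes recovered funds are shared pro rata by debt-token balance, that payouts are floored so the pool can never over-pay, that the pool owes at most $1 per token (the page's 1 token = $1 of loss), and, for simplicity, that a holder's balance is fixed (token transfers through the AMM are not modelled). The `RedemptionPool` type, its methods and all sample numbers are constructed.

```rust
// Added illustration, not Nemo Protocol code: a debt-token redemption pool that
// shares recovered funds pro rata. Assumes a fixed balance per holder.
use std::collections::HashMap;

#[derive(Debug)]
pub struct RedemptionPool {
    /// Total debt tokens minted; 1 token = $1 of user loss (per the report).
    pub total_debt: u128,
    /// Cumulative dollars deposited from recoveries, capped at `total_debt`.
    pub recovered: u128,
    /// Dollars each holder has already redeemed, keyed by holder id.
    claimed: HashMap<String, u128>,
}

impl RedemptionPool {
    pub fn new(total_debt: u128) -> Self {
        assert!(total_debt > 0, "a pool with no debt has nothing to redeem");
        RedemptionPool { total_debt, recovered: 0, claimed: HashMap::new() }
    }

    /// Recovered funds enter the pool. Anything beyond full repayment is not owed
    /// to token holders, so the cumulative figure is capped at `total_debt`.
    pub fn deposit_recovery(&mut self, amount: u128) {
        self.recovered = (self.recovered + amount).min(self.total_debt);
    }

    /// Cumulative entitlement of `balance` tokens: balance * recovered / total_debt,
    /// floored so rounding dust stays in the pool rather than over-paying anyone.
    fn entitlement(&self, balance: u128) -> u128 {
        assert!(balance <= self.total_debt, "balance exceeds total debt");
        balance * self.recovered / self.total_debt
    }

    /// What `holder` can redeem right now: entitlement so far minus what was paid already.
    pub fn claimable(&self, holder: &str, balance: u128) -> u128 {
        self.entitlement(balance) - self.claimed.get(holder).copied().unwrap_or(0)
    }

    /// Pay out whatever is claimable, record it, and return the amount paid.
    pub fn redeem(&mut self, holder: &str, balance: u128) -> u128 {
        let amount = self.claimable(holder, balance);
        *self.claimed.entry(holder.to_string()).or_insert(0) += amount;
        amount
    }
}

fn main() {
    // Constructed scenario: $2.59M of debt, 10% recovered, one holder with 100k tokens.
    let mut pool = RedemptionPool::new(2_590_000);
    pool.deposit_recovery(259_000);
    println!("alice can claim {} now", pool.claimable("alice", 100_000));
    println!("alice redeemed {}", pool.redeem("alice", 100_000));
    pool.deposit_recovery(259_000);
    println!("after a second recovery alice can claim {}", pool.claimable("alice", 100_000));
}
```

Two properties are worth checking in any such design: each deposit raises every holder's entitlement by the same fraction, and the cap plus flooring together guarantee the pool never pays out more than it received, even if recoveries eventually exceed the original loss.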


Nemo is also collaborating with blockchain security professionals to track the stolen tokens. The user compensation program continues.

The Nemo Protocol, a decentralized finance platform, was exploited after a developer released unaudited code containing vulnerabilities, including a public flash_loan function and a misconfigured query function, leading to a $2.6 million loss. The exploit drained assets from the SY/PT liquidity pool, and the stolen funds were bridged to Ethereum, making recovery difficult. In response, the team paused the protocol, identified the root cause, and implemented a recovery plan by issuing NEOM debt tokens to compensate users for their losses. Users can exit through a liquidity pool or hold the tokens for future recovery, while Nemo also offered a $380,000 bounty for information leading to the stolen funds' recovery, continuing to work with security professionals to track the assets and restore the protocol.

Sources And Further Reading

https://suiscan.xyz/mainnet/account/0x01229b3cc8469779d42d59cfc18141e4b13566b581787bf16eb5d61058c1c724/activity (Oct 8)
Nemo Protocol Issues NEOM Debt Tokens to Compensate $2.6M Exploit Victims (Oct 8)
Nemo Protocol Blames $2.6M Exploit on Developer Who Deployed Unaudited Code (Oct 8)
Nemo Protocol launches debt token program for $2.6 million exploit victims (Oct 8)
Auditor Flagged Issue Before $2.59M Nemo Hack, Team Admits (Oct 8)
Nemo Protocol Launches Debt Token Plan for Exploit Victims (Oct 8)
Nemo Protocol Exploit: Unvetted Code Lost Nemo $2.6M. (Oct 8)
Nemo Protocol exploited for $2.4 million (Oct 8)
Nemo Protocol - "Nemo is working as part of @SuiNetwork’s $10M Ecosystem Security Expansion program, to bring: Protection from scams & malicious dApps; Real-time exploit alerts; Stronger, more resilient contracts. Together, Nemo'll keep improving to ensure safety." - Twitter/X (Oct 8)
Nemo Security Incident: Cause, Process, and Fund Tracing Report V1.1 (Oct 8)
Nemo Protocol - "Nemo experienced a security incident that occurred last night, impacting the Market pool. We are investigating the matter and have suspended all smart contract activity for the time being. We plan to share when more information becomes available. All Vault assets remain untouched. Our team, together with partners, is actively working on solutions. We need your patience and trust as we ensure Nemo returns to normal operations." - Twitter/X (Oct 8)
Nemo Protocol Homepage (Oct 8)
Nemo Protocol Twitter/X Account (Oct 8)
