
Unaudited Code Deployment Drains $2.59 Million From Nemo Protocol on Sui Network

The Sui-based DeFi yield trading protocol Nemo suffered a devastating security breach on September 7, 2025, with attackers exploiting unaudited contract code to drain approximately $2.59 million in user funds from the protocol’s SY/PT liquidity pool. The incident exposes a persistent and dangerous pattern in DeFi development: deploying code changes without independent security review.

The Exploit Mechanics

The attack vector combined two critical vulnerabilities that had been silently lurking in Nemo’s smart contracts since January 2025. According to the protocol’s own post-mortem report, a developer introduced two unreviewed code changes after MoveBit completed its initial security audit: a flash loan function that was mistakenly set to public visibility, and a query function that permitted unauthorized state modifications to the contract’s internal pricing logic.

On September 7, attackers exploited these twin flaws in a coordinated strike. They leveraged the exposed flash loan capability to borrow significant capital within a single atomic transaction, then manipulated the faulty query function to distort the protocol’s internal pricing oracle. By feeding manipulated price data back into the system, the attackers were able to mint a large quantity of SY tokens at artificially deflated values, ultimately draining the SY/PT pool of its holdings.

The stolen funds were rapidly bridged from the Sui network to Ethereum via Wormhole’s cross-chain transfer protocol. As of the latest on-chain tracking, approximately $2.4 million in assets remains consolidated in a single Ethereum wallet, with secondary arbitrageurs also extracting additional value from the manipulated pool during the chaos.

Affected Systems

Nemo Protocol operates as a yield trading platform built on the Sui blockchain, offering users leveraged positions through its SY and PT token mechanism. The breach directly impacted all users holding positions in the SY/PT liquidity pool, which constituted the protocol’s primary trading venue.

This incident marks the seventh major exploit linked to the Sui ecosystem within the past twelve months, a worrying trend that includes the catastrophic $223 million Cetus breach in May 2025. While the Nemo hack is considerably smaller in financial terms, it raises fundamental questions about the security practices employed by protocols building on the Sui network.

September 2025 has proven to be one of the most damaging months for crypto security this year. CertiK reported $155.9 million in total losses across 14 major incidents, with wallet compromises alone accounting for $100.8 million.

The Mitigation Strategy

Upon detecting unusual yield fluctuations, the Nemo team halted all protocol operations and initiated an emergency response. The technical mitigation involved three steps: removing the compromised flash loan function entirely, locking all query methods to read-only access, and engaging the security firm Asymptotic for an emergency re-audit of the entire codebase.
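The two defects described under "The Exploit Mechanics" (a flash loan helper whose visibility was widened to public, and a query function that gained the ability to mutate state) and the first two mitigation steps above (remove the function, lock queries to read-only) are both signature-level changes that a pre-deploy diff against the audited source can catch. The checker below is an added example, not Nemo's code or its post-mortem tooling: the module, function and type names (`example::pool`, `flash_loan`, `quote_price`, `Pool<T>`, `FlashReceipt`) are constructed, the three sample sources are constructed, and the visibility ordering the checker uses is its own assumption, stated in the code.

```python
"""Added example: a pre-deploy review gate that diffs Move function signatures
between the audited source and a candidate build and flags (a) visibility
widening and (b) a parameter changing from `&T` to `&mut T`.  All sample
sources below are constructed for illustration, not Nemo's code."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed widening order for this checker: private < package/friend < entry < public.
VIS_RANK = {None: 0, "public(friend)": 1, "public(package)": 1, "entry": 2, "public": 3}

# Head of a single-line Move function declaration: optional visibility, optional
# `entry`, the name, optional type parameters and the parameter list.
FUN_RE = re.compile(
    r"^[ \t]*(?:(?P<vis>public\(package\)|public\(friend\)|public|entry)[ \t]+)?"
    r"(?:entry[ \t]+)?fun[ \t]+(?P<name>\w+)[ \t]*(?:<[^>]*>)?[ \t]*\((?P<params>[^)]*)\)",
    re.MULTILINE,
)


@dataclass(frozen=True)
class Sig:
    name: str
    visibility: Optional[str]   # None means private
    params: tuple               # ((parameter name, type text), ...)


def split_params(params: str) -> list:
    """Split a parameter list on top-level commas (commas inside <...> are kept)."""
    out, cur, depth = [], [], 0
    for ch in params:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    return out


def parse_functions(source: str) -> dict:
    """Map function name -> Sig for every function declaration in the source."""
    sigs = {}
    for m in FUN_RE.finditer(source):
        params = []
        for p in split_params(m.group("params")):
            pname, _, ptype = p.partition(":")
            params.append((pname.strip(), " ".join(ptype.split())))
        sigs[m.group("name")] = Sig(m.group("name"), m.group("vis"), tuple(params))
    return sigs


def is_mutable_ref(ptype: str) -> bool:
    return ptype.startswith("&mut")


def review_signatures(audited: str, candidate: str) -> list:
    """Return findings as strings; an empty list means no risky signature change."""
    before, after = parse_functions(audited), parse_functions(candidate)
    findings = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            findings.append(f"{name}: new {new.visibility or 'private'} function absent from audited source")
            continue
        if VIS_RANK[new.visibility] > VIS_RANK[old.visibility]:
            findings.append(f"{name}: visibility widened from {old.visibility or 'private'} to {new.visibility}")
        old_types = dict(old.params)
        for pname, ptype in new.params:
            old_type = old_types.get(pname)
            if old_type is not None and is_mutable_ref(ptype) and not is_mutable_ref(old_type):
                findings.append(f"{name}: parameter '{pname}' changed from {old_type} to {ptype} (now allows state mutation)")
    # Removed functions are deliberately not flagged: deleting code is the safe direction.
    return findings


# Constructed sample sources (hypothetical module, not Nemo's code).
AUDITED_SRC = """\
module example::pool {
    // Internal helper, only callable from within this module.
    fun flash_loan<T>(pool: &mut Pool<T>, amount: u64, ctx: &mut TxContext): (Coin<T>, FlashReceipt) { /* ... */ }

    // Read-only query: an immutable reference cannot change pool state.
    public fun quote_price<T>(pool: &Pool<T>): u64 { /* ... */ }
}
"""

UNREVIEWED_SRC = """\
module example::pool {
    public fun flash_loan<T>(pool: &mut Pool<T>, amount: u64, ctx: &mut TxContext): (Coin<T>, FlashReceipt) { /* ... */ }

    public fun quote_price<T>(pool: &mut Pool<T>): u64 { /* ... */ }
}
"""

HARDENED_SRC = """\
module example::pool {
    // flash_loan removed entirely; queries locked to read-only access.
    public fun quote_price<T>(pool: &Pool<T>): u64 { /* ... */ }
}
"""

if __name__ == "__main__":
    for label, src in (("unreviewed change", UNREVIEWED_SRC), ("hardened build", HARDENED_SRC)):
        findings = review_signatures(AUDITED_SRC, src)
        print(f"{label}: {'BLOCK deploy' if findings else 'ok'}")
        for f in findings:
            print("  -", f)
```

Run against the unreviewed change the gate reports two findings (the widened `flash_loan` and the `&mut` query parameter); against the hardened build it reports none. A real CI gate would run this on every pull request with the audited commit pinned as the baseline, so that any change to a reviewed signature needs an explicit sign-off rather than a single developer's push.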

The most significant governance change was the protocol’s transition from single-signature to multi-signature upgrade controls. The original breach was enabled by a single-signature wallet that allowed a developer to deploy unreviewed code directly to mainnet. Nemo had actually moved to multi-sig in April 2025, but the vulnerable contract had already been active for months before that transition occurred.
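Multi-signature upgrade control only closes the hole if each approval is bound to the exact artifact being deployed; otherwise a signer is approving a description, and the bytes that reach mainnet can still differ from what was reviewed. The model below is an added example and is not Sui's or Nemo's actual upgrade machinery: it shows a k-of-n policy in which every approval, including the audit sign-off, references the digest of the compiled modules, so that no single signer can reach the threshold and approving one build never authorises a different one. The module names and bytes are constructed placeholders.

```python
"""Added example: digest-bound, k-of-n upgrade approval.  A model of the
control, not the real Sui package-upgrade mechanism."""
import hashlib
from dataclasses import dataclass, field


def build_digest(modules: dict) -> str:
    """Deterministic digest over {module name: compiled bytes}, sorted by name."""
    h = hashlib.sha256()
    for name in sorted(modules):
        h.update(name.encode())
        h.update(b"\0")
        h.update(modules[name])
        h.update(b"\0")
    return h.hexdigest()


@dataclass
class UpgradePolicy:
    signers: frozenset        # wallets allowed to approve upgrades
    threshold: int            # approvals required (k of n)
    audited_digests: set = field(default_factory=set)   # builds an auditor signed off on
    approvals: dict = field(default_factory=dict)       # digest -> set of approving signers

    def attest_audit(self, digest: str) -> None:
        """Record that an independent review covered exactly this build."""
        self.audited_digests.add(digest)

    def approve(self, signer: str, digest: str) -> int:
        """A signer approves one specific build; repeat approvals by the same signer do not add up."""
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an upgrade signer")
        self.approvals.setdefault(digest, set()).add(signer)
        return len(self.approvals[digest])

    def can_deploy(self, modules: dict) -> tuple:
        """Gate a deployment pipeline calls with the bytes it is about to publish."""
        digest = build_digest(modules)
        if digest not in self.audited_digests:
            return False, "build digest has no audit sign-off"
        n = len(self.approvals.get(digest, set()))
        if n < self.threshold:
            return False, f"{n}/{self.threshold} approvals"
        return True, "ok"


if __name__ == "__main__":
    # Constructed placeholder bytecode, not real compiled modules.
    reviewed = {"pool": b"\x01\x02\x03", "oracle": b"\x04\x05"}
    policy = UpgradePolicy(signers=frozenset({"alice", "bob", "carol"}), threshold=2)
    digest = build_digest(reviewed)
    policy.attest_audit(digest)
    policy.approve("alice", digest)
    policy.approve("alice", digest)          # same signer twice still counts once
    print("after one signer:", policy.can_deploy(reviewed))
    policy.approve("bob", digest)
    print("after two signers:", policy.can_deploy(reviewed))
    # A build that differs by one byte shares none of the approvals.
    tampered = dict(reviewed, pool=b"\x01\x02\x03\xff")
    print("tampered build:", policy.can_deploy(tampered))
```

With threshold 2 the first signer's repeated approvals leave the gate closed, the second signer opens it, and a build whose bytes differ from the audited digest is refused regardless of how many approvals the original build collected. A single-signature setup is the degenerate case `threshold=1` with one signer, which is exactly the configuration the article describes as the original failure.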

The protocol is also working with security firms, centralized exchanges, and law enforcement to trace the stolen funds and has announced a user compensation plan that may include debt restructuring.

Lessons Learned

The Nemo Protocol incident underscores several critical lessons for the DeFi industry. First, audits are not one-time events. Any code change, no matter how minor, must undergo independent security review before deployment. Second, single-signature upgrade mechanisms represent an unacceptable single point of failure for protocols managing millions in user funds. Third, when security researchers flag vulnerabilities, as Asymptotic did in August 2025, those warnings must be treated as critical priorities.

With Bitcoin trading at $111,167 and the broader crypto market holding steady, the incentive for attackers has never been higher. Protocols that treat security as an afterthought will continue to be targeted.

User Action Required

Users who held funds in Nemo Protocol’s SY/PT pool should monitor the protocol’s official channels for updates on the compensation plan. All DeFi users should verify whether the protocols they use employ multi-signature upgrade controls and whether their deployed code matches audited versions. Tools like Sourcify and Etherscan’s contract verification can help users confirm that running code corresponds to reviewed source.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.


8 thoughts on “Unaudited Code Deployment Drains $2.59 Million From Nemo Protocol on Sui Network”

1. Education remains the barrier because most crypto content is either too technical or too hype-driven. Missing the middle ground for curious newcomers.

2. amara diallo is right, mass adoption is incremental. 5 years ago explaining Bitcoin to my family was impossible. Now my aunt asks me about ETFs at dinner.

   2.1. Two unreviewed code changes sitting since January and nobody caught them until September. The audit was a checkbox, not a process.

3. $2.59M drained because a dev pushed a public flash loan function without review. A one-line visibility check would have prevented the whole thing.
