TokenTalkNews

Nemo Protocol Loses $2.6M in Sui DeFi Hack Due to Unaudited Code

Published on 2025-09-11 08:24 UTC

Sui-based DeFi platform Nemo Protocol suffered a $2.6 million exploit on Sept. 7 due to two vulnerabilities in its code: an internal flash loan function that was exposed to the public, and a flawed query function that allowed unauthorized state changes. These issues were introduced in January, when a developer added unaudited features despite prior audit reports.

The attack combined these two flaws to drain assets from the SY/PT liquidity pool, and most of the funds were moved to Ethereum via Wormhole CCTP. Governance weaknesses, including reliance on a single-signature upgrade process, and the fact that earlier security warnings were ignored contributed to the breach.

Nemo Protocol has paused core functions, patched the vulnerabilities, submitted an emergency audit, and is working on tracing funds and compensating users. The platform emphasizes yield tokenization and aims to improve DeFi interactions on Sui.
