Nemo Protocol Loses $2.59M in Exploit Due to Unaudited Code Deployment Despite Auditor Warnings

11.09.2025 11:10

The Sui-based yield trading protocol Nemo suffered a $2.59 million exploit on September 7, 2025, due to critical vulnerabilities in unaudited code that was deployed without proper security checks. According to the project's post-mortem analysis, the attack exploited a flaw in a function named "get_sy_amount_in_for_exact_py_out" which was intended to reduce slippage but instead allowed the attacker to manipulate the protocol's state.

The vulnerabilities were introduced in early January 2025 when a developer deployed new code without following proper auditing procedures. The protocol's governance structure at the time required only a single signature for deployments, enabling the unaudited code to reach production. Although blockchain security firm Asymptotic had identified the issue in a preliminary report and issued a specific warning on August 11, the Nemo team admitted they "did not adequately address this security concern in a timely manner" as they were focused on other issues.

The attacker combined two vulnerabilities: an accidentally exposed internal flash loan function and a flawed query function that enabled unauthorized state changes. This allowed the draining of assets from the SY/PT liquidity pool, with stolen funds subsequently bridged from Sui to Ethereum via Wormhole's CCTP bridge.
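The two defects described above, a query function that should have been read-only but changed state, and an internal flash loan entry point that was reachable by outsiders, are both things a pre-deployment test suite can catch. The following is an added example, not Nemo's code and not the actual vulnerable function: it models a toy SY/PT pool with a pure quote function beside a constructed buggy one, a harness that flags any "view" function that mutates state, and a flash loan guarded by an allow-list and a same-call repayment check. `Pool`, `quote_sy_in_for_exact_pt_out`, `flash_loan`, and all numbers are hypothetical.

```python
"""Added example (not Nemo's code): a toy SY/PT pool with a quote function that must be
read-only, a harness that catches a quote that mutates state, and a flash-loan entry
point gated by an allow-list. Pool, quote_*, flash_loan and all figures are constructed."""
import copy
from dataclasses import dataclass


@dataclass
class Pool:
    sy_reserve: int          # SY tokens held by the pool (constructed toy model)
    pt_reserve: int          # PT tokens held by the pool
    fee_bps: int = 30        # swap fee in basis points


def _sy_in_for_pt_out(sy_reserve: int, pt_reserve: int, pt_out: int, fee_bps: int) -> int:
    """Constant-product quote (x*y=k), rounded against the trader, plus fee."""
    if pt_out >= pt_reserve:
        raise ValueError("insufficient PT liquidity")
    gross = (sy_reserve * pt_out) // (pt_reserve - pt_out) + 1
    return gross * 10_000 // (10_000 - fee_bps) + 1


def quote_sy_in_for_exact_pt_out(pool: Pool, pt_out: int) -> int:
    """Correct form: reads the pool's current balances and writes nothing back."""
    return _sy_in_for_pt_out(pool.sy_reserve, pool.pt_reserve, pt_out, pool.fee_bps)


def quote_sy_in_for_exact_pt_out_buggy(pool: Pool, pt_out: int) -> int:
    """Constructed defect for the harness to catch (a stand-in, not the real flaw):
    the 'quote' applies the trial trade to the pool, so a caller can move reserves
    through a function that is documented as a read-only query."""
    sy_in = _sy_in_for_pt_out(pool.sy_reserve, pool.pt_reserve, pt_out, pool.fee_bps)
    pool.pt_reserve -= pt_out
    pool.sy_reserve += sy_in
    return sy_in


def view_is_pure(fn, pool: Pool, *args) -> bool:
    """Snapshot the pool, call the supposed view function, and report whether any
    field changed. Run this over every quote/query function before deployment."""
    before = copy.deepcopy(pool)
    fn(pool, *args)
    return pool == before


def flash_loan(pool: Pool, caller: str, amount: int, repay, authorized: set) -> int:
    """Internal flash loan with two guards: the caller must be on the allow-list
    (the function is not a public entry point), and the loan must be repaid within
    the same call or the state is rolled back (an on-chain tx would revert)."""
    if caller not in authorized:
        raise PermissionError(f"flash_loan is internal; {caller!r} is not authorised")
    if amount > pool.sy_reserve:
        raise ValueError("insufficient SY liquidity")
    start = pool.sy_reserve
    pool.sy_reserve -= amount
    pool.sy_reserve += repay(amount)          # borrower returns funds in the same call
    if pool.sy_reserve < start:
        pool.sy_reserve = start               # roll back: loan was not repaid in full
        raise RuntimeError("flash loan not repaid in full; rolled back")
    return pool.sy_reserve - start            # fee actually collected


if __name__ == "__main__":
    print("correct quote pure:",
          view_is_pure(quote_sy_in_for_exact_pt_out, Pool(1_000_000, 1_000_000), 10_000))
    print("buggy quote pure:  ",
          view_is_pure(quote_sy_in_for_exact_pt_out_buggy, Pool(1_000_000, 1_000_000), 10_000))
    print("loan fee collected:",
          flash_loan(Pool(1_000_000, 1_000_000), "router", 1_000, lambda a: a + 1, {"router"}))
```

The purity harness is the cheap check that was missing here: it makes no assumption about how a quote is computed, only that calling it leaves the pool unchanged, so it will flag a slippage helper that writes intermediate balances back no matter how the bug was introduced. In a Move module the same property is enforced by the type system when the query takes `&Pool` rather than `&mut Pool`, and the flash loan stays internal simply by not being declared `public`; the allow-list in the toy stands in for that visibility rule.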

In response, Nemo has paused its core functions, developed a patch that has been submitted for emergency audit, removed the flash loan function, fixed the vulnerable code, and added manual-reset features. The team is collaborating with security firms to trace funds and is designing a compensation plan for affected users that includes debt structuring at the tokenomics level.