Nemo to compensate users with debt tokens after $2.6M hack

Nemo Protocol launched a compensation plan involving debt tokens after attackers drained $2.4 million from the platform on September 7, 2025, in an exploit made possible by unaudited code deployed without proper oversight.
The exploit targeted two smart-contract vulnerabilities on the Sui blockchain platform. Attackers used an exposed flash loan function and a mismanaged query function that allowed unauthorized state changes. The stolen assets were bridged to Ethereum via Wormhole.
A developer had merged unaudited code that introduced the flash loan function as public rather than restricted. The same code contained a flawed query function that enabled the exploit. Nemo's governance system allowed single-signature upgrades, bypassing audit review requirements.
The protocol's total value locked dropped from over $6 million to approximately $1.5 million following the hack. Nemo has paused core functions, removed the flash loan feature, patched the query vulnerability, and begun emergency audits.
The debt-token program aims to allow affected users to recover value over time through tokenized obligations issued by Nemo. The platform indicated these tokens will be integrated into its economic structure, though specific details were not provided.
Security firm Asymptotic had issued warnings about potential vulnerabilities in August, but the protocol did not address these concerns before the exploit occurred. Nemo had undergone previous audits, but the vulnerable code was deployed after these security reviews.
The incident occurred despite standard DeFi security practices. The protocol's governance structure allowed a single address to push code updates without requiring additional audit oversight or multi-signature approval.
Nemo operates as a yield-trading platform on Sui, allowing users to trade future yield positions. The platform had attracted over $6 million in deposits before the exploit.
The exploit represents one of several DeFi incidents in 2025 involving flash loan vulnerabilities and governance oversight gaps. Cross-chain bridging of stolen assets complicates recovery efforts for affected protocols.
