According to the project team, Nemo, a yield trading protocol built on Sui, lost approximately $2.59 million to a known vulnerability that reached production because unaudited code was deployed.
According to Nemo's post-incident analysis of the September 7 hack, a function intended to reduce slippage contained a flaw that let attackers alter the protocol's state. The function, `get_sy_amount_in_for_exact_py_out`, was deployed on-chain without having been audited by the smart contract auditing firm Asymptotic.
Moreover, the Asymptotic team had flagged the issue in its preliminary report, but the Nemo team admitted to "failing to adequately address this security risk in a timely manner."
Deploying new code required only a single address's signature, so developers could push unaudited code without disclosing what had changed. They also did not use the confirmation hash Asymptotic provided with the audit to verify the package being deployed, in violation of the established procedure.
This is not the first hack that could easily have been prevented. In late July, the NFT marketplace SuperRare lost about $730,000 to a flaw in one of its underlying smart contracts, which experts said standard testing procedures would have caught.
The vulnerable code was deployed in early January; only in April did the team introduce an upgrade process meant to prevent the deployment of unaudited code.
By then, the vulnerability was already in production. Asymptotic warned Nemo about it on August 11, but the team said it was focused on other issues at the time and did not fix it before the attack.
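As an added illustration of the two controls the article says were missing (a deploy gate that compares the built package against the digest the auditor signed off on, and a threshold of approvers instead of a single signing address), the following Python is example code written for this page; it is not Nemo's or Asymptotic's code, and it is not Sui's actual package upgrade mechanism. The digest scheme, the sign-off record, the approver addresses and the sample module bytes are all constructed assumptions.

```python
"""Illustrative pre-publish gate for a smart contract package upgrade.

Added example, not the project's own code. Two checks are enforced:
  1. the build being published must hash to the digest the auditor reviewed;
  2. the upgrade must carry approvals from a threshold of known signers,
     not from a single address.
The digest scheme and approval record format are assumptions for this
example; they are not Sui's or Nemo's real formats.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


def package_digest(modules: dict[str, bytes]) -> str:
    """Deterministic SHA-256 over compiled modules, independent of the order
    the build tool lists them in. Names and bytes are length-prefixed so
    ("ab", b"c") and ("a", b"bc") cannot produce the same digest."""
    h = hashlib.sha256()
    for name in sorted(modules):
        data = modules[name]
        h.update(len(name).to_bytes(4, "big") + name.encode())
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


@dataclass(frozen=True)
class AuditSignOff:
    auditor: str
    report_id: str
    digest: str  # digest of the exact build the auditor reviewed


@dataclass
class GateResult:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def check_release(modules: dict[str, bytes], signoff: AuditSignOff,
                  approvals: list[str], approvers: set[str],
                  threshold: int) -> GateResult:
    """Fail closed: any mismatch or shortfall blocks the publish."""
    reasons: list[str] = []
    built = package_digest(modules)
    if not hmac.compare_digest(built, signoff.digest):
        reasons.append(f"digest mismatch: built {built[:12]} != "
                       f"audited {signoff.digest[:12]} ({signoff.report_id})")
    unknown = set(approvals) - approvers
    if unknown:
        reasons.append(f"approval from unauthorised signer(s): {sorted(unknown)}")
    valid = set(approvals) & approvers  # duplicates from one signer count once
    if len(valid) < threshold:
        reasons.append(f"{len(valid)} of {threshold} required approvals")
    return GateResult(ok=not reasons, reasons=reasons)


# Constructed sample build: the byte strings stand in for compiled bytecode.
AUDITED_BUILD = {
    "market": b"\x00bytecode:market:v1",
    "router": b"\x00bytecode:router:v1",
}
APPROVERS = {"0xA11CE", "0xB0B", "0xCA201"}  # assumed upgrade-council addresses
THRESHOLD = 2

# The auditor's sign-off binds the report to a digest of the reviewed build.
AUDIT = AuditSignOff(auditor="example-auditor", report_id="RPT-0001",
                     digest=package_digest(AUDITED_BUILD))


def demo() -> tuple[GateResult, GateResult, GateResult]:
    # 1. Exact audited build with 2-of-3 approvals: allowed.
    ok = check_release(AUDITED_BUILD, AUDIT, ["0xA11CE", "0xB0B"],
                       APPROVERS, THRESHOLD)
    # 2. An unaudited helper slipped into one module: blocked even though
    #    two approvers signed, because the digest no longer matches the audit.
    patched = dict(AUDITED_BUILD,
                   router=AUDITED_BUILD["router"] + b"+unaudited_helper")
    blocked = check_release(patched, AUDIT, ["0xA11CE", "0xB0B"],
                            APPROVERS, THRESHOLD)
    # 3. Audited build, but only a single signer: blocked by the threshold.
    single = check_release(AUDITED_BUILD, AUDIT, ["0xA11CE"],
                           APPROVERS, THRESHOLD)
    return ok, blocked, single


if __name__ == "__main__":
    for label, result in zip(("audited", "patched", "single-signer"), demo()):
        print(label, "ALLOW" if result.ok else "BLOCK", result.reasons)
```

The digest must be computed over the exact artifact the auditor reviewed (for a Move package, the compiled module bytecode rather than the source tree), and in a real deployment the approvals would be signatures over that digest verified on-chain rather than plain strings; the point of the gate is that a build whose digest the auditor never saw cannot be published no matter who approves it.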
The protocol's core functionality has been suspended to prevent further losses. The team is working with multiple security teams and has provided all relevant addresses to centralized exchanges to help freeze the stolen assets.
The team has developed a patch, which Asymptotic is auditing. It says it has removed the flash loan feature, fixed the vulnerable code, and added a manual reset function to restore the affected values. Nemo is also designing a user compensation plan, including a debt structure at the tokenomics level.
Nemo has apologized to users and acknowledged that "security and risk management require continuous vigilance." The team says it is committed to strengthening its defenses and implementing stricter protocol controls.
Disclaimer: This article represents only the personal views of the author and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image published on this page infringes rights, please send proof of the relevant rights and identity to support@aicoin.com, and the platform's staff will investigate.