The Sui-based protocol Nemo lost approximately $2.59 million in an incident on September 7, caused by a vulnerability in code that had been deployed without an audit.
Incident Description
According to the post-mortem analysis, a flaw in a function intended to limit slippage allowed an attacker to change the protocol's state. The function, 'get_sy_amount_in_for_exact_py_out,' had been pushed on-chain without being audited by Asymptotic; the post-mortem does not describe the mechanism in more detail than that.
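The page says only that a slippage-related quote function let an attacker change protocol state, so the following is an added illustration of that bug class rather than Nemo's code or the actual exploit: a quote helper that should be read-only but borrows the market mutably and applies the virtual trade to stored reserves, beside the hardened version that borrows immutably. Rust is used because its `&Market` versus `&mut Market` distinction is the same guarantee Move enforces on Sui. The constant-product pricing, the struct fields and the specific mutation are assumptions made for the demonstration; the `leaves_state_unchanged` check at the end is the review-time test a practitioner would want for any quote or view function.

```rust
// Added example, not code from Nemo or Asymptotic. The page reports only that a
// slippage-related quote function allowed state changes; the constant-product
// pricing, the field names and the `&mut` mistake below are assumptions chosen
// to show that bug class.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Market {
    pub sy_reserve: u128, // standardized-yield (SY) token reserve (assumed field)
    pub py_reserve: u128, // principal (PY) token reserve (assumed field)
}

#[derive(Debug, PartialEq, Eq)]
pub enum SwapError {
    InsufficientLiquidity,
    InsufficientPayment { required: u128, paid: u128 },
}

/// Pure pricing math: SY needed to withdraw exactly `py_out` from a
/// constant-product pool, rounded up so the pool never under-charges.
fn sy_in_for_py_out(sy_reserve: u128, py_reserve: u128, py_out: u128) -> Result<u128, SwapError> {
    if py_out == 0 || py_out >= py_reserve {
        return Err(SwapError::InsufficientLiquidity);
    }
    let numerator = sy_reserve
        .checked_mul(py_out)
        .ok_or(SwapError::InsufficientLiquidity)?;
    let denominator = py_reserve - py_out;
    Ok((numerator + denominator - 1) / denominator)
}

/// VULNERABLE shape (assumed): a "quote" that borrows the market mutably and
/// writes the virtual trade into the stored reserves. No tokens are paid, yet
/// the price moves, so any caller can push the pool state around for free.
pub fn get_sy_amount_in_for_exact_py_out_vulnerable(
    market: &mut Market,
    py_out: u128,
) -> Result<u128, SwapError> {
    let sy_in = sy_in_for_py_out(market.sy_reserve, market.py_reserve, py_out)?;
    // Bug: the dry run is not dry.
    market.sy_reserve += sy_in;
    market.py_reserve -= py_out;
    Ok(sy_in)
}

/// HARDENED: the quote borrows the market immutably, so the compiler rejects
/// any write to `market`, which is what Move guarantees for a `&Market` parameter.
pub fn get_sy_amount_in_for_exact_py_out(market: &Market, py_out: u128) -> Result<u128, SwapError> {
    sy_in_for_py_out(market.sy_reserve, market.py_reserve, py_out)
}

/// The only function allowed to change reserves, and only after the caller's
/// payment has been checked against the read-only quote.
pub fn swap_sy_for_exact_py(market: &mut Market, py_out: u128, sy_paid: u128) -> Result<u128, SwapError> {
    let required = get_sy_amount_in_for_exact_py_out(market, py_out)?;
    if sy_paid < required {
        return Err(SwapError::InsufficientPayment { required, paid: sy_paid });
    }
    market.sy_reserve += required;
    market.py_reserve -= py_out;
    Ok(required)
}

/// Review-time invariant for any quote/view function: run it against a copy of
/// the market and confirm the copy is bit-for-bit unchanged afterwards.
pub fn leaves_state_unchanged(market: &Market, f: impl FnOnce(&mut Market)) -> bool {
    let mut probe = market.clone();
    f(&mut probe);
    probe == *market
}

fn main() {
    let market = Market { sy_reserve: 1_000_000, py_reserve: 1_000_000 };
    let quote = get_sy_amount_in_for_exact_py_out(&market, 10_000).unwrap();
    println!("quote: {quote} SY for 10_000 PY");
    println!(
        "hardened quote leaves state unchanged: {}",
        leaves_state_unchanged(&market, |m| {
            let _ = get_sy_amount_in_for_exact_py_out(m, 10_000);
        })
    );
    println!(
        "vulnerable quote leaves state unchanged: {}",
        leaves_state_unchanged(&market, |m| {
            let _ = get_sy_amount_in_for_exact_py_out_vulnerable(m, 10_000);
        })
    );
}
```

The point of the `leaves_state_unchanged` check is that it catches the vulnerable shape even in a language without reference-level mutability guarantees: a quote called twice on the same pool must return the same number and leave the reserves where they were. In Move the cheaper fix is the type signature itself; a function that takes `&Market` cannot compile a write to it.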
Changes in Security Procedures
Asymptotic had flagged the issue in a preliminary report, but the Nemo team acknowledged that it did not address the finding in a timely manner. The vulnerable code was deployed in January; the upgrade procedures that would have allowed such an issue to be fixed were not put in place until April, and the flaw remained live until the exploit.
Actions Taken by Nemo Team Post-Incident
Following the incident, Nemo paused its core functions to prevent further losses. The team is working with multiple security teams and has supplied all relevant addresses to centralized exchanges to help freeze the stolen assets. A patch has been developed and is being audited by Asymptotic before deployment, and Nemo is preparing a compensation plan for affected users.
The Nemo incident illustrates a failure of process rather than of a single line of code: unaudited code reached production, a preliminary audit finding went unaddressed, and an upgrade path to fix it arrived months after deployment. The project team has said it intends to strengthen its defenses and apply stricter controls over protocol changes.