Nemo Protocol suffers $2.59M exploit after unaddressed audit warning
Nemo Protocol lost approximately $2.59 million in an exploit that took advantage of a vulnerability flagged weeks earlier by auditors. The team has acknowledged it failed to act on the warning promptly, and has since paused core protocol functions to prevent further losses. A technical fix and user compensation plan are now underway.
Timeline and detection
Auditing firm Asymptotic identified a critical issue (labeled C-2) on August 11th related to the pyindexstored index, a flaw that impacted interest and conversion calculations. Despite the warning, the vulnerability remained unpatched. The exploit occurred on September 7th around 16:00 UTC, with attackers quickly bridging stolen funds to Ethereum via Wormhole’s CCTP bridge.
Exploit method and vectors
The attackers used flash loans combined with a vulnerable function, getsyamountinforexactpy_out, which bypassed safety checks. This allowed them to manipulate the flawed index logic, drain pools, and withdraw illicit gains. The incident highlights how unaddressed bugs in composable DeFi systems can be exploited at scale.
Impact and community reaction
The attack resulted in $2.59 million in losses and triggered a sharp decline in Total Value Locked (TVL) from $6.3 million to $1.63 million. The community expressed frustration over the delayed response and called for greater transparency, improved accountability, and more rigorous audit follow-ups.
Response, recovery plan and mitigation
Nemo has taken several steps in response:
- Paused vulnerable operations
- Deployed a patch removing the flash loan exploit vector
- Engaged Asymptotic to re-audit the fix
- Shared attacker addresses with exchanges and blockchain tracing firms
- Begun designing a compensation plan for affected users
The team has publicly acknowledged its failure to prioritize the audit warning—a misstep that underscores the need for stronger security practices and faster response protocols in DeFi.