Sui-based yield trading protocol Nemo lost about $2.59 million due to a known vulnerability introduced by non-audited code being deployed, according to the project.
According to Nemo’s post-mortem analysis of the Sept. 7 hack, a flaw in a function intended to reduce slippage allowed the attacker to change the state of the protocol. This function, named “get_sy_amount_in_for_exact_py_out,” was pushed onchain without being audited by smart contract auditor Asymptotic.
Furthermore, Asymptotic’s team identified the issue in a preliminary report. Still, the Nemo team admits that its “team did not adequately address this security concern in a timely manner.”
Deploying new code only required a signature from a single address, allowing the developer to push unaudited code onchain without disclosing the changes. Furthermore, he did not use the confirmation hash provided in the audit for the deployment, breaking the procedure.
This is not the first time a hack was revealed to have been easily preventable. The report follows NFT trading platform SuperRare suffering a $730,000 exploit in late July due to a basic smart contract bug that experts say could have easily been prevented with standard testing practices.
Related: Bubblemaps alleges largest Sybil attack in crypto history on MYX airdrop
Security procedures changed too late
The vulnerable code was pushed onchain in early January. The upgrade procedure, which would likely have prevented the unaudited code from being deployed onchain, was implemented in April.
Despite the upgrade, the vulnerability had already made its way into the production environment. Asymptotic warned Nemo of the vulnerability on Aug. 11, but the project said it was focused on other issues and failed to address it before the exploit.
Related: Failed NPM exploit highlights looming threat to crypto security: Exec
Nemo pauses protocol, prepares patch
According to the analysis, Nemo’s protocol core functions are now paused to prevent further losses. The team is collaborating with multiple security teams and providing all relevant addresses to assist in freezing assets on centralized exchanges.
A patch has now been developed, and Asymptotic is auditing the new code. The project said it removed its flash loan function, fixed the vulnerable code and added a manual-reset feature to restore affected values. Nemo is also designing a compensation plan for users, including debt structuring at the tokenomics level.
“The core team is formulating a detailed user compensation plan, including a debt-structuring design at the tokenomics level.“
Nemo apologized to its users and claims to have learned that “security and risk management demand constant vigilance.” The team also promised to improve its defences and apply stricter protocol control.
Magazine: North Korea crypto hackers tap ChatGPT, Malaysia road money siphoned: Asia Express