Incident Overview
In May 2025, Nemo Protocol on the Sui blockchain suffered an exploit resulting in approximately $150,000 in losses. This analysis examines the vulnerability and the attack vector used.
Attack Vector
The attacker exploited a vulnerability in the protocol's yield calculation mechanism, allowing them to artificially inflate their share of the liquidity pool.
The vulnerability existed due to improper validation of user inputs in the deposit function, combined with a flawed share calculation algorithm.
Timeline
- T+0: Attacker deploys malicious contract
- T+2min: First exploit transaction executed
- T+5min: Multiple drain transactions completed
- T+15min: Protocol team notified
- T+30min: Protocol paused
Input Validation
Always validate user inputs thoroughly
Share Calculations
Use battle-tested math libraries
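The two lessons above, shown as an added example in Rust: a generic deposit path that validates its input and mints shares with widened, checked arithmetic. It is not Nemo Protocol's code and not a reconstruction of the actual bug. The names Pool, deposit and MAX_DEPOSIT and the cap value are hypothetical.

```rust
// Illustrative only: Pool, deposit and MAX_DEPOSIT are hypothetical names,
// and the cap value is an assumption.
#[derive(Debug, PartialEq)]
pub enum DepositError { ZeroAmount, AboveCap, InconsistentPool, Overflow, ZeroShares }

pub const MAX_DEPOSIT: u64 = 1_000_000_000_000; // assumed per-call cap

#[derive(Debug, Clone, PartialEq)]
pub struct Pool { pub total_assets: u64, pub total_shares: u64 }

impl Pool {
    /// Mint shares for `amount`; state is written only after every check passes.
    pub fn deposit(&mut self, amount: u64) -> Result<u64, DepositError> {
        // Input validation: reject values outside the expected range up front.
        if amount == 0 { return Err(DepositError::ZeroAmount); }
        if amount > MAX_DEPOSIT { return Err(DepositError::AboveCap); }
        // Assets and shares must be both zero or both non-zero.
        if (self.total_assets == 0) != (self.total_shares == 0) {
            return Err(DepositError::InconsistentPool);
        }
        let minted: u64 = if self.total_shares == 0 {
            amount // first deposit sets the 1:1 starting rate
        } else {
            // Widen to u128 so the product cannot wrap; division rounds down,
            // in the pool's favour.
            let m = (amount as u128) * (self.total_shares as u128) / (self.total_assets as u128);
            u64::try_from(m).map_err(|_| DepositError::Overflow)?
        };
        if minted == 0 { return Err(DepositError::ZeroShares); }
        let assets = self.total_assets.checked_add(amount).ok_or(DepositError::Overflow)?;
        let shares = self.total_shares.checked_add(minted).ok_or(DepositError::Overflow)?;
        // Post-condition: new shares must not be redeemable for more than was paid in.
        let claim = (minted as u128) * (assets as u128) / (shares as u128);
        if claim > amount as u128 { return Err(DepositError::InconsistentPool); }
        self.total_assets = assets;
        self.total_shares = shares;
        Ok(minted)
    }
}

fn main() {
    let mut pool = Pool { total_assets: 1_500, total_shares: 1_000 }; // constructed state
    println!("{:?}", pool.deposit(300)); // Ok(200)
    println!("{:?}", pool.deposit(0));   // Err(ZeroAmount)
}
```

Every rejection path returns before the pool is modified, so a failed deposit leaves the accounting untouched.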
Monitoring
Real-time monitoring could have reduced losses
