Sui-based DeFi protocol Nemo Protocol lost approximately $2.59 million in an exploit of vulnerabilities in newly launched features, raising concerns about DeFi security and the Sui ecosystem.

Executive Summary

Sui-based decentralized finance (DeFi) protocol Nemo Protocol experienced an exploit that resulted in the loss of approximately $2.59 million in assets. The incident, attributed to security vulnerabilities within newly launched features, led to the transfer of stolen funds to the Ethereum blockchain, raising immediate concerns regarding DeFi security practices on the Sui network.

The Incident Details

On September 8, 2025, Nemo Protocol, a DeFi platform operating on the Sui blockchain, reported a significant security breach. Attackers exploited vulnerabilities identified in the protocol's flash_loan and get_sy_amount_in_for_exact_py_out functions, leading to the unauthorized withdrawal of approximately $2.59 million in assets, primarily USDC. Following the exploit, the stolen funds were reportedly bridged from Sui to Arbitrum and subsequently to Ethereum using Circle's infrastructure. Nemo Protocol has since frozen core functions, submitted a patch for emergency audit, and initiated plans for user compensation and asset tracking.

The incident has been attributed to developers deploying new features without sufficient auditing and failing to address known risks. This event follows a similar major exploit in the Sui ecosystem in May 2025, in which Cetus Protocol, another DeFi project, incurred a $223 million loss due to a vulnerability in its oracle system.

Financial Impact and Exploit Mechanics

The $2.59 million loss suffered by Nemo Protocol underscores the persistent financial risks within the DeFi sector. The exploit's mechanism involved manipulating specific smart contract functions, a common vector for attacks in decentralized applications. This incident contributes to a broader trend of significant financial losses in the crypto space, with total crypto losses in the first half of 2025 exceeding $3.1 billion, surpassing the $2.85 billion total for all of 2024. Smart-contract vulnerabilities accounted for approximately 8% of these losses, totaling $263 million.

Strategic Context and Ecosystem Vulnerabilities

The repeated occurrences of major exploits, particularly the Nemo Protocol and Cetus Protocol incidents on the Sui blockchain, have prompted scrutiny of the maturity of DeFi security practices and the adequacy of safeguards within the Sui ecosystem. The lack of detailed public statements or remediation plans from Nemo Protocol or the Sui Foundation post-breach has exacerbated user anxiety regarding potential reimbursements and the overall security posture of the network. This situation highlights the critical need for rigorous audits and robust risk management before deploying new DeFi functionalities, especially on emerging blockchains.

Broader Market Repercussions

This exploit has intensified bearish sentiment for the affected protocol and potentially for the broader Sui ecosystem. It is anticipated to lead to increased caution among DeFi users, particularly concerning the adoption of new features. Industry observers note that while DeFi offers substantial opportunities, the sector remains highly susceptible to sophisticated exploits. Incidents like the Nemo Protocol hack emphasize the urgent demand for enhanced security measures, improved risk management frameworks, and greater transparency from protocol teams to maintain investor and user trust across the Web3 landscape. The event also underscores the potential for short-term price volatility for associated tokens and could contribute to heightened calls for regulatory scrutiny in the DeFi space.