Nemo Protocol rolls out debt token plan for $2.6M hack victims

Sui-based yield trading platform Nemo Protocol has announced a debt token compensation program for users affected by a $2.59 million exploit on September 7. The repayment plan comes after the project’s team admitted an unaudited code change left its system vulnerable to attacks.

In a blog post published Sunday on Notion, Nemo revealed a three-step recovery plan based on the issuance of NEOM debt tokens. The program is meant to return value to victims over time through a dedicated redemption pool funded by recovered assets, liquidity loans, and investments.

Users will receive NEOM tokens pegged 1:1 to the value of their losses in USD terms, based on an onchain snapshot taken when the protocol was paused. 

“While we would have preferred to reimburse everyone directly in USD, we do not have sufficient funds or capital raised to do so, which is why we adopted the debt token strategy as the most viable path forward,” the yield trading protocol team wrote.

Nemo protocol issues three-step recovery path

The first phase of the recovery plan will see users reclaim the residual value left in compromised pools through a one-click function. The assets will be transferred into new, multi-audited smart contracts managed jointly by Nemo and its partners.

The second phase is the distribution of NEOM tokens, where, after completing the migration process, victims will simultaneously receive debt tokens equivalent to their losses. For example, a $1 loss translates to one NEOM token.

The last phase gives them choices of how to handle their NEOM. Those affected by the hack can immediately exit through automated market makers or hodl the tokens while awaiting recovery from frozen or reclaimed funds.

Nemo has also launched a dedicated portal to support affected users, a one-stop module with three main features, including eligibility and loss display. Once a user connects their wallet, the system automatically identifies positions on all affected pools and displays three figures: original asset value, residual value, and total loss.

Another is a one-click claim tool, where users can transfer all residual liquidity provider tokens and yield tokens into secure contract pools with a single confirmation.

Last but not least is the NEOM claim module, which shows the exact number of debt tokens allocated to each user based on their total loss and an option to “claim NEOM.”

Nemo exploiter took advantage of flawed smart contract

According to a post-mortem report from Nemo, a malicious actor used a flaw in Nemo’s smart contract design to execute the hack. Blockchain security company PeckShield reported that the attacker stole Circle’s USDC stablecoin, bridging the tokens from Arbitrum to Ether before dispersing them through several laundering addresses.

On the protocol’s smart contract lies a flaw lay function which helps the trading platform reduce slippage. The code, called “get_sy_amount_in_for_exact_py_out,” was added onchain in January without the necessary audit from smart contract firm Asymptotic. 

Even when an upgrade was installed in April to tighten deployment checks, the vulnerable code had already been embedded in production. The attacker initiated cross-chain transfers at 16:10 UTC on September 7 via Wormhole’s Circle cross-chain transfer protocol (CCTP). 

In total, $2.59 million of Nemo’s funds was rapidly siphoned using flash loans from pools including sUSDC, sbUSDT, and sSUI.

Asymptotic’s team identified the vulnerability in a preliminary report delivered to Nemo on August 11. However, the platform conceded that it failed to address the issue in time before attackers found the loophole. 

After releasing a full prognosis of the exploit, Nemo has been coordinating with blockchain security teams and centralized exchanges (CEXs) to freeze stolen assets. 

If you're reading this, you’re already ahead. Stay there with our newsletter.