A significant cyberattack has hit Nemo Protocol, a decentralized finance (DeFi) yield platform built on the Sui blockchain, resulting in a staggering loss of approximately $2.4 million. The breach occurred just before the platform’s scheduled maintenance over the weekend, prompting immediate investigations and actions.
The security breach was first detected by PeckShieldAlert, which revealed on September 8 that around $2.4 million in USDC had been siphoned from Nemo’s systems. The investigation conducted by the blockchain security firm showed that the hacker quickly transferred the stolen assets from Circle, using a bridge to move USDC from Arbitrum to Ethereum.
In response to the attack, Nemo released a statement acknowledging the breach, specifically indicating that its Market pool had been impacted. The team emphasized their commitment to resolving the issue, stating they were actively investigating the cause of the vulnerability while suspending all smart contract activity to prevent further losses. They reassured users that all Vault assets remained secure during this time.
The repercussions of the incident were immediate and severe. Data from DeFiLlama revealed that Nemo’s total value locked (TVL) plummeted from over $6.3 million to approximately $1.57 million in the wake of the attack. Fearing potential further exploits, users rushed to withdraw their investments, resulting in over $3.8 million worth of USDC and SUI tokens being pulled from the platform.
The breach targeted Nemo’s yield-trading mechanism, which allows users to split staked assets into Principal Tokens (PTs) and Yield Tokens (YTs) for speculation, and exploited vulnerabilities in it. Security research from CertiK highlighted that risks in DeFi protocols can stem from various sources, including coding errors, blockchain vulnerabilities, and limitations inherent to programming languages.
The incident marks the third significant hack affecting DeFi protocols within September alone. Earlier in the month, Venus Protocol was targeted, leading to a $13.5 million loss, while the Bunni protocol faced an $8.4 million theft. The frequency and scale of these attacks remain troubling, particularly given a previous exploit affecting the Sui ecosystem. Earlier this year, Cetus Protocol fell victim to a $223 million breach due to flaws in third-party code.
Declining security has been a worry for the blockchain sector in 2025. According to a mid-year analysis by SlowMist, the industry faced losses exceeding $2.37 billion across 121 security incidents in the first half of the year, with DeFi protocols accounting for 76% of these cases. While centralized exchanges recorded higher individual losses, the vulnerabilities in DeFi smart contracts were particularly alarming.
A recent assessment from Hacken reported that total crypto industry losses surpassed $3.1 billion during the same period. The study indicated that access control vulnerabilities, including misconfigured wallets and compromised legacy keys, accounted for 59% of these losses. DeFi-specific smart contract exploits were noted to have caused approximately $263 million in losses, about 8% of the total.
Mitchell Amador, CEO of Immunefi, emphasized in an interview the shortcomings of traditional security measures in the rapidly evolving Web3 environment. He pointed out that standard audits often fail to detect vulnerabilities that arise post-launch in dynamic DeFi settings. To combat this, he advocated for the implementation of bug bounty programs, which would incentivize ethical hackers and fundamentally alter the economics of cybersecurity to favor defensive measures over offensive exploits.


