The decentralized finance (DeFi) world has been hit by another big hack. Nemo, a new yield trading protocol built on the Sui blockchain, lost about $2.59 million after attackers found a weakness in its smart contracts. This weakness allowed them to drain liquidity directly from the protocol.

What makes this case different is that Nemo’s own auditor had already found the issue weeks earlier. In its report, the auditor warned that the code had a flaw, but the Nemo team did not fix it in time.

The team later admitted that they knew about the problem but decided to focus on other issues. This decision has raised serious questions about how much users can trust DeFi projects that advertise themselves as “audited.”

This hack is important because it shows a bigger problem in DeFi: security risks are often downplayed or ignored in the rush to launch new features. While audits are supposed to give investors confidence, they only work if project teams act on them.

Nemo’s mistake highlights the need for stronger security, better governance, and more responsibility in DeFi if the industry wants to win long-term trust from users and regulators.

Auditor Warning Ignored Before Nemo Exploit

According to the official post-mortem analysis published by the Nemo team, the root cause of the exploit was a flaw in the get_sy_amount_in_for_exact_py_out function.

This unaudited piece of code was pushed on-chain in January, well before the project’s security procedures were upgraded in April to include multisignature controls. The lack of proper controls allowed a single developer to deploy the vulnerable code without the oversight of the entire team.

The audit firm, Asymptotic, had identified the issue in a preliminary report on August 11, nearly a month before the hack. The report reportedly highlighted the risk, but the Nemo team “did not adequately address this security concern in a timely manner,” a crucial admission that lays bare a catastrophic failure of risk management.
The attacker exploited the vulnerability, allowing them to manipulate the protocol’s state and drain approximately $2.59 million in assets. While the team has now paused core functions, is collaborating with security firms, and is developing a compensation plan, the damage to user trust is undeniable.

This incident echoes similar preventable hacks, such as the $730,000 exploit on NFT trading platform SuperRare in July, which was also linked to a basic, avoidable smart contract bug.

Lessons from a Bull Run and the Psychology of Risk

The Nemo Finance hack, and its preventable nature, must be viewed within the broader context of crypto market cycles. As we saw in previous bull markets such as the 2021 surge and the current cycle fueled by institutional interest, the velocity of development often outpaces the rigor of security.

Projects are under immense pressure to launch new features, attract liquidity, and compete for market share. This hyper-financialized environment can breed a culture where security is seen as a bottleneck rather than a prerequisite.

This behavioral pattern is not new. In the run-up to the 2021 market peak, countless projects with minimal audits or rushed deployments fell victim to exploits. The Cream Finance flash loan attacks in 2021, which resulted in over $130 million in losses, were a direct consequence of a similar “deploy first, secure later” mentality.

The Nemo case, however, introduces a more insidious element: a team that was explicitly warned of a critical vulnerability but chose to prioritize other issues over a known, existential threat.

This speaks to a deep-seated issue of market psychology. During periods of euphoria, investor appetite for risk is at its highest, and due diligence is often the first casualty.
The allure of high yields and novel DeFi products can blind both retail investors and project teams to fundamental security risks.

A report by blockchain analytics firm Immunebytes found that many of the largest crypto hacks in 2024 were rooted in simple access control vulnerabilities and unvalidated call data.