The decentralized finance (DeFi) sector has been rattled once again, this time by a $2.59 million exploit targeting Nemo, a yield trading protocol built on the Sui blockchain. Attackers manipulated the platform's smart contracts and drained liquidity within moments. What sets this incident apart is that the vulnerability was not unknown: Nemo's own auditor had flagged it weeks before the breach.

According to the project's post-mortem, the exploited function, designed to minimize slippage, was deployed onchain without a final audit. Although Asymptotic, Nemo's smart contract auditor, had highlighted the weakness in a preliminary report, the team did not resolve the issue in time. Instead, the unaudited code was pushed live under a single developer's signature, bypassing both disclosure requirements and the recommended deployment procedure.

In hindsight, Nemo admitted that its team had deprioritized the fix in favor of other development tasks. That decision has drawn sharp criticism of the project's governance practices and of the wider DeFi culture in which security concerns are sidelined in the race to innovate. That such a costly exploit stemmed from an issue that was both identified and documented underscores how fragile the trust between projects and their users is.

The incident fits a troubling pattern in DeFi, where preventable hacks keep surfacing despite audits and published best practices. As with other recent cases, Nemo's exploit highlights the need for stronger security enforcement, stricter deployment controls, and more accountability if the industry hopes to keep the confidence of investors and regulators.

Auditor Warning Ignored Before Nemo Exploit

According to the official post-mortem published by the Nemo team, the root cause of the exploit was a flaw in the get_sy_amount_in_for_exact_py_out function.
This unaudited code was pushed on-chain in January, well before the project upgraded its security procedures in April to include multisignature controls. Without those controls, a single developer could deploy the vulnerable code with no oversight from the rest of the team. Asymptotic had identified the issue in a preliminary report on August 11, nearly a month before the hack. The report reportedly highlighted the risk, but the Nemo team, in its own words, "did not adequately address this security concern in a timely manner", an admission that lays bare a failure of risk management.

The attacker exploited the flaw to manipulate the protocol's state and drain approximately $2.59 million in assets. The team has since paused core functions, is working with security firms, and is developing a compensation plan, but the damage to user trust is undeniable. The incident echoes other preventable hacks, such as the $730,000 exploit of NFT trading platform SuperRare in July, which was also traced to a basic, avoidable smart contract bug.

Lessons from a Bull Run and the Psychology of Risk

The Nemo Finance hack, and its preventable nature, must be viewed in the broader context of crypto market cycles. As in previous bull markets such as the 2021 surge, and in the current cycle fueled by institutional interest, the velocity of development often outpaces the rigor of security. Projects are under immense pressure to ship features, attract liquidity, and compete for market share, and that hyper-financialized environment breeds a culture in which security is treated as a bottleneck rather than a prerequisite.

This pattern is not new. In the run-up to the 2021 market peak, countless projects with minimal audits or rushed deployments fell victim to exploits.
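The two control gaps the post-mortem describes (a build published under one developer's signature, and an audit that covered an earlier or preliminary state of the code rather than what went on-chain), together with the call earlier in the piece for stricter deployment controls, can be made concrete as a release gate that refuses to publish unless the exact artifact being deployed carries a final audit sign-off with no open findings and a quorum of maintainers has approved it. The Python below is an added example, not tooling from Nemo, Asymptotic or Sui; the sign-off records, signer ids, package bytes and the 2-of-3 threshold are constructed for illustration.

```python
"""Release gate that refuses to publish a package unless the exact build
being deployed carries a final audit sign-off with no open findings and a
quorum of maintainers has approved it.

Added example; not tooling from Nemo, Asymptotic or Sui. The sign-off
records, signer ids, package bytes and threshold below are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditSignoff:
    package_digest: str   # sha256 hex of the compiled package the auditor reviewed
    auditor: str
    status: str           # "preliminary" or "final"
    open_findings: int    # findings still unresolved when the report was issued


@dataclass(frozen=True)
class DeployRequest:
    package_bytes: bytes  # compiled package that would be published on-chain
    approvers: frozenset  # ids of maintainer keys that signed the deploy


def package_digest(package_bytes: bytes) -> str:
    """Digest that ties an audit report to one exact compiled artifact."""
    return hashlib.sha256(package_bytes).hexdigest()


def deployment_allowed(req: DeployRequest, signoffs, threshold: int):
    """Return (allowed, reasons). Every failed check is reported so a blocked
    release names each missing control rather than only the first one found."""
    reasons = []
    digest = package_digest(req.package_bytes)

    # 1. The audit must cover *this* build. A sign-off on an earlier build says
    #    nothing about bytes changed afterwards, whether a fix or anything else.
    matching = [s for s in signoffs if s.package_digest == digest]
    if not matching:
        reasons.append("no audit sign-off for build digest %s" % digest[:12])
    elif not any(s.status == "final" for s in matching):
        reasons.append("only a preliminary audit sign-off exists for this build")

    # 2. Findings the auditor raised must be closed, not deferred to later work.
    if any(s.open_findings > 0 for s in matching):
        reasons.append("audit report lists unresolved findings")

    # 3. Publishing needs a quorum; a single developer signature is not enough.
    if len(req.approvers) < threshold:
        reasons.append("%d approval(s), quorum is %d" % (len(req.approvers), threshold))

    return (not reasons, reasons)


# Constructed sample data (not real artifacts or real audit records).
AUDITED_BUILD = b"compiled package, build reviewed by the auditor"
CHANGED_BUILD = AUDITED_BUILD + b"; one post-audit change"
THRESHOLD = 2   # 2-of-3 maintainer keys must approve a deploy

FINAL_SIGNOFFS = [
    AuditSignoff(package_digest(AUDITED_BUILD), "auditor-A", "final", open_findings=0),
]
PRELIM_SIGNOFFS = [
    AuditSignoff(package_digest(AUDITED_BUILD), "auditor-A", "preliminary", open_findings=1),
]


def gate_examples():
    """Run the gate over the three situations the article contrasts."""
    quorum = frozenset({"key-1", "key-2", "key-3"})
    solo = frozenset({"key-1"})
    return {
        "audited_build_quorum": deployment_allowed(
            DeployRequest(AUDITED_BUILD, quorum), FINAL_SIGNOFFS, THRESHOLD),
        "changed_build_quorum": deployment_allowed(
            DeployRequest(CHANGED_BUILD, quorum), FINAL_SIGNOFFS, THRESHOLD),
        "prelim_only_solo_dev": deployment_allowed(
            DeployRequest(AUDITED_BUILD, solo), PRELIM_SIGNOFFS, THRESHOLD),
    }


if __name__ == "__main__":
    for name, (ok, reasons) in gate_examples().items():
        print(name, "ALLOW" if ok else "BLOCK", reasons)
```

The gate binds the audit to the sha256 of the exact artifact, so a build that differs from the audited one by even a byte is refused until it is re-audited; a preliminary report or an open finding blocks the release on its own, and the approval quorum is checked independently, so the returned reasons list every missing control at once.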
The Cream Finance flash loan attacks of 2021, which caused more than $130 million in losses, were a direct consequence of the same "deploy first, secure later" mentality. The Nemo case, however, adds a more insidious element: a team that was explicitly warned of a critical vulnerability and still chose to prioritize other work over a known, existential threat.

This points to a deep-seated issue of market psychology. During periods of euphoria, investor appetite for risk is at its highest and due diligence is often the first casualty. The allure of high yields and novel DeFi products can blind retail investors and project teams alike to fundamental security risks. A report by blockchain analytics firm Immunebytes found that many of the largest crypto hacks of 2024 were rooted in simple access control vulnerabilities and unvalidated call data.