The Sui-based yield trading protocol Nemo lost around $2.59 million due to a known vulnerability introduced by non-audited code that was deployed, according to the project.
According to Nemo's post-mortem analysis of the September 7 hack, a flaw in a function intended to reduce slippage allowed the attacker to change the state of the protocol. This function, called "get_sy_amount_in_for_exact_py_out", was pushed on-chain without being audited by the smart contract auditor Asymptotic.
In addition, the Asymptotic team identified the problem in a preliminary report. Even so, Nemo's team admits that its "team did not adequately address this security concern in a timely manner."
Deploying new code required only a single-address signature, which allowed the developer to push the non-audited code on-chain without disclosing the changes. In addition, he did not use the confirmation hash provided in the audit for the deployment, breaking the procedure.
This is not the first time it has emerged that a hack could have been easily prevented. The report follows the NFT trading platform SuperRare suffering a $730,000 exploit at the end of July due to a basic smart contract bug that, according to experts, could easily have been avoided with standard testing practices.
Security procedures changed too late
The vulnerable code was pushed on-chain in early January. The upgrade procedure, which would probably have prevented the non-audited code from being deployed on-chain, was implemented in April.
Despite the update, the vulnerability had already reached the production environment. Asymptotic warned Nemo about the vulnerability on August 11, but the project said it was focused on other problems and could not address it before the exploit.
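The two controls the report says were missing, a match against the audit's confirmation hash and more than one signer per deployment, can be expressed as a pre-deployment gate. The following is an added example, not code from Nemo or Asymptotic; the digest format, the signer names and keys, and the use of HMAC as a stand-in for real signatures are all assumptions made for illustration.

```python
import hashlib
import hmac

def package_digest(modules):
    """SHA-256 over compiled modules, independent of dict ordering."""
    h = hashlib.sha256()
    for name in sorted(modules):
        raw_name, body = name.encode(), modules[name]
        # Length-prefix each field so module boundaries cannot be shifted.
        h.update(len(raw_name).to_bytes(4, "big") + raw_name)
        h.update(len(body).to_bytes(8, "big") + body)
    return h.hexdigest()

def approve(key, digest):
    """Approval tag bound to one exact digest (HMAC stands in for a signature)."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def valid_approvers(digest, approvals, signer_keys):
    """Known signers whose tag covers this digest; unknown names are ignored."""
    return {
        signer for signer, tag in approvals.items()
        if signer in signer_keys
        and hmac.compare_digest(approve(signer_keys[signer], digest), tag)
    }

def release_gate(modules, audited_digest, approvals, signer_keys, threshold):
    """Return (allowed, reason) for a proposed deployment."""
    digest = package_digest(modules)
    if not hmac.compare_digest(digest, audited_digest):
        return False, "build does not match the audit confirmation hash"
    count = len(valid_approvers(digest, approvals, signer_keys))
    if count < threshold:
        return False, f"{count} of {threshold} required approvals"
    return True, "ok"

# Constructed sample data: module bytes, signer names and keys are made up.
AUDITED = {"market": b"\x01audited-market", "py": b"\x02audited-py"}
CHANGED = {**AUDITED, "py": b"\x02audited-py+unreviewed-function"}
KEYS = {"dev": b"k-dev", "sec": b"k-sec", "ops": b"k-ops"}
AUDITED_DIGEST = package_digest(AUDITED)

if __name__ == "__main__":
    solo = {"dev": approve(KEYS["dev"], AUDITED_DIGEST)}
    both = {**solo, "sec": approve(KEYS["sec"], AUDITED_DIGEST)}
    print(release_gate(AUDITED, AUDITED_DIGEST, solo, KEYS, 2))
    print(release_gate(AUDITED, AUDITED_DIGEST, both, KEYS, 2))
    print(release_gate(CHANGED, AUDITED_DIGEST, both, KEYS, 2))
```

Because each approval is computed over the digest itself, an approval given for the audited build cannot be reused for a build that was changed afterwards.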
Nemo pauses the protocol, prepares the patch
According to the analysis, the core functions of the Nemo protocol are now paused to avoid further losses. The team is collaborating with multiple security teams and is providing all relevant addresses to help freeze assets on centralized exchanges.
A patch has been developed, and Asymptotic is to audit the new code. The project said it removed its flash loan function, fixed the vulnerable code and added a manual reset function to restore the affected values. Nemo is also designing a compensation plan for users, including debt structuring at the tokenomics level.
“The central team is formulating a detailed user compensation plan, including a debt structure design at the tokenomic level.”
Nemo apologized to its users and says it has learned that "safety and risk management demand constant surveillance." The team also promised to improve its defenses and apply stricter protocol controls.


