Nemo Protocol, a Sui-based yield-trading platform, has recently fallen prey to a significant exploit. The platform has now declared a compensation strategy aimed at issuing debt tokens, dubbed NEOM, to users affected by the incident. Importantly, the number of NEOM tokens issued will be equivalent to the users’ losses, calculated in US dollars.
Ideation Behind the Initiative
Nemo stated that the shift towards the debt token approach comes as it lacks sufficient funds to reimburse all affected parties directly in USD. While the concept of directly reimbursing users would have been ideal, the current financial state of Nemo doesn’t permit it. Therefore, as a robust alternative, Nemo is proceeding with a strategy involving debt tokens.
Details about the Attack
The first revelation of the exploit, which resulted in a drain of $2.6 million from Nemo’s market pool, came from PeckShield, an on-chain security company. The exploit was linked to vulnerabilities in the platform’s code, introduced by a developer. It is noteworthy that the code was pushed into production without proper audits, a mistake that led to disastrous consequences.
Restitution and Recovery Plan
To make all affected users whole again, Nemo intends to compensate for the principal losses. These losses will be computed from an on-chain snapshot taken when the protocol was paused after the security incident. The recovery plan is a three-step approach involving:
- Migration of residual values from compromised pools to audited, multi-party managed contracts via a dedicated portal
- Issuing NEOM tokens equivalent to calculated losses during the migration
- After the migration, holders have two options: either exit via an automated market maker pool or retain their tokens and wait for the recovery of funds.
Nemo has also revealed plans to initialize a liquidity pool on a major Sui decentralized exchange, which will pair the NEOM tokens with a stablecoin, USDC. The primary intention here is to enable immediate exits and alleviate concerns of the user base.
Efforts Towards Full Compensation
Nemo’s compensation scheme comprises a full deposit of any recovered exploit funds into a redemption pool managed by multiple parties. All NEOM holders can file proportionate claims against this pool. Furthermore, Nemo has announced that strategic investments or external liquidity loans may be allocated into the redemption pool to provide liquidity support.
Transparency and Accountability
Pledging complete transparency, Nemo will set up a dedicated website to trace the progress of NEOM burns. It will keep its community members informed about any updates on the initiative in real time. The move comes as a critical step towards accountability and trust-building.
Post-Mortem Analysis
In a post-incident analysis, Nemo revealed that the stolen funds were moved from the Sui platform to Ethereum using Wormhole CCTP – a cross-chain communication protocol. In response to this security breach, Nemo is now working with in-house security teams on the Sui platform to trace the funds.
Apart from this, Nemo is also working on setting up a White-Hat Agreement Framework and a Hacker Bounty, marking a robust step towards precluding similar incidents in the future.
Conclusion
While the recent exploit left a significant impact on Nemo Protocol and its users, strong corrective measures have been put in place. The multi-step recovery plan and transparency initiatives signal a promising comeback.