Nemo contract security vulnerability leads to $2.59 million theft, raising alarms about asset security on the Sui chain
Event Overview:
On September 7, 2025, Beijing time, Nemo on the Sui chain was attacked, with hackers exploiting py_index to steal approximately $2.59 million.


Attacker Address:
0x01229b3cc8469779d42d59cfc18141e4b13566b581787bf16eb5d61058c1c724
Attack Transaction:
https://suivision.xyz/txblock/HMMicxQWn43rnNswi4gNHanUaeiWW5ijqM5bHLca67D9?tab=Overview
Nemo Package:
0x0f286ad004ea93ea6ad3a953b5d4f3c7306378b0dcc354c3f4ebb1d506d3b47f
Root Cause:
The root cause was that PyState was incorrectly passed as a mutable reference, which let the attacker overwrite py_index. When mint_py was then called, the amount of PT and YT minted was computed by multiplying the inflated py_index with the SY amount being split, so the attacker received a huge quantity of PT and YT.
In-depth analysis showed that py.get_sy_amount_in_for_exact_py_out accepted an unconstrained number from the caller and, when it called py.current_py_index, that number was written into the py_index field of PyState.
· py.get_sy_amount_in_for_exact_py_out calculates the amount of SY input required for a given PY output, but the index it accepts is not validated in any way.

· py.current_py_index compares the passed-in py_index with the stored index and keeps the larger of the two as the new value of py_state.py_index_stored.

Attack Process Analysis:
- The attacker calls init_py_position to initialize a py_position (this only creates the user's position record and plays no role in the exploit itself).

- Next, they take a flash loan through py.borrow_pt_amount to borrow a large amount of PT tokens (which are later swapped for SY balance).

- They call market.swap_exact_pt_for_sy 100 times to exchange the PT for SY tokens.

- Using py.get_sy_amount_in_for_exact_py_out, the attacker requests the amount of SY input required for a PY output, passing the constructed, extremely large number 553402322211286548480000 as py_index; because of the flaw above, this value is written into the stored index.

- The attacker then calls yield_factory.mint_py while the stored index is still inflated, so PT and YT are minted at a grossly inflated rate and a large amount of PT is extracted.

The corresponding MintEvent (shown in the original post as a screenshot):

- Finally, the attacker uses the minted PT to repay the flash loan via py.repay_pt_amount, then redeems the yield-bearing assets and withdraws the tokens from Scallop.
Thus, the attacker stole approximately $2.59 million by manipulating py_index, subsequently converting the assets to USDC and transferring them across chains via Bridge, ultimately converting them to ETH and DAI stored at 0x41b1906c4BCded607c6b02861cE15C2E49FF7576.
After the attack, the Nemo team urgently suspended the smart contract functions and began investigating the attack incident. The investigation revealed that the loss of $2.59 million in assets stemmed from launching new features without adequate auditing.
Event Summary:
The core of this attack is that sensitive protocol state was exposed through a mutable reference, so a caller-supplied parameter could overwrite it without any check. State of this kind must be kept read-only on user-facing paths, and any value that can update it must be validated and bounded.
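To make the root cause and the mint step concrete, here is an added Python model (not Nemo's Move code; the function names mirror the ones above, while the 1e18 fixed-point scale, the starting index of 1.05 and the 1000 SY deposit are assumptions) of the flawed index ratchet next to a hardened variant that never lets caller input reach the stored state:

```python
from dataclasses import dataclass

SCALE = 10**18  # assumed fixed-point scale for indices and balances in this model


@dataclass
class PyState:
    py_index_stored: int


def current_py_index_vulnerable(state: PyState, py_index: int) -> int:
    """Flawed ratchet: the caller-supplied py_index is compared with the stored
    value and the larger one is written back into the mutable PyState."""
    state.py_index_stored = max(state.py_index_stored, py_index)
    return state.py_index_stored


def current_py_index_fixed(state: PyState, sy_exchange_rate: int) -> int:
    """Hardened ratchet: the index may only move up from an on-chain SY exchange
    rate; there is no parameter a user could abuse."""
    state.py_index_stored = max(state.py_index_stored, sy_exchange_rate)
    return state.py_index_stored


def mint_py(sy_amount: int, py_index: int) -> int:
    """PT (and matching YT) minted for splitting sy_amount SY at py_index."""
    return sy_amount * py_index // SCALE


def get_sy_amount_in_for_exact_py_out_vulnerable(state: PyState, py_out: int, py_index: int) -> int:
    """Quote helper with the flaw: meant to be read-only, but forwards the
    unconstrained py_index into the ratchet and thereby mutates state."""
    return py_out * SCALE // current_py_index_vulnerable(state, py_index)


def get_sy_amount_in_for_exact_py_out_fixed(state: PyState, py_out: int) -> int:
    """Hardened quote: reads the stored index and cannot modify it."""
    return py_out * SCALE // state.py_index_stored


def simulate(attacker_index: int) -> tuple[int, int, int]:
    """Returns PT minted (in whole units) for an honest deposit, for the same
    deposit after the attacker's quote call, and under the fixed code."""
    sy_in = 1000 * SCALE
    state = PyState(py_index_stored=105 * 10**16)  # honest index 1.05
    honest_pt = mint_py(sy_in, state.py_index_stored)
    get_sy_amount_in_for_exact_py_out_vulnerable(state, SCALE, attacker_index)
    attacked_pt = mint_py(sy_in, state.py_index_stored)  # uses the poisoned index
    fixed_state = PyState(py_index_stored=105 * 10**16)
    current_py_index_fixed(fixed_state, 106 * 10**16)  # rate moved 1.05 -> 1.06
    get_sy_amount_in_for_exact_py_out_fixed(fixed_state, SCALE)  # cannot poison
    fixed_pt = mint_py(sy_in, fixed_state.py_index_stored)
    return honest_pt // SCALE, attacked_pt // SCALE, fixed_pt // SCALE
```

Running `simulate(553402322211286548480000)` with the number from the attack shows 1000 SY minting 1050 PT honestly, about 553 million PT through the poisoned index, and 1060 PT under the fixed ratchet.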