Claim 21 | Cover ID 1335 | Pocket Universe (OpenCover Transaction Cover)

• Claim Request: 5027.91 USDC
• Total Cover Amount: 250000.23 USDC
• Cover Period: 25 September 2024 to 25 October 2024
• Date of Loss: 4 October 2024

Overview

On 11 October 2024, a claim was filed for the Pocket Universe listing under the OpenCover Transaction Cover product type.

• OpenCover Transaction Cover wording
• Pocket Universe Annex document

In the incident details for this claim, the claimant (OpenCover) noted the OpenCover Transaction wording and cited “3b” of the cover wording. However, claim assessors should refer to the Pocket Universe Annex, where “3b” refers to “Malicious Sending of Funds”.

Incident Details

The following details were provided in the claim submission, which can be reviewed in the Nexus Mutual UI: Nexus Mutual

Claim-related files: Claim documents – Google Drive

A transaction for ~2.08 ETH was covered on 2024-10-04 at 11:31:28 UTC by OpenCover (see opencover-log and opencover-signature-verification with OpenCover signing key: 0x903B1AB4de03b50b55bb78a55A612921B54F39D0 and message: 0x402741cd3083b4d1131d0e9f408489d6c6d6b86ddd0516ce4a83cf137024e2af — the policy ID).

The transaction was made on the Lido frontend and was not detected as malicious by Pocket Universe (see both in pu-log) however end-user funds were lost once the transaction settled onchain (https://etherscan.io/tx/0x1b84e51a0b3f682ce7636170f9a18fcb3cc532661c1ce65f9733e2b5ce74a29f).

After investigation, it appears the attack involved replacing a Lido staking transaction with a transfer to a scam EOA (see user-malicious-tx-screenshot which was taken after the incident while replaying actions leading to the loss on the victim’s machine and https://metasleuth.io/result/eth/0x20Cc67d8327EaC4aD2E43Cb05A05171599Ab6dEb for scam EOA inbound transfers including the one related to this claim).

After multiple due diligence checks, including the victim’s identity, our conclusion is that this is a genuine attack most likely due to a malicious extension changing the transaction intent (see user-malwarebytes-scan showing malware on victim’s machine that could deploy a malicious extension).

We thus believe this is a valid claim under Covered Event 3b of the Transaction Cover Terms & Conditions (https://api.nexusmutual.io/ipfs/QmWRir4JSeSv3oKbHyDRz1xFKXh1d8wgew5Rr4koCMeYYu)

(Loss/Claim value in USDC was computed as Etherscan’s Estimated Value on Day of Txn assuming a 1:1 USD:USDC exchange rate, see etherscan-tx)

Assessment

Members who stake NXM and act as claim assessors can discuss the claim submission in this thread.

Learn more about Claim Assessment in the Nexus Mutual documentation.

Just a note for any claim assessors voting on this claim

There is a bug with one of the Assessment Criteria questions. If you answer “No” to the question “Did the loss occur due to any of the items listed under Clause 5 (Exclusions)?”, the result defaults to Deny.

However, this shouldn’t be the case. The Nexus Mutual frontend team will correct this bug on Monday (14 October).

During my personal assessment, I found no evidence that this loss event occurred due to any of the excluded conditions. According to my own assessment, I have voted to accept this claim, which means I have answered “Yes” to the above question so my claim decision results in “Accept”.

As an update, this claim has been approved and the claim payment has been withdrawn.

You can find a summary of this claim event in the Claims Database on the Nexus Mutual DAO website, as well as in the Nexus Mutual UI.