The Community Fund is pleased to begin it’s consideration for the community granting process for a Dedaub & Nexus Mutual Collaboration.
We maintain a static analysis infrastructure, demonstrated at contract-library.com, and deployed over all contracts on the blockchain. We decompile deployed contracts and run sophisticated program analysis queries, mainly for security vulnerabilities. In the past months, these analysis reports have led to numerous vulnerability disclosures, several bug bounties (from DeFi Saver, Dinngo/Furucombo, Primitive Finance, Vesper Finance, BT Finance, indirectly from Armor.fi), 6 mentions in “Week of Ethereum News”, and more. Using this technology we have conducted two separate studies for the Ethereum Foundation on the impact of EIP-1884 and EIP-3074 over all deployed contracts.
We can detect all contracts that are part of each covered protocol and group them automatically (under human supervision). Subsequently, we can analyze the contracts and display warnings of vulnerabilities (or proto-vulnerabilities, i.e., components that when put together can make a service vulnerable). The static warnings will be combined with queries on environmental conditions (e.g., approvals and balances in past transactions, state of initialization of a contract, storage contents) to produce reports that can point to security issues. We will also maintain a contact database for each covered protocol. If a vulnerability is detected in a live system, we will contact the appropriate project team.
Below is a list of tasks involved in this project. For all tasks, we believe that our technology offers a competitive advantage.
- Identify all deployed contracts that constitute a service covered by Nexus Mutual, while new contracts are being added. This will be done in two ways:
Starting from a known set of contracts for the service, we will
a) find newly added contracts using source-code queries for specific code patterns;
b) monitor blockchain storage fields that link to other contracts of the service, so that a newly-linked contract will be added to our monitor list.
- Run automated security analyses over all identified contracts. The analyses will combine static (i.e., code) and dynamic (i.e., blockchain state) queries. Some examples of promising analyses include:
- potential for Uniswap/Balancer price manipulation
- interaction with untrusted tokens
- “unchecked sender” in flash loans
- contracts not properly initialized
- inconsistent scaling factors (i.e., powers of 10) for monetary amounts
- ECDSA signing that is not unique per signed message
- conventional errors: arithmetic overflow, reentrancy.
Any new security analyses added to our repertoire over the duration of service, will be seamlessly re-run on the identified contracts.
- Monitor the results of the above automated analyses and classify them by severity. Escalate as appropriate. Maintain a list of contact points for covered projects and communicate with them in case of a discovered vulnerability.
The three tasks above involve different levels of human effort vs. leveraging Dedaub’s technology. We budget the overall project cost at a baseline of $20K/mo (in NXM), subject to scaling parameters, based on the following breakdown.
For task (1), the level of human effort is moderate and scales with the number of monitored protocols. For 10-20 protocols, a small effort (in the order of a couple of person-weeks) is required for bootstrapping and subsequently under one person-day per week is needed for follow-up monitoring to ensure that the classification is correct and complete.
For task (2), the level of human effort is low (just hours per week), consisting only of maintenance of an automated system. There are also (secondary) infrastructure costs for setting up and maintaining a dedicated instance of our analysis service. This effort remains (virtually) unchanged for more protocols.
For task (3), the level of human effort is high and scales with the number of monitored protocols. For 10-20 protocols, an average of two person-days per week are required for ranking warnings, inspecting state and code, determining if any warnings should be pursued further, and pursuing them.
The budgeting anticipates bonus NXM to be paid if a vulnerability is detected that would have led to a claim payout.
All proposals will be considered based on their potential impact on the mutual.
- Awareness/education Projects that seek to grow awareness of Nexus in the wider community and to help members understand how the mutual works. Examples could include writing docs, newsletters, producing videos, memes, NFTs.
- Distribution/sales Projects that focus on b2b partnerships or increase distribution of cover at the source of the primary purchase (ie, on DeFi apps). Examples could include building a distributor on top of Nexus, integrations with other projects, or designing new products.
- Technical improvements/capability Projects that seek to expand functionality of the mutual or development of new products. Examples could include contributing to open source code, designing user interfaces, building a reinsurance layer or constructing bundled yield bearing and protected products
Once a proposal has been up for discussion on here for 7 days it will be closed and we will then translate it to the snapshot for voting. After the snapshot has concluded and if it has produced a favorable outcome, we will distribute the funds.
Details about the Community Fund can be found on this page of our Docs