Immunefi Matching Bug Bounty Program Review | Request for Comment (RFC)

Thanks @BraveNewDeFi for bringing this up and the analysis.

I’d just like to make one point on the cost savings. We can’t really assume a critical bug will lead to paying out the full coverage exposure Nexus has at the time. For example, the Yearn bug applied to one pool (or a subset of pools) and not the full protocol. That means anyone who bought coverage for assets in a different pool wouldn’t suffer a loss, and therefore a claim wouldn’t be paid. There are also instances where a critical bug doesn’t lead to complete financial loss, only partial, so therefore claim payments are also lower than the full coverage exposure.

So we have to make assumptions about claim payment ratios given a critical bug exists. This analysis is very hard to do right now as there isn’t really enough data, but I would use a rough rule of thumb around the 25% mark. I don’t have much to justify this, but it feels like it should be less than 50% based on the hacks we’ve seen so far (very few are full losses like CREAM), but it’s likely still material. I’d guess the true answer is in the 10% - 40% range.

In addition we’d like the program to be clearly positive, so we’d expect active coverage to be substantially above $800k if we’re matching $200k per critical.

On this basis I think we should extend the program to the following:

  • Protocols that have active cover > $2m and an active bug bounty program on Immunefi
  • 1:1 matched payout up to $200k maximum per critical
  • a maximum of $600k to be paid out in total, so 3 max payments, before the programme is reviewed again.

Looking forward to hearing others' views.