The Community Fund is presenting the following proposal from Immunefi for the community’s consideration.
Summary from Immunefi
Immunefi, DeFi’s leading bug bounty service protecting over 100 DeFi projects and $25 billion in user funds, proposes a bug bounty matching program to prevent claim events on Nexus Mutual covered partners, thereby directly strengthening Nexus Mutual’s core business.
Immunefi will handle all operations and logistics (bug bounty program setup, quality monitoring, project support, and payments), with Nexus Mutual’s role being to approve and provide matching payouts to qualifying critical bug reports as they come in.
The Proposal: How It Works
A pre-determined list of Nexus Mutual covered protocols will be eligible for the matching program. Nexus Mutual will determine eligibility requirements at its discretion. This list is subject to review and renewal every 3 months, to evaluate efficacy and control costs. Immunefi will reach out to eligible projects to set them up with bug bounty programs and the matching program, handling all day-to-day operations.
The Nexus Mutual Community Fund will provide 1:1 bounty matching up to a total amount of USD 500 000 per critical bug report that could have led to a claim payout on Nexus Mutual. Though projects can raise their bounties beyond USD 500 000 and are encouraged to do so, Nexus Mutual’s matching program will not match beyond that cap.
As a hypothetical example, if an eligible covered protocol has a critical bug bounty payout of USD 200 000, then the maximum total payout with matching would be USD 400 000: USD 200 000 from the protocol plus USD 200 000 in Nexus Mutual matching.
This matching program only applies to critical vulnerabilities, as defined by Immunefi’s severity classification system or the projects’ own bug bounty program. Matching payments will only be requested once a bug report is paid out by the covered protocol on Immunefi, which Immunefi will confirm. All payments will be made in NXM and executed directly by the Nexus Mutual Community Fund. No escrow is required.
Covered partners will be required to have a critical bug bounty payout of at least USD 50 000 for critical smart contract vulnerabilities in order to be eligible for the matching program. Critical web/app vulnerabilities are excluded from this matching program.
We propose a starting program budget of 12 000 NXM, which is approximately USD 1 000 000 at current prices, to be allocated to this matching program on a trial basis. The budget shall remain in Nexus Mutual’s control. This budget, in combination with the recurring 3 month review period, gives the Nexus Mutual community a short feedback loop to control costs and adjust the program as needed. If the program proves effective in reducing claim payments, we can explore expanding the program; we are confident that Immunefi can demonstrate the effectiveness of bug bounties in reducing claim payouts over the next 12 months.
Nexus Mutual will be mentioned on all critical vulnerability postmortems where its matching program is utilized, so that the broader community is made aware of its direct contributions to ecosystem security.
Conclusion & Next Steps
We hope this is the beginning of an enduring partnership between the Immunefi and Nexus Mutual communities. Together, our communities lead their respective markets (smart contract bug bounties and smart contract insurance), and we have the same goal: preventing DeFi users from losing funds to hacks and bugs. We have even been fortunate enough to work with the Nexus Mutual core team on their own bug bounty program, which lives on immunefi.com.
The immediate next step is for the Nexus Mutual community to discuss and evaluate whether this proposal best serves the needs of the Mutual, and to weigh the value of working with Immunefi relative to other potential bounty service providers.
Immunefi is DeFi’s leading bug bounty system, protecting over 100 projects (such as Nexus Mutual, Yearn Finance, Sushiswap, and Pancakeswap) and more than $25 billion in user funds. Immunefi’s hacker community is the largest and most active in DeFi, and together we have prevented over $1 billion in potential exploits and processed thousands of bug reports.
You can view Immunefi’s current partners and bug bounty programs here:
And review a few of our past bug reports, war rooms, and whitehacks here:
This proposal is inspired by BraveNewDefi’s bug bounty idea, see here: