Nexus Mutual Community Fund <> Immunefi Matching Program Partnership

The Community Fund is presenting the following proposal from Immunefi for the community’s consideration.

Summary from Immunefi

Immunefi, DeFi’s leading bug bounty service protecting over 100 DeFi projects and $25 billion in user funds, proposes a bug bounty matching program to prevent claim events on Nexus Mutual covered partners, thereby directly strengthening Nexus Mutual’s core business.

Immunefi will handle all operations and logistics (bug bounty program setup, quality monitoring, project support, and payments), with Nexus Mutual’s role being to approve and provide matching payouts to qualifying critical bug reports as they come in.

The Proposal: How It Works

A list of pre-determined Nexus Mutual covered protocols will be eligible for the matching program. Nexus Mutual will determine eligibility requirements at its discretion. This list is subject to review and renewal every 3 months, to evaluate efficacy and control costs. Immunefi will reach out to eligible projects to set them up with bug bounty programs and the matching program, handling all day-to-day operations.

The Nexus Mutual Community Fund will provide 1:1 bounty matching up to a total amount of USD 500 000 per critical bug report that could have led to a claim payout on Nexus Mutual. Though projects can raise their bounties beyond USD 500 000 and are encouraged to do so, Nexus Mutual’s matching program will not match beyond that cap.

As a hypothetical example, if an eligible covered protocol has a critical bug bounty payout of USD 200 000, then the maximum total payout with matching would be USD 400 000, due to USD 200 000 Nexus Mutual matching.

This matching program only applies to critical vulnerabilities, as defined by Immunefi’s severity classification system or the projects’ own bug bounty program. Matching payments will only be requested once a bug report is paid out by the covered protocol on Immunefi, which Immunefi will confirm. All payments will be made in NXM and executed directly by the Nexus Mutual Community Fund. No escrow is required.

Covered partners will be required to have a critical bug bounty payout of at least USD 50 000 for critical smart contract vulnerabilities in order to be eligible for the matching program. Critical web/app vulnerabilities are excluded from this matching program.

We propose a starting program budget of 12 000 NXM, which is approximately USD 1 000 000 at current prices, to be allocated to this matching program on a trial basis. The budget shall remain in Nexus Mutual’s control. This budget, in combination with the recurring 3 month review period, gives the Nexus Mutual community a short feedback loop to control costs and adjust the program as needed. If the program proves effective in reducing claim payments, we can explore expanding the program; we are confident that Immunefi can demonstrate the effectiveness of bug bounties in reducing claim payouts over the next 12 months.

Nexus Mutual will be mentioned on all critical vulnerability postmortems where its matching program is utilized, so that the broader community is made aware of its direct contributions to ecosystem security.

Conclusion & Next Steps

We hope this is the beginning of an enduring partnership between the Immunefi and Nexus Mutual communities. Together, our communities lead their respective markets (smart contract bug bounties and smart contract insurance), and we have the same goal: preventing DeFi users from losing funds to hacks and bugs. We have even been fortunate enough to work with the Nexus Mutual core team on their own bug bounty program, which lives on immunefi.com.

The immediate next step is for the Nexus Community to discuss and evaluate if this proposal best serves the needs of the Mutual, and weigh the value of working with Immunefi relative to other potential bounty service providers.

About Immunefi

Immunefi is DeFi’s leading bug bounty system, protecting over 100 projects (like Nexus Mutual, Yearn Finance, Sushiswap, and Pancakeswap) and $25+ billion in user funds. Immunefi’s hacker community is the largest and most active in DeFi, and together we have prevented over $1 billion in potential exploits and processed thousands of bug reports.

You can view Immunefi’s current partners and bug bounty programs here:

And review a few of our past bug reports, war rooms, and whitehacks here:

This proposal is inspired by BraveNewDefi’s bug bounty idea, see here:

Thanks @Kendrea for this! We hope to further our relationship with Nexus Mutual through this Matching Program.

I’m Travin Keith, one of the Co-Founders of Immunefi, and we believe that this could further secure the covered protocols, preventing catastrophic damage by both encouraging even more whitehat hackers to focus on Nexus Mutual covered protocols and further economically incentivizing blackhat hackers to disclose vulnerabilities instead of exploiting them.

I’m looking forward to hearing feedback from the Nexus Mutual community. I’ll be around to answer questions that come up :smiley:

Armor has had a great experience working with the Immunefi team and this helps prevent hacks before they happen, adding another layer of protection to users who seek coverage for their assets. Very sensible and thoughtfully considered proposal with mutual benefits to all stakeholders.

CTO from Armor here, and I’m very much for any proposal further helping to secure the ecosystem. Even disregarding any goodwill, this could be an extremely effective cost-saving measure for Nexus underwriters: paying $50-500k to save underwriters from losing millions is a no-brainer. We launched a similar program with Immunefi; they’ve taken care of almost all of it, we haven’t needed to pay anything out yet, and no hacks on any involved protocols have occurred. Definitely a win-win here for Nexus Mutual and the ecosystem at large.

Armor is a great company, and the feedback is valuable.

Hi everyone, this is Mitchell Amador from Immunefi.

I’d like to note that we want to ensure that any bug bounty payouts from the matching programs make economic sense to the Mutual. The key to doing this is in designing the matching program eligibility requirements to ensure that any payouts made save far more money for underwriters than a hack would have inflicted.

We very deliberately leave decision making on eligibility in the hands of Nexus Mutual, as they will know the economics of Nexus far better than we could.

In this way, we can ensure alignment of interests between Immunefi and Nexus Mutual for the long term.

I am a fan of Immunefi and am inclined to vote in favour of this proposal.

Nonetheless, I think the Immunefi team should be required to present a business case behind it before it goes to a snapshot vote.

It doesn’t even necessarily have to be a full business case, but some kind of historic data that shows e.g. “bug bounty payouts vs potential risk vs protocol TVL”.

Thanks for the kind words @Markus_Agnostic.

For the business case, what do you have in mind? A case study of a successfully resolved bug bounty payout that could have resulted in a serious exploit, and the funds at risk there, to show the level of damage mitigation?

We could definitely prepare some examples to show how this typically works. With a few case studies, it’s pretty simple.

Hi @Mitchell_Amador

A case study of a successfully resolved bug bounty payout that could have resulted in a serious exploit, and the funds at risk there, to show the level of damage mitigation?

Pretty much, yes.

Something I had in mind would just take all protocols available for cover on Nexus, show the potential severity and compare that to TVL and the percentage of the TVL that Nexus is covering.

Like let’s say in this hypothetical scenario: “A bug was found in Protocol A, that could have drained 1 of 4 vaults. The TVL was $400m, which would have caused a potential damage of $100m. Nexus is covering 0.2% of the TVL, which is $800k. Bug bounty $200k vs claim payout $800k.”

… and then simply line it up in a sheet.

Hey all! Sharing some thoughts here.

12,000 NXM is almost 5% of the Nexus community fund treasury. Nexus has a smaller treasury than most other DeFi projects so I want to be prudent in spending. The token mint to set up the community fund was contentious enough so I want to avoid the slippery slope of doing more token mints and diluting NXM holders to recapitalize the treasury.

That said, I’m open to starting with a small amount, say $100k worth of NXM, to see if the partnership is worthwhile and then periodically get approvals for future NXM rather than most of it upfront. This should be enough to cover the first critical vulnerability bug bounty payout, and then we can reevaluate whether the program is effective at reducing claim payments (e.g. bug bounty payout < active cover on such a project). Immunefi also has a strong brand, so it could be worthwhile for Nexus to be a long-term partner.

The key part of the proposal is “could have led to a claim payout on Nexus Mutual”. Nexus has the proof-of-loss requirement, which means users have to sign a message proving they control a wallet that lost money in the hack; in the recent Yearn hack, for example, Nexus only paid $2.8M worth of claims out of $63.4M worth of active covers. Furthermore, projects often reimburse affected users (e.g. Thorchain), which obviates the need for claims on Nexus. So even if a critical bug is disclosed on Immunefi, Nexus wouldn’t necessarily pay claims on the full amount of active covers if that bug got exploited.

I’ve been made aware that the 7 days before a proposal goes to snapshot have already expired, and this will be going to vote soon. Nonetheless, I’m happy to say we’re quite open to making the business case, if only partially, due to time limitations. Here are three examples, two realized and one hypothetical.

For the first example, we have our postmortem from our work with 88mph, see here: 88mph Function Initialization Bug Fix Postmortem | by Immunefi | Immunefi | Jun, 2021 | Medium

In this vulnerability, $6.5mm in tokens were at risk of being drained, of a total TVL of $17.6mm. Thankfully, the vulnerability was surfaced via bug bounty and patched. The bug bounty paid out was $42,069.

A second example is our 2nd Fei critical vulnerability, postmortem here: Fei Protocol Flashloan Vulnerability Postmortem | by Immunefi | Immunefi | Medium

In this vulnerability, 60,000 ETH (valued then at $234mm) were at risk of being stolen, of a total TVL of $692mm. The vulnerability was surfaced and the bug bounty paid out was $800,000.

The hypothetical example is Lido. Lido keeps its ETH in a single pool. If that pool ever has vulnerabilities, assets in the pool are at risk (about $1.66 billion USD today). It doesn’t really matter what size of bug bounty is paid out, it will have positive EV relative to the hack. And if Nexus should ever sell cover on Lido, any such matching payment will have enormously positive EV relative to claims payouts (which would probably be for all cover sold).

The examples illustrate the impact these vulnerabilities typically present, and most protocols share this kind of risk profile. Ideally, Nexus’s matching would restrict itself to covering these kinds of catastrophic vulnerabilities, which is where they are likely to have claims payouts.

As to assessing bug bounty payouts relative to claims payouts, I don’t have that data at hand, but I’d be happy to integrate that into matching program qualification such that any matching payments made are less than the claim payout that would have ensued. With a simple API, that should be straightforward to make as a condition of any matching payment. We can work with the Nexus Mutual team to make this happen, as they will set the qualification criteria and can make this a requirement.

As to @rchen8’s comment, prudence seems wise. I had suggested a low cap (approximately $1mm) and a 3 month review period precisely to provide that time for re-evaluation. Extending it further to mitigate treasury requirements is perfectly fine for us, although $100,000 is probably too small of an amount, seeing that a matching payment on a truly critical vulnerability could be up to $500,000. I recommend we set that as the minimum for the first set, if 12,000 NXM was deemed too much by the Nexus Mutual team.

We should also note that bug report intake is somewhat unpredictable; it could be months before we receive any qualifying reports (we are setting fairly strict eligibility requirements here). Additionally, the first report may not be representative of the value of the program, which is to drive critical bug reports over a whole set of covered protocols, and a single particular bug report may drive more value to Nexus than the remaining entirety of the set put together, due to the size of a vulnerability and cover sold. The real value of the program to Nexus is in adding a further layer of protection against a catastrophic black swan hack that results in a massive claim event, while costing little to nothing to maintain (as we are taking care of all operational costs and concerns). For this reason, we ask for some time (at least 12 months) to demonstrate the value of the matching program.

Also worth noting: we are not requesting 12,000 NXM be allocated to us, but rather to earmark it to the program while remaining in Nexus Mutual’s possession. Funds will only be paid out as eligible bug reports are confirmed. If the program is discontinued, those funds remain 100% available for redeployment on more profitable initiatives.

At this point, I’ve said plenty. We are excited about the possibility of working with the Nexus Mutual community, and are happy to adjust the program to ensure that it’s as riskless for Nexus Mutual as possible. If you’re excited to work with us, we hope you vote YES in the coming snapshot vote!

After discussing further with @rchen8 as to how to best set up the matching program to serve the needs of the Community Fund, we’d like to make some adjustments. Thanks again for your feedback here, Richard.

Now, onto the adjustments:

  1. First, to make clear that the current matching program is a trial for both Nexus Mutual and Immunefi, and if it works we can explore a matching program with expanded scope. We’d like to run this trial program until either we pay out the earmarked funds, or either party decides to discontinue the collaboration.

  2. Second, to adjust the 1:1 bounty matching from Nexus to a maximum $200,000 per qualifying critical bug report for the duration of the trial program.

  3. Third, to further limit risk to the Nexus Mutual community fund, we’d like to adjust the requested funds earmarked to this program to 2500 NXM, or approximately $200,000. This will give the program just enough capital to pay out any single maximum claim, while mitigating payout risk for the community fund.

  4. Fourth, Nexus Mutual itself will determine conditions a project must satisfy in order to participate in the matching program, which can include things like the aggregate cover available on a protocol and its architecture. For example, yield aggregators with many pools may require more restrictive qualification conditions than a protocol that stores all funds in a single pool, seeing that the proof of loss requirement provides some protection against yield aggregator losses for the Mutual. We leave qualification specifics to the Nexus Mutual team, but want to be conscious that the basis of the collaboration is delivering compelling value.

  5. Fifth, we will review all qualifying critical bug reports with the Nexus Mutual team shortly after the report has been fully resolved, so we can adjust the program as rapidly as possible to suit the Mutual’s needs. If there are further adjustments to the program that need to be made, we will know and make them very quickly.

With the above, we believe we’ve mitigated all the major risks. The next action point would be to try it out, and see if it delivers as much value as many of us here believe it could.

Thanks, Mitchell.

Great to see things being refined based on community feedback. We’ll organise to get the revised proposal listed into snapshot for voting.

Like the proposal… although it might make sense to start with a lower bounty, like 250k, to begin with.