This is a community initiative to improve the overall safety and security of using DeFi products. The sheer amount of negative headlines about hacks and losses of users’ funds are damaging DeFi’s reputation and are threatening its wider adoption.
Security is a layered approach and no team can write perfect code nor can auditors be expected to sign off on code as perfectly safe. It would, therefore, be sensible to offer additional layers of safety such as insurance. This proposal aims to explore and suggest some implementations as best practices based on a number of interviews with project owners, auditors, and Nexus Mutual members.
Auditors do a great job of providing objective reviews of the code they are hired to inspect, but projects often misappropriate these reviews by flaunting the audit as a seal of approval and safety, and not whether the code is still the same or if the audit results were even positive.
Early adopters, the majority of today’s DeFi users, can read an audit report and come to their own conclusions. But DeFi is slowly starting to get more usage by the general public and which cannot, nor should they be expected to. They mistrust the blockchain industry (1, 2, 3, 4, 5) while the main familiar protector against financial loss is insurance like the FDIC.
This initiative is aimed to make the audit/code review results available to the public in a more objective but also easily recognizable manner, to encourage longer-term involvement of auditors with the projects they are engaging with and to make insurance against financial loss broadly available as an additional security layer.
We see the following core issues plaguing DeFi in regards to security right now:
Misappropriation of Audits
Audits/code reviews are often misappropriated to signal safety to the users of projects, even if the audit/code review had negative conclusions.
Lack of Ongoing Involvement
Projects often upgrade their smart contracts with non-audited code but are still referring to the previous audits as security guarantees. There is no concept of having an auditor on retainer for most projects.
Users are painfully under-equipped to manage smart contract related risks properly, nor does DeFi currently offer users the tools to better assess these risks.
By aligning auditors, projects, Nexus Mutual members, and users of projects, a lot of these broken signals can be fixed.
Mint new NXM tokens that are airdropped to participating auditors, with an indefinite lock-up inside the mutual but usable for risk assessment staking and votes on claim assessments. Auditors will be able to keep the rewards from staking and claim assessment and are able to generate additional income that way. We are projecting to mint 4,000 NXM token to reward every auditor - project relationship with around $1,000 per year in two years.
Auditors are thereby creating valuable signals for Nexus Mutual members to allocate more stake towards a project or to improve understanding of claims.
A withdrawal of stake could be a good signal to Nexus Mutual members that circumstances around a contract have changed and risk would automatically adjust.
There should be a limit of 4,000 NXM per smart contract that each auditor can deploy, thereby providing a range of trust, e.g. staking only 1,000 NXM towards a smart contract would signal less trust than staking 4,000 NXM.
Furthermore, it is proposed to have semi-annual minting events to reward ongoing auditing work and to onboard new auditors in the space.
Nexus Mutual regulars will be familiar with the following definitions and can feel free to skip this section.
Nexus Mutual’s native token, used for various purposes within the mutual from buying cover, to staking and voting on claims or governance.
Basically everyone who has a recognized capability to evaluate the safety of smart contracts, either through manual code review, automated tools, economic simulations, formal verification, or other widely recognized techniques.
Every proven auditor - project relationship. Multiple (paid) reviews of the same smart contract would still be counted as one audit within this proposal.
Utilization and under-collateralization
Like all insurances, Nexus Mutual is most capital-efficient when it operates undercollateralized, meaning that the sum of all potential claims is much greater than the assets actually held. Nexus Mutual current utilization rate is around 100% but the system is designed to handle utilization rates of at least 500%, with a medium-term target of around 700%. 700% corresponds to a ~14.2% collateralization ratio.
Minimum Capital Requirement (MCR)
The MCR is the limit under which the capital in the mutual cannot be withdrawn except to pay claims. This sum currently stands at 13,100 ETH. Nexus Mutual will hold (and invest) the Capital Pool of assets that back its covers. The ratio between the Capital Pool and the MCR is known as the coverage ratio and abbreviated to MCR%.
More information: https://nexusmutual.gitbook.io/docs/docs#capital-based-limit
Nexus Mutual Bonding Curve
Price discovery on Nexus Mutual doesn’t happen via a market, but via a predefined price formula:
TP = A + (MCR / C) × MCR%^4
- A = 0.01028
- C = 5,800,000
Therefore there is almost guaranteed liquidity for everyone purchasing NXM to redeem later back into ETH. More info: https://nexusmutual.gitbook.io/docs/docs#token-price-formula
Risk Assessor Rewards (Staking rewards)
Currently 20% of all premiums purchased are returned to the members who are staking. Pooled staking is about to roll out and will distribute these rewards pro-rata to all members staking towards that contract. Additionally, there is a planned governance vote to increase staking rewards to up to 50% of the premium with a high likelihood of passing (according to a signal vote on Discord).
Claim Assessor Rewards
If a member thinks they have a worthy claim to be paid out, other members will vote whether that claim is valid or not. The incentives for voting are a pro-rata distribution of 20% of the initial purchased premium for voters of the correct outcome.
Nexus Mutual has proven product-market fit with 3.5m in cover purchased, but can still improve capital efficiency. The collateralization ratio is above 100% but again, insurance for a more diverse contract set is needed to reach the target of 700% utilization of the capital.
Pricing is also sub-optimal and more work is being done on that front as well.
Based on the current MCR, staked NXM towards projects, and a 50% Risk Assessor Reward, the following payouts are possible depending on capital utilization (red and yellow graphs are assuming that the mutual would have 200%, 500% more capital than today):
To have a meaningful enough impact for the auditors’ balance sheets, Nexus Mutual will have to reach a high utilization rate and expand its capital balance. So far cover purchases have had a strong correlation (>0.75) with the total value locked (TVL) of DeFi, thereby making it rational to assume cover purchases will at least continue to rise as DeFi becomes more popular.
Given this correlation and the fact Nexus Mutual is working on a lot of product improvements, we project the following Risk Assessment Rewards to be possible over the next years:
- Year 1 payout from risk assessment: $ 30,000
- Year 2 payout from risk assessment: $ 120,000
- Year 3 payout from risk assessment: $ 440,000
The current staking ratio of NXM holders is just 7.5% which is probably attributable to the old staking system (which is very unfavorable for the majority of staking members) and the fact that some NXM tokens are also reserved for the claim assessment. We assume that with the new pooled staking system a staking ratio of 25% is realistic. Furthermore we are assuming that we onboard auditors who have had a total of 100 DeFi related smart contract audits. To achieve a yearly payout of $1,000 per audit by year 3 we’d have to mint 4,000 NXM per proven auditor-project relationship, assuming a maximum of 400,000 NXM to be newly minted over a two-year time period. This would be synonymous with a dilution of 10% of the total current supply.
While 10% sounds like a lot of dilution, it should be noted that this is likely only achieved at a very high participation rate over a 1-2 year time period. Ongoing auditing work for new projects entering the space has to be rewarded equally and we propose to have semi-annual minting events, distributing NXM to participating auditors.
Involvement in this initiative by industry security experts is thought to include the following benefits:
Through continuous earning of rewards per risk assessed contract, auditors are encouraged to have an eye on the contracts and signal through stake adjustments whether their confidence in the security of the smart contract increases or decreases. This will be especially helpful in identifying and risk adjusting unaudited smart contract upgrades.
Stake towards a smart contract by an auditor is a powerful signal for Nexus Mutual members who are less technical and might be the deciding factor for other members to stake as well. More capital staked towards a smart contract will mean more cover can be underwritten, which in turn will lead to more insurance cover.
Once this initiative has proven value, a widget could be added to the UIs of projects which translates the staking ratio into a simple yet meaningful risk signal for end-users, thereby creating a more market-based signaling of security for each smart contract.
Nexus Mutual members have to determine the cause for smart contract security issues and therefore rely on third party reports for more clarification on the incidents. Having security experts involved in the community and able to answer questions once a claim was filed will likely create more confidence in the voting process and make sure claim outcomes are perceived to be unbiased. 20% of the paid premium will also be shared to claim assessors who vote with the majority.
Being an active and contributing member in risk and claim assessment will provide more visibility within the DeFi space and give a chance for security firms to better differentiate themselves.
Several auditors have been interviewed for their feedback and while the overall impression was very positive, some potential issues have also been noted:
A risk through market-based risk assessment is manipulation. If an auditor wanted to take advantage of this, they had to signal high confidence in a new project to attract more stake from other Nexus Mutual members. They would then take out large insurance against this project, only to execute on a vulnerability (only known to them) later and file claims. While this could be a feasible way to make money, it would likely leave on-chain traces and Nexus Mutual members would still have a chance to deny these claims. The resulting reputational damage would outweigh the potential financial gain.
Auditors voiced their concern over endorsing certain projects such as Nexus Mutual instead of others in the space. They want to stay neutral and not favor any protocol.
While we cannot speak for plans of other projects and their economics, we would welcome more insurance-related projects to follow in the footsteps of this initiative and incentivize security experts for their involvement.
To delegate the minted NXM token to a neutral third party such as AuditDAO to represent them would mitigate further neutrality concerns.
Risk priced too low
A few auditors noted that risk in DeFi is currently priced too low and that rewards for interactions with smart contracts should be higher to justify that risk.
While it is out of scope for this proposal to improve rewards for smart contract interactions of various DeFi protocols, it should be noted that a risk pricing approach based on staking will ultimately lead to higher insurance premiums for the majority of projects. Suggestions to improve this are already being discussed.
Staking becomes part of negotiations
Some auditors noted that as part of future contract negotiations with projects, staking on Nexus Mutual could become a contract clause for them. This would in effect make the whole market dynamics void, if projects were to pay upfront for an agreed-upon stake.
To mitigate this, we are suggesting the following:
- Auditors that want to participate but are afraid of the above scenario can publish pre-defined criteria for which they would delegate their stake towards projects. An example of this would be an auditor requiring the project to post MythX (or Crytic) results and delegate NXM based on these results, or simply the fact that a check-list of best practices has been followed.
- Auditors could outsource their stake to third-party organizations like AuditDAO who would effectively manage their stake and potentially return some rewards to them as well.
The other side of the medal of the previous argument would be that auditors would be able to abuse their clients and demand extra payment for favorable staking.
Over time this would become a costly argument, as staking would not be based on merit, and repeated smart contract incidents related to one auditor would not just hurt their stake, but also their primary business model.
- collect feedback from the Nexus Mutual member community
- have the Nexus Mutual team make an estimate for the required changes
- onboard more auditors and refine the NXM inflation numbers