Proposal: Auditor Signaling

Background

This is a community initiative to improve the overall safety and security of using DeFi products. The sheer amount of negative headlines about hacks and losses of users’ funds are damaging DeFi’s reputation and are threatening its wider adoption.

Security is a layered approach and no team can write perfect code nor can auditors be expected to sign off on code as perfectly safe. It would, therefore, be sensible to offer additional layers of safety such as insurance. This proposal aims to explore and suggest some implementations as best practices based on a number of interviews with project owners, auditors, and Nexus Mutual members.

Auditors do a great job of providing objective reviews of the code they are hired to inspect, but projects often misappropriate these reviews by flaunting the audit as a seal of approval and safety, and not whether the code is still the same or if the audit results were even positive.

Early adopters, the majority of today’s DeFi users, can read an audit report and come to their own conclusions. But DeFi is slowly starting to get more usage by the general public, who cannot, nor should they be expected to. They mistrust the blockchain industry (1, 2, 3, 4, 5), while the main familiar protector against financial loss is insurance like the FDIC.

This initiative is aimed to make the audit/code review results available to the public in a more objective but also easily recognizable manner, to encourage longer-term involvement of auditors with the projects they are engaging with and to make insurance against financial loss broadly available as an additional security layer.

We see the following core issues plaguing DeFi in regards to security right now:

Misappropriation of Audits

Audits/code reviews are often misappropriated to signal safety to the users of projects, even if the audit/code review had negative conclusions.

Lack of Ongoing Involvement

Projects often upgrade their smart contracts with non-audited code but are still referring to the previous audits as security guarantees. There is no concept of having an auditor on retainer for most projects.

Risk Pricing

Users are painfully under-equipped to manage smart contract related risks properly, nor does DeFi currently offer users the tools to better assess these risks.

By aligning auditors, projects, Nexus Mutual members, and users of projects, a lot of these broken signals can be fixed.

Proposal

Mint new NXM tokens that are airdropped to participating auditors, with an indefinite lock-up inside the mutual but usable for risk assessment staking and votes on claim assessments. Auditors will be able to keep the rewards from staking and claim assessment and are able to generate additional income that way. We are projecting to mint 4,000 NXM tokens to reward every auditor-project relationship with around $1,000 per year in two years.

Auditors are thereby creating valuable signals for Nexus Mutual members to allocate more stake towards a project or to improve understanding of claims.

A withdrawal of stake could be a good signal to Nexus Mutual members that circumstances around a contract have changed and risk would automatically adjust.

There should be a limit of 4,000 NXM per smart contract that each auditor can deploy, thereby providing a range of trust, e.g. staking only 1,000 NXM towards a smart contract would signal less trust than staking 4,000 NXM.

Furthermore, it is proposed to have semi-annual minting events to reward ongoing auditing work and to onboard new auditors in the space.

Definitions

Nexus Mutual regulars will be familiar with the following definitions and can feel free to skip this section.

NXM

Nexus Mutual’s native token, used for various purposes within the mutual from buying cover, to staking and voting on claims or governance.

Auditor

Basically everyone who has a recognized capability to evaluate the safety of smart contracts, either through manual code review, automated tools, economic simulations, formal verification, or other widely recognized techniques.

Audit

Every proven auditor-project relationship. Multiple (paid) reviews of the same smart contract would still be counted as one audit within this proposal.

Utilization and under-collateralization

Like all insurers, Nexus Mutual is most capital-efficient when it operates under-collateralized, meaning that the sum of all potential claims is much greater than the assets actually held. Nexus Mutual’s current utilization rate is around 100%, but the system is designed to handle utilization rates of at least 500%, with a medium-term target of around 700%. 700% corresponds to a ~14.2% collateralization ratio.

Minimum Capital Requirement (MCR)

The MCR is the limit under which the capital in the mutual cannot be withdrawn except to pay claims. This sum currently stands at 13,100 ETH. Nexus Mutual will hold (and invest) the Capital Pool of assets that back its covers. The ratio between the Capital Pool and the MCR is known as the coverage ratio and abbreviated to MCR%.

More information: https://nexusmutual.gitbook.io/docs/docs#capital-based-limit

Nexus Mutual Bonding Curve

Price discovery on Nexus Mutual doesn’t happen via a market, but via a predefined price formula:

TP = A + (MCR / C) × MCR%^4

  • A = 0.01028
  • C = 5,800,000

Therefore there is almost guaranteed liquidity for everyone purchasing NXM to redeem later back into ETH. More info: https://nexusmutual.gitbook.io/docs/docs#token-price-formula

Risk Assessor Rewards (Staking rewards)

Currently 20% of all premiums purchased are returned to the members who are staking. Pooled staking is about to roll out and will distribute these rewards pro-rata to all members staking towards that contract. Additionally, there is a planned governance vote to increase staking rewards to up to 50% of the premium with a high likelihood of passing (according to a signal vote on Discord).

Claim Assessor Rewards

If a member thinks they have a worthy claim to be paid out, other members will vote whether that claim is valid or not. The incentives for voting are a pro-rata distribution of 20% of the initial purchased premium for voters of the correct outcome.

Compensation Scenarios

Nexus Mutual has proven product-market fit with 3.5m in cover purchased, but can still improve capital efficiency. The collateralization ratio is above 100% but again, insurance for a more diverse contract set is needed to reach the target of 700% utilization of the capital.

Pricing is also sub-optimal and more work is being done on that front as well.

Based on the current MCR, staked NXM towards projects, and a 50% Risk Assessor Reward, the following payouts are possible depending on capital utilization (red and yellow graphs are assuming that the mutual would have 200%, 500% more capital than today):

To have a meaningful enough impact for the auditors’ balance sheets, Nexus Mutual will have to reach a high utilization rate and expand its capital balance. So far cover purchases have had a strong correlation (>0.75) with the total value locked (TVL) of DeFi, thereby making it rational to assume cover purchases will at least continue to rise as DeFi becomes more popular.

Given this correlation and the fact Nexus Mutual is working on a lot of product improvements, we project the following Risk Assessment Rewards to be possible over the next years:

Read:

  • Year 1 payout from risk assessment: $ 30,000
  • Year 2 payout from risk assessment: $ 120,000
  • Year 3 payout from risk assessment: $ 440,000

The current staking ratio of NXM holders is just 7.5%, which is probably attributable to the old staking system (which is very unfavorable for the majority of staking members) and the fact that some NXM tokens are also reserved for claim assessment. We assume that with the new pooled staking system a staking ratio of 25% is realistic. Furthermore, we are assuming that we onboard auditors who have had a total of 100 DeFi-related smart contract audits. To achieve a yearly payout of $1,000 per audit by year 3 we’d have to mint 4,000 NXM per proven auditor-project relationship, assuming a maximum of 400,000 NXM to be newly minted over a two-year time period. This would be synonymous with a dilution of 10% of the total current supply.

While 10% sounds like a lot of dilution, it should be noted that this is likely only achieved at a very high participation rate over a 1-2 year time period. Ongoing auditing work for new projects entering the space has to be rewarded equally and we propose to have semi-annual minting events, distributing NXM to participating auditors.

Incentives

Involvement in this initiative by industry security experts is thought to include the following benefits:

Ongoing Involvement

Through continuous earning of rewards per risk assessed contract, auditors are encouraged to have an eye on the contracts and signal through stake adjustments whether their confidence in the security of the smart contract increases or decreases. This will be especially helpful in identifying and risk adjusting unaudited smart contract upgrades.

Member Signaling

Stake towards a smart contract by an auditor is a powerful signal for Nexus Mutual members who are less technical and might be the deciding factor for other members to stake as well. More capital staked towards a smart contract will mean more cover can be underwritten, which in turn will lead to more insurance cover.

Public Signaling

Once this initiative has proven value, a widget could be added to the UIs of projects which translates the staking ratio into a simple yet meaningful risk signal for end-users, thereby creating a more market-based signaling of security for each smart contract.

Claim Assessment

Nexus Mutual members have to determine the cause for smart contract security issues and therefore rely on third party reports for more clarification on the incidents. Having security experts involved in the community and able to answer questions once a claim was filed will likely create more confidence in the voting process and make sure claim outcomes are perceived to be unbiased. 20% of the paid premium will also be shared to claim assessors who vote with the majority.

PR

Being an active and contributing member in risk and claim assessment will provide more visibility within the DeFi space and give a chance for security firms to better differentiate themselves.

Known Issues

Several auditors have been interviewed for their feedback and while the overall impression was very positive, some potential issues have also been noted:

Manipulation

A risk through market-based risk assessment is manipulation. If an auditor wanted to take advantage of this, they would have to signal high confidence in a new project to attract more stake from other Nexus Mutual members. They would then take out large insurance against this project, only to execute on a vulnerability (only known to them) later and file claims. While this could be a feasible way to make money, it would likely leave on-chain traces and Nexus Mutual members would still have a chance to deny these claims. The resulting reputational damage would outweigh the potential financial gain.

Auditor Independence

Auditors voiced their concern over endorsing certain projects such as Nexus Mutual instead of others in the space. They want to stay neutral and not favor any protocol.

While we cannot speak for plans of other projects and their economics, we would welcome more insurance-related projects to follow in the footsteps of this initiative and incentivize security experts for their involvement.

To delegate the minted NXM token to a neutral third party such as AuditDAO to represent them would mitigate further neutrality concerns.

Risk priced too low

A few auditors noted that risk in DeFi is currently priced too low and that rewards for interactions with smart contracts should be higher to justify that risk.

While it is out of scope for this proposal to improve rewards for smart contract interactions of various DeFi protocols, it should be noted that a risk pricing approach based on staking will ultimately lead to higher insurance premiums for the majority of projects. Suggestions to improve this are already being discussed.

Staking becomes part of negotiations

Some auditors noted that as part of future contract negotiations with projects, staking on Nexus Mutual could become a contract clause for them. This would in effect make the whole market dynamics void, if projects were to pay upfront for an agreed-upon stake.

To mitigate this, we are suggesting the following:

  • Auditors that want to participate but are afraid of the above scenario can publish pre-defined criteria for which they would delegate their stake towards projects. An example of this would be an auditor requiring the project to post MythX (or Crytic) results and delegate NXM based on these results, or simply the fact that a check-list of best practices has been followed.
  • Auditors could outsource their stake to third-party organizations like AuditDAO who would effectively manage their stake and potentially return some rewards to them as well.

Abusing clients

The other side of the medal of the previous argument would be that auditors would be able to abuse their clients and demand extra payment for favorable staking.

Over time this would become a costly argument, as staking would not be based on merit, and repeated smart contract incidents related to one auditor would not just hurt their stake, but also their primary business model.

Next Steps

  • collect feedback from the Nexus Mutual member community
  • have the Nexus Mutual team make an estimate for the required changes
  • onboard more auditors and refine the NXM inflation numbers
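As an added illustration (not code from the proposal author or from Nexus Mutual), the following Python model puts the token price formula from the Definitions section and the mint/dilution arithmetic from the Compensation Scenarios section into runnable form. It assumes MCR is expressed in ETH, that MCR% enters the formula as a plain ratio (1.0 for 100%), and it uses a placeholder pre-mint supply of 4,000,000 NXM chosen only so that the proposal’s stated 10% dilution for a 400,000 NXM mint reproduces; none of those three assumptions are stated in the thread.

```python
# Added example (not from the proposal or Nexus Mutual): a small model of the
# NXM price formula and the mint/dilution arithmetic quoted in the proposal.
# Assumptions not stated on the page: MCR is in ETH, MCR% is a plain ratio
# (1.0 == 100%), and the pre-mint supply is a 4,000,000 NXM placeholder chosen
# so that the proposal's "10% dilution" figure reproduces.

A = 0.01028                 # price formula constant (from the proposal)
C = 5_800_000               # price formula constant (from the proposal)
MCR_ETH = 13_100            # Minimum Capital Requirement quoted in the proposal, in ETH
MINT_CAP_PER_AUDIT = 4_000  # proposed maximum NXM per auditor-project relationship
ASSUMED_CURRENT_SUPPLY = 4_000_000  # placeholder, see header comment


def token_price(mcr_pct: float, mcr_eth: float = MCR_ETH) -> float:
    """TP = A + (MCR / C) * MCR%^4, in ETH per NXM.

    Because of the fourth power, the price sits close to the constant A when the
    capital pool is near the MCR and climbs steeply as MCR% grows.
    """
    if mcr_pct < 0:
        raise ValueError("MCR% cannot be negative")
    return A + (mcr_eth / C) * mcr_pct ** 4


def price_curve(ratios, mcr_eth: float = MCR_ETH) -> dict:
    """Price at several MCR% points, to see how redemption value moves with capital."""
    return {r: token_price(r, mcr_eth) for r in ratios}


def collateralization_ratio(utilization: float) -> float:
    """Assets held divided by potential claims, given utilization (claims / assets).

    700% utilization (7.0) gives 1/7, the figure the proposal quotes as ~14.2%.
    """
    if utilization <= 0:
        raise ValueError("utilization must be positive")
    return 1.0 / utilization


def mint_plan(audits: int, nxm_per_audit: float,
              current_supply: float = ASSUMED_CURRENT_SUPPLY) -> dict:
    """Total mint and dilution for a batch of auditor-project relationships.

    Each relationship is capped at MINT_CAP_PER_AUDIT, as the proposal suggests.
    """
    per_audit = min(nxm_per_audit, MINT_CAP_PER_AUDIT)
    minted = audits * per_audit
    return {
        "per_audit": per_audit,
        "minted": minted,
        "dilution": minted / current_supply,
        "new_supply": current_supply + minted,
    }


def trust_signal(staked_nxm: float) -> float:
    """Fraction of the per-contract cap an auditor has staked (the proposal's 'range of trust').

    1,000 NXM staked -> 0.25; 4,000 NXM -> 1.0; anything above the cap is clamped.
    """
    if staked_nxm < 0:
        raise ValueError("stake cannot be negative")
    return min(staked_nxm, MINT_CAP_PER_AUDIT) / MINT_CAP_PER_AUDIT


if __name__ == "__main__":
    for r, p in price_curve([1.0, 1.5, 2.0]).items():
        print(f"MCR% = {r:.0%}: {p:.5f} ETH per NXM")
    print(f"700% utilization -> {collateralization_ratio(7.0):.1%} collateralized")
    plan = mint_plan(audits=100, nxm_per_audit=4_000)
    print(f"mint {plan['minted']:,.0f} NXM -> {plan['dilution']:.0%} dilution")
    print(f"1,000 NXM staked -> trust signal {trust_signal(1_000):.2f}")
```

Running the module prints the price at 100%, 150% and 200% MCR%, which makes the point in the Definitions section concrete: at 100% MCR% the price is about 0.0125 ETH, and doubling MCR% multiplies the second term by 16. The `mint_plan` cap and the `trust_signal` clamp encode the 4,000 NXM per-contract limit the proposal sets; swap in the real supply figure for `ASSUMED_CURRENT_SUPPLY` to get an actual dilution number.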

Auditors that agreed to participate so far are (in the order of agreeing):

We are still waiting to hear back from some more. If you are interested to participate as well, please reply here or reach out to someone on the Nexus Mutual team.


This is really a great initiative, thanks for tabling it @HeyChristopher!

I think you articulate most of the pros and cons well. A few more unstructured thoughts that came to mind:

  • a strong signal from a top auditor would likely attract a significantly higher amount of staking behind them, thus diluting the potential reward available for the auditor while also (perhaps) signalling the market that such contract is ‘extra safe’ so not requiring cover as much as others?
  • not all projects can afford the best auditors unfortunately (they are, rightly, expensive!), and the ones they can afford may not be participating in this staking programme. So would this be favouring the best funded projects who can afford an expensive audit over the more nimble ones?
  • from purely an administrative perspective, presumably this would require extra resources and additional costs from the auditors, if they are required to actively participate in claim assessments, contribute to discussions, let alone do the staking etc. Not an issue per se, but just flagging that from a P&L perspective the potential rewards might need to be netted off some form of costs, if only opportunity costs.
  • related to the point above, it does not feel like the push back from auditors is related to the size of the financial incentive (but more a philosophical kind of push back). So how have you arrived at the proposed sizing of the rewards?

I’m very supportive of the overall objectives of this proposal, so thank you @HeyChristopher for all the work you’ve put in so far. My main uncertainty is around the specific mechanics and how we best use any newly minted tokens in the most effective way.

Illustrating this with a specific example:

Mint new NXM tokens that are airdropped to participating auditors, with an indefinite lock-up inside the mutual but usable for risk assessment staking and votes on claim assessments. Auditors will be able to keep the rewards from staking and claim assessment and are able to generate additional income that way. We are projecting to mint 4,000 NXM token to reward every auditor - project relationship

An indefinite lock-up requires minting more NXM to generate the same income levels. There could be eg a 3 year lock-up and a lower mint. There are quite a few options here and it’s hard to work out what’s optimal.

More generally, I tend to prefer starting with limited trials for any incentive mechanism as it’s really hard to get it correct initially. Everything will be gamed.


What Nexus really wants is an active staking network of knowledgeable participants that stake on protocols that members wish to buy cover on. This has quite a few elements and if we lock into a long term structure early it will almost certainly be sub-optimal and worst case end up encouraging perverse behaviour. Intuitively I believe we can only get to a good model with experimentation.

This actually opens up a wider question, especially given the recent success of incentive mechanisms like COMP, BAL and SNX. Should we mint a larger pool of NXM tokens, eg 1,000,000, which can be used for incentive mechanisms more broadly over many years? The pool could specifically include auditing incentives like this, but could also be used to encourage capital provision to the mutual to help it meet existing demand for cover.

I don’t want to derail this specific proposal, as I believe in the core objective of this specific initiative, however I see two elements that are worth separating:

  1. Do members wish to mint additional NXM as incentives to encourage auditor participation?
  2. If so, what are the mechanics and how do we get the best outcome?

My view is to mint a larger pool of NXM to be used as incentives more broadly, and then run short term experiments and adjust where necessary. Grabbing hold of the enthusiasm shown by existing auditing firms by getting a first experiment out quickly would be a key part of that.


Thank you for your feedback. Answers below:

I guess this really depends on the person buying the insurance. I also don’t see how that couldn’t be the case today already. Many of the big auditors publish their results, but members still buy insurance. This proposal just really wants to make these results available more broadly.

Every auditor is welcome and encouraged to participate. Doesn’t have to be a big shop, could also be an individual. I guess the only requirement would be to prove that they did a smart contract audit for a somewhat known project before.

Correct, it needs to make financial sense for the auditors too long term or they will stop participating. But fortunately Nexus Mutual pays a part of the insurance premiums back to stakers. Aside from these premiums we also hope that these signals will become signals for the broader DeFi community and thereby also offer a platform for auditors to differentiate themselves. Some auditors also mentioned to automate their staking based on tools. For example projects need to run MythX and the auditor automatically stakes some NXM depending on that result.

Auditors have not given us financial goals and we need to see how active their involvement will actually be. The $ 1,000 per audit by year 3 was therefore just a guess from me for fair compensation and likely needs to be adjusted.


Some further comments on the specific mechanics:

  • I’d prefer a lower amount of NXM per audit granted but having it locked for a limited time period eg 3 years.

  • The above needs to come along with some commitment to stake the NXM. eg if it isn’t regularly staked then it has to be returned.

  • The NXM should be granted for projects that users want cover on. That’s far too vague and requires more thought on the exact mechanic.

  • What happens when multiple auditors audit the same project, even subsequent to it being coverable on Nexus for some time.

What are your reasons? My thinking behind the indefinite lock up and earning through rewards was that you incentivise auditors to participate versus just jumping on board initially, but then sitting it out until their tokens unlock. I wouldn’t want the Nexus Mutual members to take that risk.

Well, the soft commitment would be achieved through the reward incentive. No staking, no earning. Positive reinforcement is more powerful.

Agree that a lot of the details of the proposal still need to be ironed out and I hope publishing it here in the forum will help with that. However I wouldn’t want to be too strict with the requirements to grant NXM (since the risk of minting is minimal when they are indefinitely locked) and would rather optimize for having as many auditors actively involved as possible.

Similar answer, when unsure, my gut feeling would be to err in favor of auditors and mint more NXM. Up to a certain extent of course. If a project gets more than 1 audit a year by the same auditors I would also suggest to stop minting extra NXM.

@HeyChristopher my thoughts on not having indefinite lock-up was that it would allow a lower token mint overall. However, after thinking about this further and considering your extra points, the indefinite lock-up does deal with other issues more elegantly, so I’m coming around to it.

fyi - we can’t enforce the indefinite lock-up at a smart contract level, so would suggest this is conducted via legal agreements. This could also include a requirement that NXM is returned if not actively staked for a period.

In general, I’m supportive of a more general token mint for incentives broadly, part of which can be used to trial this with the existing auditors that have shown interest. I believe we should capitalise on their immediate interest soon. I find it difficult to support a large token mint for this purpose only, just because we don’t know how effective it will be. A more general mint has much more flexibility, and if the auditor trials prove successful then it would make sense to continue and expand them. If not, then we can trial something else.

Also, running a trial means more flexibility on when tokens are granted, as any generosity is more limited.
