Reviewing treasury expenditures | Dedaub smart contract monitoring service

@vincentj @Gauthier Please refer to the original proposal from last year

We delivered on the original proposal. Reports were delivered every quarter to Hugh and Rox.

The original proposal was to monitor for the following vulnerabilities, but the mutual benefited from many others that were added since the original proposal:

  • potential for Uniswap/Balancer price manipulation
  • interaction with untrusted tokens
  • “unchecked sender” in flash loans
  • contracts not properly initialized
  • inconsistent scaling factors (i.e., powers of 10) for monetary amounts
  • ECDSA signing that is not unique per signed message
  • conventional errors: arithmetic overflow, reentrancy.

As to the value, this was Hugh’s argument last year:

Prevention of claims has significant value for the mutual. In regular insurance there are many instances of monitoring systems, usually bundled with the insurance purchase, that give early warning of system malfunction and allow repair crews to be dispatched before severe losses occur. Examples include flood warning systems, boiler monitoring and many others. I see this proposal in a similar vein.

In particular, for protocols where contracts can be upgraded, sophisticated monitoring tools can save users and the mutual a lot of money. E.g. Uniswap is less likely to need such tools, but Yearn would likely benefit a lot from it.

I also see it as a potential strategic differentiator, e.g. if a project is willing to distribute Nexus cover at point of sale then we can include them on the monitoring list.

Certainly it’s understandable to not repurchase something if one doubts they can afford it at the moment. We did try to structure the proposal relative to the Mutual’s treasury strength - which is why we accepted wNXM pricing. But we cannot agree that the cost is steep, when it is in fact quite low relative to other security solutions. At current levels, the yearly cost of the service is equal to the cost of ~7 weeks of auditing time. For ongoing security analysis of code, some individual protocols pay more than 15x the cost of this service! (Aave has a $3.6m/yr deal with Certora, Compound has a $4m/yr deal with OZ.)
