Audits and Security
Review Nexus Mutual's audits, bug bounties, and initiatives to strengthen our ecosystem.

Audits

Below is a list of the audits conducted on Nexus Mutual's smart contract system, in order from newest to oldest. You can also review Nexus Mutual's GitHub, where these reports are hosted.

iosiro Audit: Stacked Risk, On-chain MCR, and Swap Operator Smart Contract Audit | May 2021

iosiro was commissioned by Nexus Mutual to conduct a smart contract audit on their Stacked Risk, On-chain MCR and Swap Operator features.
The following audit was published and released in May 2021.

G0 Group Audit: Pooled Staking | June 2020

The G0 Group was commissioned by Nexus Mutual to conduct a smart contract audit on their Pooled Staking contract.
The following audit was published and released in June 2020.

Solidified Audit: Smart Contracts and Associated Components | April 2019

Solidified was commissioned by Nexus Mutual to conduct a smart contract audit on their smart contracts and associated components.
The following audit was published and released in April 2019.

Security

Nexus Mutual works to ensure our smart contract system is safe and secure. Regular audits are an important part of maintaining the security of our smart contract system, but there are several other approaches the mutual takes to keep the protocol secure.

Immunefi Bug Bounty

On Immunefi, hackers secure DeFi contracts, save funds from theft, and get paid doing it. Nexus is able to secure our protocol through this partnership with Immunefi.
Immunefi runs a bug bounty programme for Nexus Mutual to incentivise hackers to disclose vulnerabilities in the mutual's smart contract system in exchange for payouts scaled to the severity of the finding.
Smart Contracts and Blockchain
  • Critical | Up to $50,000 USD
  • High | Up to $25,000 USD
  • Medium | Up to $10,000 USD
  • Low | Up to $2,000 USD
Bounties are listed in USD but paid out in stablecoins.

Bug Bounty Matching Programme with Immunefi

Not a member of Nexus Mutual? Don’t worry—we’ve got you covered.
Announcing the Nexus Mutual Bug Bounty Matching Programme: a free service offered by the mutual to better protect users of major DeFi protocols. Through our bug bounty matching programme and our cover policies, Nexus Mutual is dedicated to protecting a greater share of DeFi.

First Bug Bounty Matched by Nexus Mutual | $200,000 for Yearn Finance Disclosure

In March 2022, the mutual's bug bounty matching programme provided its first matching payout as part of our partnership with Immunefi. A $200,000 payout was made to an anonymous whitehat for finding a critical vulnerability in Yearn Finance that has since been patched. No funds were lost. This means the whitehat earned a total of $400,000 for their responsible disclosure, $200,000 of which was from Yearn’s bounty payout.
Nexus Mutual was created to give people a way to hedge against the unique risks in on-chain markets. Members understand the role that bug bounties play in keeping users safe in DeFi. For more information about the first matching bug bounty, read Immunefi's announcement of the payout.

Second Bug Bounty Matched by Nexus Mutual | $50,000 for Synthetix Disclosure

In July 2022, the second matching bug bounty was awarded as part of our partnership with Immunefi to help secure more DeFi protocols. A $50,000 payout was made to whitehat thunderdeep14 for finding and disclosing a critical bug in Synthetix's smart contracts. The Synthetix team patched this bug shortly after receiving the report. The whitehat earned $100,000 from Synthetix's own bug bounty programme for the responsible disclosure of a critical vulnerability; with the mutual's additional $50,000 matching payout, their total comes to $150,000.
For more information about this matching bug bounty, read Immunefi's announcement of the bugfix and payout.

Expansion of Bug Bounty Matching Programme

After the trial programme proved successful, members discussed a renewal proposal and voted to approve an expansion of the matching initiative to increase funding to $600,000 and enable more listed protocols to participate.
Nexus Mutual's bug bounty matching programme allows for protocols within certain ranges of active coverage to take advantage of this security initiative, which aims to increase the size of bug bounties to encourage the 10,000+ whitehats within Immunefi to review the codebase for these protocols and disclose critical vulnerabilities. You can find the requirements for eligibility below:
  • Projects must have an active bug bounty programme on Immunefi.
  • Matching is provided only for bug bounties with a critical threat level rating.
  • Total matching payouts are capped at $600k. Projects with more than $8m in active cover can receive matching up to $600k; for projects with active cover between $2m and $8m, the matching bounty is capped at $200k per bounty payout.
  • The matching ratio is $0.50 in matching for every $1 offered as a critical bug bounty (0.5:1). The goal is to give projects a greater incentive to increase the size of their critical bounty payouts, so long as there is demand for cover on Nexus Mutual.

Protocols Eligible for Nexus Mutual's Bug Bounty Matching Programme

Below, you can find the protocols that are eligible for the matching programme. This list is updated weekly based on the mutual's active coverage. For more information, review the programme on Immunefi.
Review of the protocols eligible for the mutual's bug bounty matching programme.
Is your protocol listed above but does not yet have a bug bounty programme managed by Immunefi? Sign up with Immunefi, get integrated with Nexus Mutual, and join the Nexus Mutual bug bounty matching programme!

Initial Launch of Matching Programme | September 2021

Nexus Mutual is a member-owned, member-operated organisation, and our members take security in DeFi seriously. Our community voted in favour of a trial Bug Bounty Matching Programme with Immunefi, the leading bug bounty platform serving DeFi protocols. With the mutual’s partnerships, listed protocols benefit from increased security by virtue of being listed on Nexus Mutual.
Through the Bug Bounty Matching Programme, Nexus Mutual will continue the work of keeping DeFi users safe, while using community funds to increase critical vulnerability payouts for listed protocols. At the launch of this programme, the mutual has chosen several Nexus Mutant favourites, or protocols with significant cover buys, to provide 1:1 matching payouts with up to 2500 NXM ($200,000) per valid critical bug report.
Immunefi has expanded bug bounty programmes within DeFi, and because of their diligent work, more blackhats are becoming whitehats. By working with Immunefi and incentivising disclosures for popular listed protocols, the mutual can further incentivise blackhats to become whitehats. Nexus Mutual exists to protect users in DeFi and prevent capital loss: the Bug Bounty Matching Programme allows our community to protect more DeFi users with incentives backed by NXM.
Below were the initial protocols selected for the Bug Bounty Matching Programme:
  • Alpha Finance | Critical Vulnerability Payout of $750,000
  • BadgerDAO | Critical Vulnerability Payout of $750,000
  • Bancor | Critical Vulnerability Payout of $100,000
  • Compound | Critical Vulnerability Payout of $50,000
  • Pool Together | Critical Vulnerability Payout of $25,000
  • Sushiswap | Critical Vulnerability Payout of $1,250,000
  • Synthetix | Critical Vulnerability Payout of $200,000
  • Vesper Finance | Critical Vulnerability Payout of $200,000
  • Yearn Finance | Critical Vulnerability Payout of $200,000
Immunefi outlines the process of this programme in their announcement.
The programme works as a straightforward, two-part process:
1. Any successful critical bug report (per Immunefi criteria) on an approved project is subsequently reviewed by the Nexus core team.
2. If exploitation of the critical vulnerability would have resulted in a claim payout, the Nexus core team agrees to provide a 1:1 matching payout of up to $200,000.
To date, this programme has proven successful, and members opted to renew and expand it to include additional listed protocols.
The Nexus Mutant community has enjoyed collaborating with DeFi security experts to make the ecosystem safer and improve the protections for the mutual’s listed protocols. Whether you are a DeFi power user or a multi-billion dollar protocol, Nexus Mutual has you covered.

Collaboration with Dedaub

A collaboration with Dedaub was approved after a Snapshot vote was held from 18 May 2021 to 25 May 2021. Members voted in favour of the proposal, with 115,710 NXM (99.57%) voting "Yes" and 500.12 NXM (0.43%) voting "No" through Snapshot governance.
Any funds used for this partnership will come from the Nexus Treasury multi-sig.
Dedaub offers significant security expertise, combined with leading program analysis technology, to secure blockchain projects. Their technology offers most of the practical advantages of formal verification without many of its burdens, enabling more thorough security audits.
Dedaub can detect all contracts that are part of each covered protocol and group them automatically (under human supervision). Subsequently, they can analyze the contracts and display warnings of vulnerabilities (or proto-vulnerabilities, i.e., components that when put together can make a service vulnerable).
The static warnings will be combined with queries on environmental conditions (e.g., approvals and balances in past transactions, state of initialisation of a contract, storage contents) to produce reports that can point to security issues. We will also maintain a contact database for each covered protocol. If a vulnerability is detected in a live system, we will contact the appropriate project team.
Dedaub's budget for the overall project will be at a baseline of $20K/mo (in NXM). The budgeting also anticipates bonus NXM to be paid if a vulnerability is detected that would have led to a claim payout.
This partnership will provide a competitive advantage for the mutual. Protocols will gain another layer of security just by being listed on Nexus Mutual.
In addition, Risk Assessors will benefit from third-party monitoring of listed smart contract systems. If a vulnerability is discovered, it will be disclosed to the team in question, which can prevent a loss event from happening. In turn, this reduces the chance that Risk Assessors will have their stakes burned, since losses can be prevented through this service.
To review the initial proposal and discussion, check out the post on the Nexus Mutual forum.
You can learn more about Dedaub through their Twitter, Medium, and website.