Audits and Security
Review Nexus Mutual's audits, bug bounties, and initiatives to strengthen our ecosystem.

Audits

Below is a list of the audits conducted on Nexus Mutual's smart contract system, ordered from newest to oldest. The full reports are hosted on Nexus Mutual's GitHub.

iosiro Audit: Stacked Risk, On-chain MCR, and Swap Operator Smart Contract Audit | May 2021

iosiro was commissioned by Nexus Mutual to conduct a smart contract audit on their Stacked Risk, On-chain MCR and Swap Operator features.
The following audit was published and released in May 2021.

G0 Group Audit: Pooled Staking | June 2020

The G0 Group was commissioned by Nexus Mutual to conduct a smart contract audit on their Pooled Staking contract.
The following audit was published and released in June 2020.

Solidified Audit: Smart Contracts and Associated Components | April 2019

Solidified was commissioned by Nexus Mutual to conduct a smart contract audit on their smart contracts and associated components.
The following audit was published and released in April 2019.

Security

Nexus Mutual works to ensure our smart contract system is safe and secure. Regular audits are an important part of maintaining the security of our smart contract system, but there are several other approaches the mutual takes to keep the protocol secure.

Immunefi Bug Bounty

Immunefi is a bug bounty platform where security researchers find vulnerabilities in DeFi contracts, prevent theft of user funds, and are paid for doing so. Nexus Mutual secures its protocol in part through this partnership with Immunefi.
Immunefi runs a bug bounty program for Nexus Mutual that incentivises researchers to responsibly disclose vulnerabilities in the mutual's smart contract system in exchange for payouts scaled to the severity of the finding.
Smart Contracts and Blockchain
  • Critical | Up to $50,000 USD
  • High | Up to $25,000 USD
  • Medium | Up to $10,000 USD
  • Low | Up to $2,000 USD
Bounties are listed in USD but paid out in stablecoins.

Bug Bounty Matching Program with Immunefi

Not a member of Nexus Mutual? Don’t worry—we’ve got you covered.
Announcing the Nexus Mutual Bug Bounty Matching Program: a free service offered by the mutual to better protect users of major DeFi protocols. Through our bug bounty matching program and our cover policies, Nexus Mutual is dedicated to protecting a greater share of DeFi.
Nexus Mutual is a member-owned, member-operated organisation, and our members take security in DeFi seriously. Our community voted in favour of a trial Bug Bounty Matching Program with Immunefi, the leading bug bounty platform serving DeFi protocols. With the mutual’s partnerships, listed protocols benefit from increased security by virtue of being listed on Nexus Mutual.
Through the Bug Bounty Matching Program, Nexus Mutual will continue the work of keeping DeFi users safe, while using community funds to increase critical vulnerability payouts for listed protocols. At the launch of this program, the mutual has chosen several Nexus Mutant favourites, or protocols with significant cover buys, to provide 1:1 matching payouts with up to 2500 NXM ($200,000) per valid critical bug report.
Immunefi has expanded bug bounty programs within DeFi, and because of their diligent work, more blackhats are becoming whitehats. By working with Immunefi and incentivising disclosures for popular listed protocols, the mutual can further incentivise blackhats to become whitehats. Nexus Mutual exists to protect users in DeFi and prevent capital loss: the Bug Bounty Matching Program allows our community to protect more DeFi users with incentives backed by NXM.
Below are the initial protocols selected for the Bug Bounty Matching Program:
  • Alpha Finance | Critical Vulnerability Payout of $750,000
  • BadgerDAO | Critical Vulnerability Payout of $750,000
  • Bancor | Critical Vulnerability Payout of $100,000
  • Compound | Critical Vulnerability Payout of $50,000
  • Pool Together | Critical Vulnerability Payout of $25,000
  • Sushiswap | Critical Vulnerability Payout of $1,250,000
  • Synthetix | Critical Vulnerability Payout of $200,000
  • Vesper Finance | Critical Vulnerability Payout of $200,000
  • Yearn Finance | Critical Vulnerability Payout of $200,000
Immunefi outlines the process of this program in their announcement.
The way the program works is a straightforward, two-part process:
1. Any successful critical bug report (per Immunefi's severity criteria) on an approved project is subsequently reviewed by the Nexus core team.
2. If exploitation of the critical vulnerability would have resulted in a claim payout on Nexus Mutual cover, the Nexus core team provides a 1:1 matching payout, up to $200,000 (2500 NXM) per valid critical report.
If this program proves successful, the program may be expanded to include additional listed protocols. The Nexus Mutant community looks forward to collaborating with DeFi security experts to make the ecosystem safer and improve the protections for the mutual’s listed protocols. Whether you are a DeFi power user or a multi-billion dollar protocol, Nexus Mutual has you covered.
Is your protocol interested in the Nexus Mutual Bug Bounty Matching Program? Sign up with Immunefi and get integrated with Nexus.

Collaboration with Dedaub

A collaboration with Dedaub was approved after a Snapshot vote held from 18 May 2021 to 25 May 2021. Members voted in favour of the proposal, with 115,710 NXM (99.57%) voting "Yes" and 500.12 NXM (0.43%) voting "No" through Snapshot governance.
Any funds used for this partnership will come from the Community Fund Multi-sig.
Dedaub offers significant security expertise, combined with leading program analysis technology to secure blockchain projects. Their technology offers most of the practical advantages of formal verification, without many of its burdens, enabling more thorough security audits.
Dedaub can detect all contracts that are part of each covered protocol and group them automatically (under human supervision). Subsequently, they can analyze the contracts and display warnings of vulnerabilities (or proto-vulnerabilities, i.e., components that when put together can make a service vulnerable).
The static warnings are combined with queries on environmental conditions (e.g., approvals and balances in past transactions, the initialisation state of a contract, storage contents) to produce reports that point to concrete security issues rather than isolated static findings. Dedaub will also maintain a contact database for each covered protocol. If a vulnerability is detected in a live system, they will contact the appropriate project team.
Dedaub's budget for the overall project will be at a baseline of $20K/mo (in NXM). The budgeting also anticipates bonus NXM to be paid if a vulnerability is detected that would have led to a claim payout.
This partnership will provide a competitive advantage for the mutual. Protocols will gain another layer of security just by being listed on Nexus Mutual.
In addition, Risk Assessors benefit from third-party monitoring of listed smart contract systems. If a vulnerability is discovered, it is disclosed to the team in question, which can prevent a loss event from happening. In turn, this reduces the chance that Risk Assessors will have their stakes burned, since losses can be prevented through this service.
To review the initial proposal and discussion, check out the post on the Nexus Mutual forum.
You can learn more about Dedaub through the following communication channels: Twitter, Medium, and their website.