Nexus Mutual – a DeFi insurance platform – disclosed two security vulnerabilities discovered within the mutual’s code. Neither vulnerability was exploited and none of the mutual’s funds were compromised.
The discretionary cover provider announced yesterday that it had received two vulnerability disclosures from community members earlier last week. These disclosures come directly after the mutual’s first claims payout, made earlier last week following the bZx exploit.
Over the past week we have received two responsible vulnerability disclosures. None of them have been exploited and no mutual funds have been compromised.
Read the full report: https://t.co/5X1cPdqfXm
— Nexus Mutual (@NexusMutual) February 24, 2020
Vulnerability #1: Governance
The first vulnerability, reported by blockchain developer Mudit Gupta, was related to governance. It affected the mutual’s advisory board and the owner, unintentionally granting them additional privileges. The bug allowed advisory board members to whitelist a proposal for a given category while in practice the proposal would actually execute something else.
The core problem with this vulnerability is that Mutual members could be asked to vote on an arbitrary upgrade and, without their knowledge, be voting “yes” on a malicious action.
Nexus Mutual’s core team proposed a handful of solutions including:
- Adding the missing validation to directly address the bug, ensuring that proposed actions are properly restricted within each respective category
- Adding a delayed safeguard. This would implement a “speed bump” of 24h for all governance actions and the ability for Advisory Board members to cancel any malicious proposals
- The ability to leverage the emergency pause functionality in the case that a member created a proposal subject to unexpected voting.
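A minimal model of the mitigations listed above (category validation, the 24h delay and advisory-board cancellation), as an added example that is not Nexus Mutual's contract code. The category table, the contract and function names and the class layout are all hypothetical.

```python
from dataclasses import dataclass

DELAY = 24 * 3600  # the 24h "speed bump", in seconds

# Hypothetical category table: category id -> the only (contract, function)
# a proposal in that category is allowed to execute.
CATEGORIES = {1: ("Treasury", "setLimit"), 2: ("Registry", "upgrade")}

@dataclass
class Proposal:
    category: int
    target: str
    function: str
    whitelisted_at: int = 0
    cancelled: bool = False

def matches_category(p):
    """The missing validation: the action must be the one its category permits."""
    return CATEGORIES.get(p.category) == (p.target, p.function)

class Governance:
    def __init__(self, advisory_board):
        self.board = set(advisory_board)
        self.proposals = []

    def whitelist(self, sender, proposal, now):
        if sender not in self.board:
            raise PermissionError("only advisory board members may whitelist")
        if not matches_category(proposal):
            raise ValueError("proposed action does not match its category")
        proposal.whitelisted_at = now  # the delay starts counting here
        self.proposals.append(proposal)
        return len(self.proposals) - 1

    def cancel(self, sender, pid):
        if sender not in self.board:
            raise PermissionError("only advisory board members may cancel")
        self.proposals[pid].cancelled = True

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p.cancelled:
            raise RuntimeError("proposal was cancelled")
        if now < p.whitelisted_at + DELAY:
            raise RuntimeError("24h delay has not elapsed")
        if not matches_category(p):  # re-check at execution time
            raise ValueError("proposed action does not match its category")
        return (p.target, p.function)  # stand-in for the on-chain call
```

Without the `matches_category` check, a proposal filed under category 1 but pointing at `Registry.upgrade` would be whitelisted and voted on as if it were a category 1 action, which is the mismatch the disclosure describes.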
Upon implementing the proposed solutions, Nexus Mutual’s developer team also discovered that some proposal categories are unaffected by the Emergency Pause. With that, the team decided to implement some additional precautions to reduce the chances of these governance-related issues. These include enforcing a whitelist for all governance proposals by advisory board members, updating governance settings so the Emergency Pause can’t be passed unilaterally by any individual board member, and ensuring all advisory board members are using hardware wallets to improve the security of their voting power.
While none of the governance vulnerabilities have been exploited, it is important that the Mutual discloses these problems in a transparent manner. The permanent fixes to these bugs are in the final stages of development and will be implemented in the next few days.
Until then, the Mutual hopes that the interim conservative governance mechanisms are robust enough to protect against any malicious proposals until the bug fixes are implemented.
I appreciate the prompt response from the team behind @NexusMutual. They took the disclosure seriously and took actions to mitigate the risks immediately.
I wish all other teams in this space were as responsive. https://t.co/plcHPqgt1G
— Mudit Gupta (@Mudit__Gupta) February 25, 2020
Vulnerability #2: Funds Exploit via Uniswap
On February 20th, the core team received another report from renowned security researcher Samczsun outlining a vulnerability that could put a significant portion of the mutual’s funds at risk.
Hope you haven’t had enough of Uniswap shenanigans https://t.co/8mxGPG0YHg
— Sam Sun (@samczsun) February 24, 2020
The mutual’s funds are currently held entirely in DAI and ETH. Whenever a claim is accepted, the mutual must ensure enough funds in the corresponding asset are available to pay out the claimant. If the amount being paid exceeds a certain threshold, the protocol exchanges the required amount in several batches with a time delay in-between. With this, the system relied on Oraclize to trigger the rebalance via Uniswap.
In other words, the vulnerability allowed any third party to trigger a treasury rebalance at any point in time.
Within 4 hours of receiving the report, the Mutual kill switched the system’s interaction with Uniswap, disabling the ability to execute this exploit. The team admitted that the bZx exploit should’ve raised a massive red flag for the mutual given the similarities in the mechanisms.
Now, if any claims in Dai are to be paid, Nexus Mutual will raise governance proposals to transfer the required ETH to the advisory board multi-sig, exchange it for Dai, and pay the underlying claim. In the longer term, Nexus Mutual is aiming to integrate with a manipulation-resistant DEX and is currently evaluating options.
Nexus Mutual is fairly lucky with the above disclosures. Had Gupta or Samczsun not been honest-acting security researchers, the mutual could have seen significant security vulnerabilities exploited. Moreover, the mutual can’t cover itself against these attacks (it could potentially use another insurance protocol like Opyn in the future), and the execution of the exploits would’ve left Mutual members in a sticky situation.
For their responsible disclosures, the mutual is rewarding both Gupta and Sun with bug bounties. Based on the threat matrix, Gupta’s disclosure was considered a medium severity issue, due to its high impact and low likelihood of execution. As such, he received a $2,000 bounty for his disclosure.
On the other hand, Samczsun will receive a $5,000 bounty for his disclosure. The threat matrix categorized the vulnerability as a high severity issue given its potential impact and medium likelihood of being executed.
With the recent disclosures, Nexus Mutual has decided to launch a bug bounty program in the near future. The Mutual’s code was audited by the Solidified team in April 2019 prior to its mainnet launch back in May.
Ultimately, the work done by Samczsun and Mudit Gupta is invaluable for the DeFi ecosystem. Their responsible disclosures protect millions in public capital while helping DeFi protocols progress toward becoming anti-fragile.
For more information surrounding the security vulnerabilities, feel free to refer to Nexus Mutual’s official post here.